In Microsoft Defender for Endpoint advanced hunting, when Network device discovery is enabled, onboarded devices can detect other devices on the same network. To build a hunting query that identifies discovered network devices and shows which onboarded device discovered each, you use the SeenBy() built-in function.
Microsoft’s official Defender XDR KQL function documentation explains:
“The SeenBy() function returns the list of devices that have observed the entity (for example, IP address, URL, or network device). This function is typically used to correlate discovered devices with the onboarded devices that detected them.”
For example, you can write:
// SeenBy() is a table-valued function, so it is called with the invoke operator.
// It takes the DeviceId column of the input rows and reports which onboarded devices observed each one.
DeviceInfo
| where OnboardingStatus != "Onboarded"
| invoke SeenBy()
For each discovered device, the function adds the onboarded device(s) that observed it, which maps the discovered asset to the detecting (onboarded) endpoint.
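A fuller hunting query built on the same function, added here as an example and not taken from the page or from Microsoft's documentation: it resolves the discovering endpoint's name rather than only its DeviceId. It assumes `invoke SeenBy()` adds a column named SeenBy holding the onboarded DeviceIds that observed the discovered device; adjust the column name if your tenant's schema differs.

```kql
// Added example: discovered (non-onboarded) devices with the names of the onboarded
// endpoints that observed them. Assumption: invoke SeenBy() adds a column "SeenBy"
// containing the list of onboarded DeviceIds.
let lookback = 7d;
// Latest record per non-onboarded device seen in the lookback window
let Discovered = DeviceInfo
    | where Timestamp > ago(lookback)
    | where OnboardingStatus != "Onboarded"
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, DiscoveredDeviceName = DeviceName, DeviceType, DeviceCategory, LastSeen = Timestamp;
// Name lookup for onboarded devices, used to resolve the discovering endpoint
let Onboarded = DeviceInfo
    | where Timestamp > ago(lookback)
    | where OnboardingStatus == "Onboarded"
    | summarize arg_max(Timestamp, DeviceName) by DeviceId
    | project SeenByDeviceId = DeviceId, DiscoveringDeviceName = DeviceName;
Discovered
| invoke SeenBy()                                        // adds the assumed SeenBy column
| mv-expand SeenByDeviceId = SeenBy to typeof(string)   // one row per discovering device
| join kind=leftouter Onboarded on SeenByDeviceId
| project LastSeen, DiscoveredDeviceName, DeviceType, DeviceCategory, DiscoveringDeviceName, SeenByDeviceId
| order by LastSeen desc
```

Discovered devices with no resolved DiscoveringDeviceName (an empty value after the left outer join) are worth a second look, since the observing endpoint may have been offboarded or fallen outside the lookback window.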
Other options are not applicable:
current_cluster_endpoint() — not a valid Defender hunting function.
DeviceFromIP() — resolves IP addresses to onboarded devices but does not show which device discovered another.
next() — a general KQL window function that returns a value from a later row in a serialized table, not a function for correlating network discovery events.
Therefore, to identify discovered network devices and the discovering endpoints, the correct built-in function is SeenBy().