Forum Discussion
marktait19, Copper Contributor
Feb 17, 2023
FirstDetected Field - where can I find it in the Defender schema?
Hi - in Microsoft 365 Defender, when running Kusto queries - which table will I find the "First Detected" field against a device?
I can see it in the Device Summary page, but can't find it in any of the available tables in the schema.
Thanks for any advice,
Mark
- DylanInfosec, Iron Contributor
Hi marktait19 and all,
I'm not sure this particular field exists within the Defender Advanced Hunting schema. Perhaps if there was a DeviceFileInfo table??
There may be something we can do in limited, albeit highly specific situations. On a particularly unique file we could run it through the FileProfile() function. (via the Defender API). This function spits out a bunch of info on the input file including global prevalence and Global First Seen. If the file is unique enough this may be an option to you.
Personally, alongside the many great fields it already pulls in and the particular field you requested, I'd love to see "Org devices" aka Org prevalence as well. This function is resource intensive, so use it sparingly and only after as much filtering down as possible.
Good luck,
Dylan
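A worked Advanced Hunting query that applies the FileProfile() enrichment Dylan describes, added here as an example and not part of the original thread. The time window, the `.exe` filter, the 500-row cap and the rarity thresholds are illustrative assumptions; the column names are those FileProfile() returns in the Advanced Hunting schema.

```kusto
// Added example (not from the thread): enrich recently created executables
// with FileProfile() so GlobalFirstSeen / GlobalPrevalence can be inspected.
// Window, file filter, cap and thresholds are assumptions for illustration.
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileCreated"
| where FileName endswith ".exe"
| where isnotempty(SHA1)
// Collapse to distinct hashes first: FileProfile() is resource intensive,
// so feed it as few rows as possible. The second argument caps the number
// of rows enriched (maximum 1000).
| summarize FirstSeenHere = min(Timestamp),
            Devices = dcount(DeviceId),
            ExampleFileName = take_any(FileName)
          by SHA1
| invoke FileProfile(SHA1, 500)
// Keep files that are globally rare or only appeared anywhere recently.
| where GlobalPrevalence < 50 or GlobalFirstSeen > ago(7d)
| project SHA1, ExampleFileName, Devices, FirstSeenHere,
          GlobalFirstSeen, GlobalLastSeen, GlobalPrevalence,
          Signer, IsCertificateValid, ThreatName
| order by GlobalPrevalence asc
```

The `Devices` column is a per-query stand-in for the "Org devices" count Dylan wishes FileProfile() returned: it only counts devices seen in the query's own window, whereas `GlobalPrevalence` and `GlobalFirstSeen` come from Microsoft's worldwide telemetry.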
- dullinternet_1989, Copper Contributor
DylanInfosec Thank you for your input. Unfortunately, the field does not exist in the Defender Advanced Hunting Schema. However, it does pull from analytics and goes under a different title.
I am still not entirely sure how to get these two to merge.
- marktait19, Copper Contributor
Hi - my client hasn't opened up the API for me yet. I only have access to Hunting -> Advanced Hunting.
Is the cveFirstSeenTimestamp - only available via the API?
Is there an equivalent field I can find in Advanced Hunting?
Thanks again,
Mark
- NazmulHassan, Copper Contributor
marktait19, have you found anything on this?
- dullinternet_1989, Copper Contributor
I would love to know if anyone has found anything on this. NazmulHassan