Forum Discussion
FirstDetected Field - where can I find it in the Defender schema?
Hi marktait19 and all,
I'm not sure this particular field exists within the Defender Advanced Hunting schema. Perhaps if there were a DeviceFileInfo table?
There may be something we can do in limited, albeit highly specific situations. On a particularly unique file we could run it through the FileProfile() function (via the Defender API). This function spits out a bunch of info on the input file including global prevalence and Global First Seen. If the file is unique enough this may be an option for you.
Personally, alongside the many great fields it already pulls in and the particular field you requested I’d love to see “Org devices” aka Org prevalence as well.
This function is resource intensive so use it sparingly and only after as much filtering down as possible.
Good luck,
Dylan
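As an added illustration of the approach Dylan describes (not a query from the original thread): narrow DeviceFileEvents to a single hash first, then enrich with FileProfile() and read the global first-seen and prevalence values. The SHA1 is a placeholder, and the output column names GlobalFirstSeen, GlobalPrevalence, Signer and IsCertificateValid are assumed from the FileProfile() enrichment columns.

```kql
// Added example, not from the original thread. Narrow the event set as far as
// possible before calling FileProfile(): it is resource intensive and enriches
// a bounded number of distinct hashes per query.
let lookback = 7d;
let suspectHash = "<SHA1 placeholder - replace with the hash under investigation>";
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where SHA1 == suspectHash            // or narrow by FolderPath / FileName
| summarize FirstSeenInOrg = min(Timestamp),   // local stand-in for "first detected"
            OrgDeviceCount = dcount(DeviceId), // local stand-in for org prevalence
            any(FileName) by SHA1
| invoke FileProfile(SHA1, 500)        // enrich with global file intelligence (assumed column names below)
| project SHA1, FileName = any_FileName, FirstSeenInOrg, OrgDeviceCount,
          GlobalFirstSeen, GlobalPrevalence, Signer, IsCertificateValid
| where GlobalPrevalence < 100         // rare files are where this is worth the cost
```

Comparing FirstSeenInOrg with GlobalFirstSeen shows whether the file was already circulating elsewhere before it appeared in your tenant.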
DylanInfosec Thank you for your input. Unfortunately, the field does not exist in the Defender Advanced Hunting Schema. However, it does pull from analytics and goes under a different title.
I am still not entirely sure how to get these two to merge.
- marktait19 · Apr 29, 2024 · Copper Contributor
Hi - my client hasn't opened up the API for me yet. I only have access to Hunting -> Advanced Hunting.
Is the cveFirstSeenTimestamp - only available via the API?
Is there an equivalent field I can find in Advanced Hunting?
Thanks again,
Mark
- DylanInfosec · Apr 27, 2024 · Iron Contributor
This is great! Thanks for following up on this with the info. Will definitely be using this in the near future.
Thank you,
Dylan
- dullinternet_1989 · Apr 27, 2024 · Copper Contributor
No problem. It takes a village sometimes!