cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

FirstDetected Field - where can I find it in the Defender schema?

marktait19
Copper Contributor

‎Feb 17 2023 05:59 AM

‎Feb 17 2023 05:59 AM

FirstDetected Field - where can I find it in the Defender schema?

Hi - in Microsoft 365 Defender, when running Kusto queries - which table will I find the "First Detected" field against a device?

 

I can see it in the Device Summary page, but can't find it in any of the available tables in the schema.

 

Thanks for any advice,

 

Mark

511 Views
0 Likes
7 Replies
Reply
7 Replies
NazmulHassan

‎Apr 01 2024 11:21 AM

‎Apr 01 2024 11:21 AM

Re: FirstDetected Field - where can I find it in the Defender schema?

@marktait19, have you found anything on this?

0 Likes
Reply
dullinternet_1989

‎Apr 18 2024 11:28 AM

‎Apr 18 2024 11:28 AM

Re: FirstDetected Field - where can I find it in the Defender schema?

I would love to know if anyone has found anything on this. @NazmulHassan 

0 Likes
Reply
DylanInfosec

‎Apr 18 2024 08:40 PM

‎Apr 18 2024 08:40 PM

Re: FirstDetected Field - where can I find it in the Defender schema?

Hi @marktait19 and all,

I'm not sure this particular field exists within the Defender Advanced Hunting schema. Perhaps if there was a DeviceFileInfo table??

 

There may be something we can do in limited, albeit highly specific situations. On a particularly unique file we could run it through the FileProfile() function. (via the Defender API). This function spits out a bunch of info on the input file including global prevalence and Global First Seen. If the file is unique enough this may be an option to you.
Personally, alongside the many great fields it already pulls in and the particular field you requested I’d love to see “Org devices” aka Org prevalence as well.

 

This function is resource intensive so use it sparingly and only after as much filtering down as possible.

 

Good luck,

Dylan

0 Likes
Reply
dullinternet_1989

‎Apr 26 2024 08:57 AM

‎Apr 26 2024 08:57 AM

Re: FirstDetected Field - where can I find it in the Defender schema?

@DylanInfosec  Thank you for your input. Unfortunately, the field does not exist in the Defender Advanced Hunting Schema. However, it does pull from analytics and goes under a different title.

dullinternet_1989_0-1714147003418.png

I am still not entirely sure how to get these two to merge. 

1 Like
Reply
DylanInfosec

‎Apr 26 2024 06:50 PM

‎Apr 26 2024 06:50 PM

Re: FirstDetected Field - where can I find it in the Defender schema?

This is great! Thanks for following up on this with the info. Will definitely be using this in the near future.

Thank you,
Dylan
0 Likes
Reply
dullinternet_1989

‎Apr 27 2024 05:00 AM

‎Apr 27 2024 05:00 AM

Re: FirstDetected Field - where can I find it in the Defender schema?

No problem. It takes a village sometimes!
0 Likes
Reply
marktait19

‎Apr 29 2024 12:29 AM

‎Apr 29 2024 12:29 AM

Re: FirstDetected Field - where can I find it in the Defender schema?

Hi - my client hasn't opened up the API for me yet. I only have access to Hunting -> Advanced Hunting.

Is the cveFirstSeenTimestamp - only available via the API?

Is there an equivalent field I can find in Advanced Hunting?

Thanks again,

Mark
0 Likes
Reply