Note that running all time searches is not a great idea, you would be better off collecting 'first time seen' events to either a summary index or a lookup file to add that into the results, but to achieve the result you are after you can do

index="firewall" "confidence_level=high" action=Detect
|stats count by protection_name
| append [
  search index="firewall" "confidence_level=high" action=Detect earliest=0 latest=now
  |stats earliest_time(protection_name) as firstEvent by protection_name
  | eval firstEvent=strftime(firstEvent, "%F %T.%Q")
]
| stats values(*) as * by protection_name

Note that depending on your data volume, the all time search may be really slow and I recommend looking at collecting the summary information as for example a saved search that runs regularly, or if you do not expect to see new protection_names very often, just collect the information to a lookup occasionally, e.g.

index="firewall" "confidence_level=high" action=Detect earliest=0 latest=now
| stats earliest_time(protection_name) as firstEvent by protection_name
| sort protection_name
| outputlookup protection_names.csv

to collect the data then in the first search rather than doing the append and the last stats, you can do

| lookup protection_names.csv protection_name
| eval firstEvent=strftime(firstEvent,"%F %T.%Q")

 Note that keeping the time value in the lookup rather than stringifying it allows you to calculate with time and format when necessary.

Hope this helps.