kqlHunting

Query the installed extensions with the most required permissions

----

Detection Query

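// Hunting query: list installed browser extensions whose count of *required*
// permissions exceeds a baseline, together with the device they are installed on.
// Tables read: DeviceTvmBrowserExtensionsKB, DeviceTvmBrowserExtensions, DeviceInfo.
// The permission count is a triage signal only; review it together with
// ExtensionRisk and the names in PermissionNames before acting on a row.
let PermissionInformation = DeviceTvmBrowserExtensionsKB
     // Only required permissions are counted; optional permissions are ignored here.
     | where IsPermissionRequired == "true"
     | summarize
         TotalPermissions = dcount(PermissionName),
         PermissionNames = make_set(PermissionName)
         by ExtensionId
     | where TotalPermissions > 3 // Change baseline if needed
     | project ExtensionId, TotalPermissions, PermissionNames;
DeviceTvmBrowserExtensions
// Inner join keeps only installed extensions that are above the baseline.
| join kind=inner PermissionInformation on ExtensionId
// Latest DeviceInfo row per device. Left outer join, so an install is still
// listed (with empty DeviceName/OSPlatform) when no DeviceInfo row matches.
| join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId | project DeviceId, DeviceName, OSPlatform)  on DeviceId
| project DeviceId, OSPlatform, DeviceName, BrowserName, ExtensionName, ExtensionRisk, PermissionNames, TotalPermissions
// Sort as the last step: a join does not guarantee row order, so sorting
// before the DeviceInfo join did not ensure the output is ordered.
| sort by TotalPermissions desc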

Data Sources

DeviceInfo

Platforms

windows, microsoft-defender

Tags

vulnerability-management
Raw Content
# Query the installed extensions with the most required permissions
----
## Defender XDR
```KQL
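// Hunting query: list installed browser extensions whose count of *required*
// permissions exceeds a baseline, together with the device they are installed on.
// Tables read: DeviceTvmBrowserExtensionsKB, DeviceTvmBrowserExtensions, DeviceInfo.
// The permission count is a triage signal only; review it together with
// ExtensionRisk and the names in PermissionNames before acting on a row.
let PermissionInformation = DeviceTvmBrowserExtensionsKB
     // Only required permissions are counted; optional permissions are ignored here.
     | where IsPermissionRequired == "true"
     | summarize
         TotalPermissions = dcount(PermissionName),
         PermissionNames = make_set(PermissionName)
         by ExtensionId
     | where TotalPermissions > 3 // Change baseline if needed
     | project ExtensionId, TotalPermissions, PermissionNames;
DeviceTvmBrowserExtensions
// Inner join keeps only installed extensions that are above the baseline.
| join kind=inner PermissionInformation on ExtensionId
// Latest DeviceInfo row per device. Left outer join, so an install is still
// listed (with empty DeviceName/OSPlatform) when no DeviceInfo row matches.
| join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId | project DeviceId, DeviceName, OSPlatform)  on DeviceId
| project DeviceId, OSPlatform, DeviceName, BrowserName, ExtensionName, ExtensionRisk, PermissionNames, TotalPermissions
// Sort as the last step: a join does not guarantee row order, so sorting
// before the DeviceInfo join did not ensure the output is ordered.
| sort by TotalPermissions desc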
```