Query Details

Browser Extension Downloads Using Device File Events

Query

let UnsanctionedExtensions = externaldata (ExtensionID: string) [@'https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Intune/Intune%20Browser%20Extension_IDs_the_user_should_be_prevented_from_installing.csv'] with (format=txt);
let RiskyExtensionsWithNames = externaldata (ExtensionID: string,ExtensionURL:string, ExtensionName:string) [@'https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Intune/Unsanctioned_extensions_with_names.csv'] with (format=csv, ignoreFirstRecord = true);
DeviceFileEvents
| where TimeGenerated > ago(90d)
| where ActionType == "FileCreated"
| where FileName endswith ".crx"
//| where InitiatingProcessFileName == "chrome.exe" //if you need to filter down to chrome vs edge
| where FolderPath contains "Webstore Downloads"
| extend ExtensionID = trim_end(@"_\d{2,6}.crx", FileName)
| extend ExtensionURL = strcat("https://chrome.google.com/webstore/detail/",ExtensionID)
| extend EdgeExtensionURL = strcat("https://microsoftedge.microsoft.com/addons/detail/",ExtensionID)
| extend RiskyExtension = iff((ExtensionID in~(UnsanctionedExtensions)), "Yes","N/A")
| summarize count() by ExtensionID,ExtensionURL, EdgeExtensionURL, RiskyExtension
//| where ExtensionID != "kbfnbcaeplbcioakkpcpgfkobkghlhen" //Grammarly
//| where RiskyExtension == "Yes"
| join kind=leftouter RiskyExtensionsWithNames on ExtensionID //if name is present in the risky list present it
| project-away ExtensionID1,ExtensionURL1

Explanation

This KQL (Kusto Query Language) query is designed to analyze and identify potentially risky browser extensions that have been downloaded onto devices within the last 90 days. Here's a simplified breakdown of what the query does:

  1. Load External Data:

    • It imports two datasets from external CSV files hosted on GitHub:
      • UnsanctionedExtensions: A list of extension IDs that should not be installed.
      • RiskyExtensionsWithNames: A list of extension IDs along with their URLs and names that are considered risky.
  2. Filter Device File Events:

    • It looks at DeviceFileEvents to find events where files were created in the last 90 days.
    • Specifically, it filters for files with names ending in ".crx", which are typically Chrome extension files.
    • It further filters for files downloaded from "Webstore Downloads" folders.
  3. Extract and Construct URLs:

    • It extracts the ExtensionID from the file name.
    • It constructs URLs for both Chrome and Edge web stores using the ExtensionID.
  4. Identify Risky Extensions:

    • It checks if the ExtensionID is in the UnsanctionedExtensions list and labels it as "Yes" for risky, otherwise "N/A".
  5. Summarize Data:

    • It summarizes the data by counting occurrences of each ExtensionID, along with their constructed URLs and risk status.
  6. Join with Risky Extensions Names:

    • It performs a left outer join with the RiskyExtensionsWithNames dataset to add extension names if they are present in the risky list.
  7. Project Results:

    • It removes duplicate or unnecessary columns from the final output.

This query helps in monitoring and managing browser extensions by identifying and summarizing potentially risky extensions downloaded onto devices, aiding in security and compliance efforts.

Details

Jay Kerai profile picture

Jay Kerai

Released: February 22, 2025

Tables

DeviceFileEvents

Keywords

ExtensionsDevicesIntuneFileEventsWebstoreDownloadsChromeEdge

Operators

letexternaldatawithwhereagoendswithcontainsextendtrim_endstrcatiffin~summarizebyjoinkind=leftouteronproject-away

Actions

GitHub