Query Details
// List of extension IDs users should be prevented from installing, one ID per line, pulled from GitHub
let UnsanctionedExtensions = externaldata (ExtensionID: string) [@'https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Intune/Intune%20Browser%20Extension_IDs_the_user_should_be_prevented_from_installing.csv'] with (format=txt);
DeviceFileEvents
| where TimeGenerated > ago(90d)
| where ActionType == "FileCreated"
| where FileName endswith ".crx"
//| where InitiatingProcessFileName == "chrome.exe" // if you need to filter down to Chrome vs Edge
// Chrome and Edge stage web-store extension packages under a "Webstore Downloads" folder
| where FolderPath contains "Webstore Downloads"
// Strip the trailing "_<version>.crx" so only the extension ID remains (dot escaped so it matches literally)
| extend ExtensionID = trim_end(@"_\d{2,6}\.crx", FileName)
| extend ExtensionURL = strcat("https://chrome.google.com/webstore/detail/", ExtensionID)
| extend EdgeExtensionURL = strcat("https://microsoftedge.microsoft.com/addons/detail/", ExtensionID)
// in~ is a case-insensitive membership test against the single-column list above
| extend RiskyExtension = iff(ExtensionID in~ (UnsanctionedExtensions), "Yes", "N/A")
| summarize count() by ExtensionID, ExtensionURL, EdgeExtensionURL, RiskyExtension
//| where ExtensionID != "kbfnbcaeplbcioakkpcpgfkobkghlhen" // Grammarly
//| where RiskyExtension == "Yes"

This KQL query is designed to identify and summarize potentially unsanctioned browser extensions that have been installed on devices within the last 90 days. Here's a breakdown of what the query does:
Load Unsanctioned Extensions List: It imports a list of unsanctioned browser extension IDs from an external CSV file hosted on GitHub via externaldata, so the query depends on that URL being reachable from the workspace and on the current contents of the list.
Filter Device File Events: It examines device file events to find instances where files with a ".crx" extension (typically Chrome or Edge browser extension packages) have been created in the last 90 days.
Specify Download Source: It further filters these events to those whose folder path contains "Webstore Downloads", the folder the browser uses for extensions fetched from its web store, indicating the extension was most likely installed from there.
Extract Extension ID: It extracts the extension ID from the file name by removing the trailing version number and ".crx" extension.
Generate Extension URLs: It constructs URLs for both the Chrome and Edge web stores using the extracted extension ID.
Identify Risky Extensions: It checks (case-insensitively) whether the extension ID is in the list of unsanctioned extensions and labels it "Yes" if risky or "N/A" otherwise.
Summarize Results: It summarizes the data by counting occurrences of each extension ID, along with the corresponding URLs and risk status.
Optional lines (commented out) allow further filtering by browser type (Chrome), excluding specific extensions such as Grammarly, or focusing only on risky extensions.
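Added example, not part of the original query page or its author's repository: a Python re-implementation of the same pipeline run over constructed DeviceFileEvents rows, so the file-name parsing rule and the case-insensitive list match can be checked offline without a workspace. It goes slightly beyond the query's trim_end step: rather than only stripping the suffix, it requires the 32-character a-p extension ID format (the optional "_<version>" suffix follows the original query's assumption) and skips any .crx whose name does not fit, so a stray file name cannot produce a bogus ID. The event rows, folder paths, timestamps and the unsanctioned list are constructed sample data; the Grammarly ID is the one the original query mentions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Chrome/Edge extension IDs are 32 letters in the range a-p. The optional
# "_<version>" suffix mirrors the assumption the original query's trim_end makes.
CRX_NAME = re.compile(r"^(?P<id>[a-p]{32})(?:_\d{2,6})?\.crx$", re.IGNORECASE)

CHROME_STORE = "https://chrome.google.com/webstore/detail/"
EDGE_STORE = "https://microsoftedge.microsoft.com/addons/detail/"

# Constructed unsanctioned list standing in for the externaldata() CSV
# (uppercase and a blank line to show the match tolerates both).
UNSANCTIONED = ["ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP", ""]

# Fixed "now" so the 90-day window over the sample rows is reproducible.
REFERENCE_TIME = datetime(2024, 11, 11, tzinfo=timezone.utc)

GRAMMARLY = "kbfnbcaeplbcioakkpcpgfkobkghlhen"  # ID named in the original query
CHROME_WS = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Webstore Downloads"
EDGE_WS = r"C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Webstore Downloads"


def _ev(day, proc, folder, name, action="FileCreated") -> Dict[str, object]:
    """Build one constructed DeviceFileEvents row with only the columns the query uses."""
    return {"TimeGenerated": datetime(2024, *day, tzinfo=timezone.utc), "ActionType": action,
            "InitiatingProcessFileName": proc, "FolderPath": folder, "FileName": name}


SAMPLE_EVENTS: List[Dict[str, object]] = [
    _ev((11, 1), "chrome.exe", CHROME_WS, GRAMMARLY + "_1234.crx"),
    _ev((10, 20), "chrome.exe", CHROME_WS, GRAMMARLY + "_1235.crx"),
    _ev((11, 5), "msedge.exe", EDGE_WS, "ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP.crx"),  # no suffix, uppercase
    _ev((11, 3), "chrome.exe", CHROME_WS, "setup.crx"),  # .crx but not an extension ID: skipped
    _ev((11, 4), "chrome.exe", r"C:\Users\dave\Downloads", GRAMMARLY + "_1234.crx"),  # wrong folder
    _ev((7, 1), "chrome.exe", CHROME_WS, GRAMMARLY + "_1234.crx"),  # outside the 90-day window
    _ev((11, 6), "chrome.exe", CHROME_WS, GRAMMARLY + "_1234.crx", action="FileDeleted"),
]


def extension_id_from_filename(file_name: str) -> Optional[str]:
    """Return the lower-cased extension ID, or None if the name is not a web-store CRX name."""
    match = CRX_NAME.match(file_name)
    return match.group("id").lower() if match else None


def classify_events(events: Iterable[Dict[str, object]], unsanctioned: Iterable[str],
                    browser: Optional[str] = None, lookback_days: int = 90,
                    now: Optional[datetime] = None) -> List[Dict[str, object]]:
    """Emulate the KQL pipeline: filter, extract the ID, flag against the list, summarize."""
    now = now or datetime.now(timezone.utc)
    since = now - timedelta(days=lookback_days)
    # KQL's in~ is case-insensitive, so normalise the list once; ignore blank lines.
    blocked = {entry.strip().lower() for entry in unsanctioned if entry.strip()}
    counts: Counter = Counter()
    for ev in events:
        if ev["TimeGenerated"] <= since or ev["ActionType"] != "FileCreated":
            continue
        if not str(ev["FileName"]).lower().endswith(".crx"):
            continue
        if browser and str(ev["InitiatingProcessFileName"]).lower() != browser.lower():
            continue
        # KQL 'contains' is case-insensitive, so compare lower-cased.
        if "webstore downloads" not in str(ev["FolderPath"]).lower():
            continue
        ext_id = extension_id_from_filename(str(ev["FileName"]))
        if ext_id is None:
            continue  # not a web-store package name; do not key a result on it
        counts[ext_id] += 1
    return [{"ExtensionID": ext_id,
             "ExtensionURL": CHROME_STORE + ext_id,
             "EdgeExtensionURL": EDGE_STORE + ext_id,
             "RiskyExtension": "Yes" if ext_id in blocked else "N/A",
             "count_": n}
            for ext_id, n in sorted(counts.items())]


if __name__ == "__main__":
    for row in classify_events(SAMPLE_EVENTS, UNSANCTIONED, now=REFERENCE_TIME):
        print(row)
```

Running the module prints two summary rows: the constructed Edge extension flagged "Yes" with a count of 1, and Grammarly with "N/A" and a count of 2; the deleted, out-of-window, wrongly-located and non-ID rows are dropped just as the KQL filters drop them. Passing browser="chrome.exe" reproduces the commented-out Chrome-only filter.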

Jay Kerai
Released: November 11, 2024