Query Details

Query the installed extensions with the most required permissions

Browser Extension Installed Extensions With The Most Required Permissions

Query

let PermissionInformation = DeviceTvmBrowserExtensionsKB
     | where IsPermissionRequired == "true"
     | summarize
         TotalPermissions = dcount(PermissionName),
         PermissionNames = make_set(PermissionName)
         by ExtensionId
     | where TotalPermissions > 3 // Change baseline if needed
     | project ExtensionId, TotalPermissions, PermissionNames;
DeviceTvmBrowserExtensions
| join kind=inner PermissionInformation on ExtensionId
| sort by TotalPermissions
| join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId | project DeviceId, DeviceName, OSPlatform)  on DeviceId
| project DeviceId, OSPlatform, DeviceName, BrowserName, ExtensionName, ExtensionRisk, PermissionNames, TotalPermissions

About this query

Query the installed extensions with the most required permissions


Defender XDR

Explanation

This query is designed to identify and list browser extensions installed on devices that require a significant number of permissions, specifically more than three. Here's a breakdown of what the query does in simple terms:

  1. Identify Extensions with Required Permissions:

    • It starts by looking at a dataset of browser extensions (DeviceTvmBrowserExtensionsKB) and filters for extensions where permissions are marked as required (IsPermissionRequired == "true").
    • It then counts the number of unique permissions each extension requires and creates a list of these permissions for each extension (TotalPermissions and PermissionNames).
  2. Filter Extensions with High Permission Requirements:

    • The query filters out extensions that require more than three permissions, which can be adjusted if needed.
  3. Join with Installed Extensions:

    • It then matches these filtered extensions with the actual extensions installed on devices (DeviceTvmBrowserExtensions) to get more details about them.
  4. Sort and Enrich with Device Information:

    • The results are sorted by the total number of permissions required.
    • Additional device information is added by joining with another dataset (DeviceInfo) to include details like the device name and operating system platform.
  5. Final Output:

    • The final output includes details such as the device ID, operating system platform, device name, browser name, extension name, extension risk level, the list of required permissions, and the total number of permissions required.

In summary, this query helps identify potentially risky browser extensions that require a large number of permissions, providing insights into which devices have these extensions installed and additional context about the devices themselves.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 18, 2026

Tables

DeviceTvmBrowserExtensionsKBDeviceTvmBrowserExtensionsDeviceInfo

Keywords

DeviceTvmBrowserExtensionsPermissionNameExtensionIdInfoOSPlatformRisk

Operators

let|wheresummarizedcountmake_setbyprojectjoinkind=innersort bykind=leftouterarg_max

Actions

GitHub