Query Details

Browser Extension Installed Extensions With The Most Required Permissions

Query

# Query the installed extensions with the most required permissions
----
### Defender For Endpoint
```
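// Count the distinct required permissions of each extension in the knowledge base
let PermissionInformation = DeviceTvmBrowserExtensionsKB
     | where IsPermissionRequired == "true"
     | summarize
         TotalPermissions = dcount(PermissionName),
         PermissionNames = make_set(PermissionName)
         by ExtensionId
     | where TotalPermissions > 3 // Change baseline if needed
     | project ExtensionId, TotalPermissions, PermissionNames;
DeviceTvmBrowserExtensions
// kind=inner keeps every installation; the default innerunique keeps one left row per key
| join kind=inner PermissionInformation on ExtensionId
| sort by TotalPermissions
// Use the latest DeviceInfo record per device so installations are not duplicated
| join kind=inner (
     DeviceInfo
     | summarize arg_max(Timestamp, DeviceName) by DeviceId
     ) on DeviceId
| project
     DeviceName,
     BrowserName,
     ExtensionName,
     ExtensionRisk,
     PermissionNames,
     TotalPermissions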
```


Explanation

This query lists the installed browser extensions that require the most permissions. It first counts the distinct required permissions of each extension in DeviceTvmBrowserExtensionsKB and keeps the extensions with more than 3 (adjust this threshold to your own baseline). It then joins this information with the installed extensions in DeviceTvmBrowserExtensions on the extension ID, sorts the results by the total number of permissions, and joins them with device information on the device ID. The final output includes the device name, browser name, extension name, extension risk, permission names, and total number of permissions.

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceTvmBrowserExtensionsKB, DeviceTvmBrowserExtensions, DeviceInfo

Keywords

DeviceTvmBrowserExtensionsKB,IsPermissionRequired,PermissionName,ExtensionId,TotalPermissions,PermissionNames,DeviceTvmBrowserExtensions,ExtensionName,ExtensionRisk,DeviceInfo,DeviceId,DeviceName,BrowserName

Operators

let, where, summarize, dcount, make_set, by, project, join, sort
