Query Details
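# Top 100 critical browser extensions with the most permissions required

----

## Defender XDR

```KQL
DeviceTvmBrowserExtensions
| where ExtensionRisk == "Critical"
// Count critical extensions per device and collect their names
| summarize TotalExtentions = count(), ExtentionNames = make_set(ExtensionName) by DeviceId
// DeviceInfo holds many records per device; keep only the latest so each device appears once
| join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, DeviceName) by DeviceId) on DeviceId
| project DeviceName, TotalExtentions, ExtentionNames
| top 100 by TotalExtentions
```
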
This query identifies the 100 devices with the most browser extensions rated "Critical" risk, a rating that reflects the permissions an extension requests. Here's a breakdown of what the query does:
1. Data Source: It starts by looking at the DeviceTvmBrowserExtensions table, which contains information about browser extensions on devices.
2. Filter: It filters the data to only include extensions that have a risk level labeled as "Critical".
3. Summarize: For each device, it counts the total number of critical extensions and creates a list of the names of these extensions.
4. Join: It then joins this summarized data with the DeviceInfo table to get additional information about each device.
5. Project: The query selects specific columns to display: the device name, the total number of critical extensions, and the list of extension names.
6. Top 100: Finally, it sorts the results to show the top 100 devices with the most critical extensions, based on the total number of extensions.
In simple terms, this query finds and lists the top 100 devices that have the most critical browser extensions installed, along with the names of those extensions.
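
The query above ranks devices. As an added companion example (not part of the original query or the author's repository), the following pivots to the extensions themselves and ranks critical extensions by how many required permissions they request and how many devices carry them. It assumes the DeviceTvmBrowserExtensionsKB table is available in the tenant, and that the columns IsActivated, BrowserName, ExtensionId, PermissionId, PermissionName, PermissionRisk and IsPermissionRequired match the documented advanced hunting schema.

```kql
// Added example: per-extension view of critical extensions.
// Assumption: DeviceTvmBrowserExtensionsKB and the permission columns below exist in this tenant.
let CriticalInstalls = DeviceTvmBrowserExtensions
    | where ExtensionRisk == "Critical"
    | summarize Devices = dcount(DeviceId),
                // Devices where the extension is switched on, not just installed
                ActivatedDevices = dcountif(DeviceId, tobool(IsActivated)),
                Browsers = make_set(BrowserName)
        by ExtensionId, ExtensionName;
let RequiredPermissions = DeviceTvmBrowserExtensionsKB
    // Only permissions the extension needs in order to run, not optional ones
    | where tobool(IsPermissionRequired)
    | summarize PermissionCount = dcount(PermissionId),
                CriticalPermissions = make_set_if(PermissionName, PermissionRisk == "Critical")
        by ExtensionId;
CriticalInstalls
// leftouter keeps extensions that have no knowledge-base entry (PermissionCount stays empty)
| join kind=leftouter RequiredPermissions on ExtensionId
| project ExtensionName, ExtensionId, Devices, ActivatedDevices, Browsers, PermissionCount, CriticalPermissions
| sort by PermissionCount desc, Devices desc
| take 100
```

Extensions with a high PermissionCount and a high ActivatedDevices value are the first candidates for review or for a browser policy blocklist.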

Bert-Jan Pals
Released: January 18, 2026