KQL Search

This KQL (Kusto Query Language) query is designed to identify potential security threats related to the installation of Chrome extensions and the use of PowerShell on devices. Here's a simplified breakdown of what the query does:

1. Identify Devices with New Chrome Extensions:

   • The first part of the query (let EPwithNewExt = ...) looks at DeviceFileEvents to find instances where a file with the extension ".crx" (which is a Chrome extension file) has been created.
   • It collects a list of distinct device names (DeviceName) where these new Chrome extensions have been added.

2. Detect PowerShell Usage Related to Extensions:

   • The second part of the query (DeviceProcessEvents ...) examines DeviceProcessEvents to find processes where either the FileName or InitiatingProcessFileName is "powershell.exe".
   • It further filters these events to find instances where the ProcessCommandLine includes the term "load-extension", indicating that PowerShell is being used to load a Chrome extension.
   • Finally, it checks if these PowerShell events occurred on any of the devices identified in the first step (those with new Chrome extensions).

In summary, this query is used to detect suspicious activity where new Chrome extensions are installed, and PowerShell is used to load these extensions, potentially indicating malicious behavior or a security threat.