Browser Extension Downloads Using Device File Events
Query
let UnsanctionedExtensions = externaldata (ExtensionID: string) [@'https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Intune/Intune%20Browser%20Extension_IDs_the_user_should_be_prevented_from_installing.csv'] with (format=txt);
let RiskyExtensionsWithNames = externaldata (ExtensionID: string,ExtensionURL:string, ExtensionName:string) [@'https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Intune/Unsanctioned_extensions_with_names.csv'] with (format=csv, ignoreFirstRecord = true);
DeviceFileEvents
| where TimeGenerated > ago(90d)
| where ActionType == "FileCreated"
| where FileName endswith ".crx"
//| where InitiatingProcessFileName == "chrome.exe" //if you need to filter down to chrome vs edge
| where FolderPath contains "Webstore Downloads"
| extend ExtensionID = trim_end(@"_\d{2,6}.crx", FileName)
| extend ExtensionURL = strcat("https://chrome.google.com/webstore/detail/",ExtensionID)
| extend EdgeExtensionURL = strcat("https://microsoftedge.microsoft.com/addons/detail/",ExtensionID)
| extend RiskyExtension = iff((ExtensionID in~(UnsanctionedExtensions)), "Yes","N/A")
| summarize count() by ExtensionID,ExtensionURL, EdgeExtensionURL, RiskyExtension
//| where ExtensionID != "kbfnbcaeplbcioakkpcpgfkobkghlhen" //Grammarly
//| where RiskyExtension == "Yes"
| join kind=leftouter RiskyExtensionsWithNames on ExtensionID //if name is present in the risky list present it
| project-away ExtensionID1,ExtensionURL1Explanation
This KQL (Kusto Query Language) query is designed to analyze and identify potentially risky browser extensions that have been downloaded onto devices within the last 90 days. Here's a simplified breakdown of what the query does:
-
Load External Data:
- It imports two datasets from external CSV files hosted on GitHub:
UnsanctionedExtensions: A list of extension IDs that should not be installed.RiskyExtensionsWithNames: A list of extension IDs along with their URLs and names that are considered risky.
- It imports two datasets from external CSV files hosted on GitHub:
-
Filter Device File Events:
- It looks at
DeviceFileEventsto find events where files were created in the last 90 days. - Specifically, it filters for files with names ending in ".crx", which are typically Chrome extension files.
- It further filters for files downloaded from "Webstore Downloads" folders.
- It looks at
-
Extract and Construct URLs:
- It extracts the
ExtensionIDfrom the file name. - It constructs URLs for both Chrome and Edge web stores using the
ExtensionID.
- It extracts the
-
Identify Risky Extensions:
- It checks if the
ExtensionIDis in theUnsanctionedExtensionslist and labels it as "Yes" for risky, otherwise "N/A".
- It checks if the
-
Summarize Data:
- It summarizes the data by counting occurrences of each
ExtensionID, along with their constructed URLs and risk status.
- It summarizes the data by counting occurrences of each
-
Join with Risky Extensions Names:
- It performs a left outer join with the
RiskyExtensionsWithNamesdataset to add extension names if they are present in the risky list.
- It performs a left outer join with the
-
Project Results:
- It removes duplicate or unnecessary columns from the final output.
This query helps in monitoring and managing browser extensions by identifying and summarizing potentially risky extensions downloaded onto devices, aiding in security and compliance efforts.
Details

Jay Kerai
Released: February 22, 2025
Tables
DeviceFileEvents
Keywords
ExtensionsDevicesIntuneFileEventsWebstoreDownloadsChromeEdge
Operators
letexternaldatawithwhereagoendswithcontainsextendtrim_endstrcatiffin~summarizebyjoinkind=leftouteronproject-away