Query Details
# Top 100 devices with the most browser extensions installed
----
## Defender XDR
```KQL
DeviceTvmBrowserExtensions
| summarize
TotalExtensions = dcount(ExtensionId),
ExtensionNames = make_set(ExtensionName)
by DeviceId
| join kind=inner DeviceInfo on DeviceId
| project DeviceName, TotalExtensions, ExtensionNames
| top 100 by TotalExtensions
```
This query is designed to identify the top 100 devices with the most browser extensions installed. Here's a simple breakdown of what it does:
Data Source: It starts by accessing data from DeviceTvmBrowserExtensions, which contains information about browser extensions installed on devices.
Summarization: For each device, it calculates two things:
TotalExtensions: The total number of unique browser extensions installed, identified by their ExtensionId.ExtensionNames: A list of the names of these extensions.Joining Data: It then combines this information with another dataset, DeviceInfo, to get additional details about each device using the DeviceId.
Projection: The query selects (or projects) three pieces of information for each device:
DeviceName: The name of the device.TotalExtensions: The total count of extensions.ExtensionNames: The list of extension names.Ranking: Finally, it sorts the devices by the number of extensions installed and selects the top 100 devices with the most extensions.
In summary, the query identifies and lists the top 100 devices with the highest number of browser extensions, providing both the count and the names of these extensions for each device.

Bert-Jan Pals
Released: January 18, 2026
Tables
Keywords
Operators