Query Details

Browser Extension Top 100 Most Permissive Extensions Installed

Query

# Top 100 critical browser extensions with the most permissions required
----
## Defender XDR
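```KQL
// Count critical-risk extension rows per device and collect their names
DeviceTvmBrowserExtensions
| where ExtensionRisk == "Critical"
| summarize TotalExtensions = count(), ExtensionNames = make_set(ExtensionName) by DeviceId
// DeviceInfo holds many rows per device; keep only the latest so the join does not duplicate devices
| join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, DeviceName) by DeviceId) on DeviceId
| project DeviceName, TotalExtensions, ExtensionNames
| top 100 by TotalExtensions
```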


Explanation

This query identifies the 100 devices with the most installed browser extensions rated "Critical" in terms of risk, a rating that reflects the permissions an extension requests. Here's a breakdown of what the query does:

  1. Data Source: It starts by looking at the DeviceTvmBrowserExtensions table, which contains information about browser extensions on devices.

  2. Filter: It filters the data to only include extensions that have a risk level labeled as "Critical".

  3. Summarize: For each device, it counts the total number of critical extensions and creates a list of the names of these extensions.

  4. Join: It then joins this summarized data with the DeviceInfo table to get additional information about each device.

  5. Project: The query selects specific columns to display: the device name, the total number of critical extensions, and the list of extension names.

  6. Top 100: Finally, it sorts the results to show the top 100 devices with the most critical extensions, based on the total number of critical extensions per device.

In simple terms, this query finds and lists the top 100 devices that have the most critical browser extensions installed, along with the names of those extensions.
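The steps above can be traced on a small data set. This is an added example, not part of the original query: the two `datatable` stand-ins, their rows, and the `TotalRows` and `DistinctExtensions` column names are constructed for illustration, and `BrowserName` is assumed from the table schema rather than taken from this page. It shows that `count()` counts one row per browser and extension pair, and that `DeviceInfo` needs to be reduced to one row per device before the join.

```kql
// Constructed sample rows standing in for DeviceTvmBrowserExtensions
let SampleExtensions = datatable(DeviceId:string, BrowserName:string, ExtensionName:string, ExtensionRisk:string)
[
    "dev-01", "Edge",   "Sample Tab Manager", "Critical",
    "dev-01", "Chrome", "Sample Tab Manager", "Critical",
    "dev-01", "Chrome", "Sample PDF Tool",    "Critical",
    "dev-02", "Edge",   "Sample PDF Tool",    "Critical",
    "dev-02", "Edge",   "Sample Notes",       "Low"
];
// Constructed sample rows standing in for DeviceInfo (dev-01 reports twice)
let SampleDeviceInfo = datatable(Timestamp:datetime, DeviceId:string, DeviceName:string)
[
    datetime(2026-01-10 08:00), "dev-01", "workstation-01",
    datetime(2026-01-11 08:00), "dev-01", "workstation-01",
    datetime(2026-01-11 09:00), "dev-02", "workstation-02"
];
SampleExtensions
| where ExtensionRisk == "Critical"
| summarize
    TotalRows = count(),                          // one row per browser/extension pair
    DistinctExtensions = dcount(ExtensionName),   // same extension in two browsers counts once
    ExtensionNames = make_set(ExtensionName)
    by DeviceId
| join kind=leftouter (
    SampleDeviceInfo
    | summarize arg_max(Timestamp, DeviceName) by DeviceId   // latest record per device
  ) on DeviceId
| project DeviceName, TotalRows, DistinctExtensions, ExtensionNames
| top 100 by TotalRows
```

Joining against `SampleDeviceInfo` directly, without the `arg_max` step, would return the `dev-01` row once per report and let a single device occupy several of the 100 slots.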

Details

Bert-Jan Pals

Released: January 18, 2026

Tables

DeviceTvmBrowserExtensions, DeviceInfo

Keywords

DeviceTvmBrowserExtensions, ExtensionRisk, ExtensionName, DeviceId, DeviceInfo, DeviceName

Operators

where, summarize, count(), make_set(), join kind=leftouter, project, top
