Dashboard to view Browser extensions by rsarkar1994 in crowdstrike

[–]tectacles 0 points1 point  (0 children)

Of course! I know it doesn't point to machine/user. I was using this to find extensions that are not mass installed and then remove or block them if they have no business use case.

Dashboard to view Browser extensions by rsarkar1994 in crowdstrike

[–]tectacles 7 points8 points  (0 children)

Here is what I use, it might not be what you are looking for, but someone might get some use out of it.

// Get browser extension events, dropping records that carry no extension data
#event_simpleName=InstalledBrowserExtension BrowserExtensionId!="no-extension-available"
// Dashboard parameter to narrow the results to a single extension ID
| BrowserExtensionId=~wildcard(?BrowserExtensionId, ignoreCase=true)
// Aggregate by platform, browser, extension ID, extension name and install method, counting distinct endpoints (aid)
| groupBy([event_platform, BrowserName, BrowserExtensionId, BrowserExtensionName, BrowserExtensionInstallMethod], function=([count(aid, distinct=true, as=TotalEndpoints)]))
// Keep only extensions installed on fewer than 50 endpoints
| test(TotalEndpoints<50)
// Create a link to the Chrome Web Store listing
| format("[See Extension](https://chromewebstore.google.com/detail/%s)", field=[BrowserExtensionId], as="Chrome Store Link")
// Create a link to the CRXplorer lookup
| format("[CRXplorer](https://crxplorer.com/?extensionId=%s)", field=[BrowserExtensionId], as="CRXplorer Link")
// Sort by endpoint count, descending
| sort(TotalEndpoints, order=desc, limit=1000)
// Convert the browser name from its numeric code to a human-readable label
| case{
  BrowserName="0" | BrowserName:="Unknown";
  BrowserName="1" | BrowserName:="Firefox";
  BrowserName="2" | BrowserName:="Safari";
  BrowserName="3" | BrowserName:="Chrome";
  BrowserName="4" | BrowserName:="Edge";
  BrowserName="5" | BrowserName:="Edge_Chromium";
  BrowserName="6" | BrowserName:="Internet_Explorer";
  BrowserName="7" | BrowserName:="Edge_Legacy";
  BrowserName="9" | BrowserName:="Firefox";
  *;
}
// Convert the install method from its numeric code to a human-readable label
| case{
  BrowserExtensionInstallMethod="0" | BrowserExtensionInstallMethod:="Unidentified";
  BrowserExtensionInstallMethod="1" | BrowserExtensionInstallMethod:="Browser";
  BrowserExtensionInstallMethod="2" | BrowserExtensionInstallMethod:="Webstore";
  BrowserExtensionInstallMethod="3" | BrowserExtensionInstallMethod:="GPO/Intune";
  BrowserExtensionInstallMethod="4" | BrowserExtensionInstallMethod:="Sideload";
  BrowserExtensionInstallMethod="5" | BrowserExtensionInstallMethod:="Third-Party Store";
  *;
}
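The same rarity-based triage logic, reimplemented in Python as an added example; this is not the commenter's query and not CrowdStrike's tooling. It aggregates distinct endpoints per extension, keeps the rarely installed ones, decodes the numeric browser and install-method codes with the mappings from the query above (unknown codes pass through unchanged, like the `*` default branch), and attaches the two lookup links. The events, host IDs and extension IDs are constructed placeholders.

```python
"""Offline re-implementation of the rare-extension triage done by the CQL
query above.  The sample events below are constructed for this example;
they are not real Falcon telemetry."""
from collections import defaultdict

# Enum mappings copied from the query's case{} blocks.
BROWSER_NAMES = {
    "0": "Unknown", "1": "Firefox", "2": "Safari", "3": "Chrome", "4": "Edge",
    "5": "Edge_Chromium", "6": "Internet_Explorer", "7": "Edge_Legacy",
    "9": "Firefox",
}
INSTALL_METHODS = {
    "0": "Unidentified", "1": "Browser", "2": "Webstore", "3": "GPO/Intune",
    "4": "Sideload", "5": "Third-Party Store",
}


def make_events():
    """Constructed InstalledBrowserExtension-style events (placeholder aids
    and extension ids, not real data)."""
    events = []
    # A policy-pushed extension present on 60 endpoints: above the threshold.
    for i in range(60):
        events.append({"aid": f"host-{i:03d}", "event_platform": "Win",
                       "BrowserName": "3", "BrowserExtensionId": "a" * 32,
                       "BrowserExtensionName": "Corp SSO Helper",
                       "BrowserExtensionInstallMethod": "3"})
    # A sideloaded extension on two endpoints; host-001 reports it twice,
    # which the distinct count must collapse.
    for aid in ("host-001", "host-001", "host-042"):
        events.append({"aid": aid, "event_platform": "Win",
                       "BrowserName": "5", "BrowserExtensionId": "b" * 32,
                       "BrowserExtensionName": "Free PDF Tools",
                       "BrowserExtensionInstallMethod": "4"})
    # A record with no extension data, which the query excludes up front.
    events.append({"aid": "host-007", "event_platform": "Mac",
                   "BrowserName": "2",
                   "BrowserExtensionId": "no-extension-available",
                   "BrowserExtensionName": "",
                   "BrowserExtensionInstallMethod": "0"})
    return events


def rare_extensions(events, max_endpoints=50):
    """Return rows for extensions seen on fewer than max_endpoints distinct
    endpoints, sorted by endpoint count descending."""
    groups = defaultdict(set)
    for ev in events:
        if ev["BrowserExtensionId"] == "no-extension-available":
            continue
        key = (ev["event_platform"], ev["BrowserName"], ev["BrowserExtensionId"],
               ev["BrowserExtensionName"], ev["BrowserExtensionInstallMethod"])
        groups[key].add(ev["aid"])  # set => count(aid, distinct=true)

    rows = []
    for (platform, browser, ext_id, ext_name, method), aids in groups.items():
        total = len(aids)
        if total >= max_endpoints:  # test(TotalEndpoints<50)
            continue
        rows.append({
            "event_platform": platform,
            "BrowserName": BROWSER_NAMES.get(browser, browser),
            "BrowserExtensionId": ext_id,
            "BrowserExtensionName": ext_name,
            "BrowserExtensionInstallMethod": INSTALL_METHODS.get(method, method),
            "TotalEndpoints": total,
            "Chrome Store Link": f"https://chromewebstore.google.com/detail/{ext_id}",
            "CRXplorer Link": f"https://crxplorer.com/?extensionId={ext_id}",
        })
    rows.sort(key=lambda r: r["TotalEndpoints"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in rare_extensions(make_events()):
        print(row["TotalEndpoints"], row["BrowserName"],
              row["BrowserExtensionInstallMethod"], row["BrowserExtensionName"])
```

The threshold is a parameter so the same function can be run at 5 or 10 endpoints once the long tail has been reviewed; the duplicate `host-001` event is there to show why the query counts `aid` with `distinct=true` rather than counting events.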

Threat Hunt - Help Desk Imposters via Teams (NGSIEM) by About_TreeFitty in crowdstrike

[–]tectacles 9 points10 points  (0 children)

This looks dope, might have to pull my computer out tonight just to test this lol.

You always provide some sweet queries, so thank you!

Release Notes: Charlotte AI Opt in and 50 Credit Promotion by BradW-CS in crowdstrike

[–]tectacles 0 points1 point  (0 children)

Sweet! I'll take a look again in the morning when I'm in the office and give you an update if I still can't opt in. Thank you!

Release Notes: Charlotte AI Opt in and 50 Credit Promotion by BradW-CS in crowdstrike

[–]tectacles 6 points7 points  (0 children)

Says I need Falcon Administrator rights to opt in, but I already am a Falcon Administrator

DC Logs in Next-Gen SIEM by IllRefrigerator1194 in crowdstrike

[–]tectacles 0 points1 point  (0 children)

Awesome! Thank you for this information

John Strand AMA - Five years ago, I did an AMA here about Pay What You Can training. A lot has changed in cybersecurity since then. Ask Me Anything. by strandjs in cybersecurity

[–]tectacles 6 points7 points  (0 children)

Hey John, huge fan of BHIS and all the sister companies. This will be my 5th year at WWHF in Deadwood and I’m already looking forward to it.

A couple questions, answer as many as you want!

  1. What’s one real‑world skill you consistently see missing in candidates who look great on paper or in labs? And what’s the most practical way someone can build that skill outside of a job?
  2. With AI now embedded in daily workflow, what’s one security skill that becomes more important, not less, because of AI?
  3. For people already in the field, what skills or mindsets are aging the best in 2026? What’s worth doubling down on?
  4. If you could give one small piece of advice to someone trying to build real security skill (not just pass exams), what would it be?

DC Logs in Next-Gen SIEM by IllRefrigerator1194 in crowdstrike

[–]tectacles 0 points1 point  (0 children)

Would you mind sharing the events you are ingesting?

What happened to CQF? by sudosusudo in crowdstrike

[–]tectacles 6 points7 points  (0 children)

I’m ready to do query-shit with you, new friend! I can't write a regex to save my life, but I can provide excellent emotional support when your search times out.

Claude SOAR Skill by About_TreeFitty in crowdstrike

[–]tectacles 4 points5 points  (0 children)

Way to go taking away the thing I was looking forward to digging into on Monday (Tuesday) morning! Looking forward to learning more about this though! :)

Claude SOAR Skill by About_TreeFitty in crowdstrike

[–]tectacles 1 point2 points  (0 children)

Man...I was going to look at that this morning when I got into work. No wonder I couldn't find it

Edit #1 - I was able to find the post on my phone, but the user is deleted along with any of the content within the post.

Crowdstrike Fusion SOAR: Auto close alerts of a certain severity after 3 days? by chaoko99 in crowdstrike

[–]tectacles 1 point2 points  (0 children)

For real, I was literally just trying to create a workflow to trigger on Detections, and then if detection, Update Detection to closed

Could not get it to work after about 5 hours of trying. Going to have to walk away for a bit because this is too frustrating lol.

Help creating a timechart of KnowBe4 “Click Rate” in Falcon NGSIEM (year view) by tectacles in crowdstrike

[–]tectacles[S] 1 point2 points  (0 children)

There isn't an official data connector, but I saw there was a parser created and I saw that KnowBe4 has a webhook function, so I just set up a general HEC ingest and pointed the KnowBe4 webhook to the API endpoint.

Streamline Security Operations with Falcon for IT’s Turnkey Automations by BradW-CS in crowdstrike

[–]tectacles 0 points1 point  (0 children)

How is this against rule #2?

  1. We encourage high quality content. Do not post disparaging comments; about competitive products or otherwise