Cortex XDR Pro / Browser extensions


L3 Networker

Has anyone ever configured their environment to detect on unauthorized or unsupported browser extensions? Or conduct a threat hunt based on known facts?


We've seen some slip through the cracks and I know Cortex doesn't natively detect abused or malicious extensions. Any XQL ideas out there perhaps? 

1 REPLY

L4 Transporter

Hello @CraigV123 ,


Greetings for the day.


I would like to inform you that, while Cortex XDR does not natively provide a dashboard inventory or direct blocking of browser extensions by ID/name, you can configure detection and conduct threat hunts using XQL and the existing behavioral modules.


1. Native Product Limitations:

  • Cortex XDR operates primarily at the Operating System (OS) level. Because browser extensions run within the browser’s internal sandbox environment and do not typically create independent OS processes, the agent lacks native visibility into the internal list of loaded extensions.

  • Direct management or blocking of specific extension IDs is a recognized product limitation, and several feature requests (CXDR-I-1134 and CXDR-I-146) exist to address this in future updates.


2. XQL Threat Hunting Ideas:

You can hunt for unauthorized extensions by searching for file activity in standard extension directories or extracting extension IDs from file paths.

A. Searching for Known Malicious IDs:

If you have a list of malicious or unauthorized extension IDs, you can search for their presence in the file system logs.

dataset = xdr_data
| filter event_type = FILE
| filter action_file_path contains "Chrome\\User Data" and action_file_path contains "[INSERT_EXTENSION_ID_HERE]"
| dedup agent_hostname

B. Extracting All Installed Extension IDs:

You can use regular expressions to extract 32-character extension IDs from file path events to create a list of what is running in your environment.


config case_sensitive = false
| dataset = xdr_data
| filter event_type = FILE and event_sub_type != FILE_REMOVE
| filter action_file_path contains "Extensions"
| alter extension_id = arrayindex(regextract(action_file_path, "([a-p]{32})"), 0)
| filter extension_id != null
| stats count() by agent_hostname, extension_id

C. Locating Manifest Files:

To identify the name and details of an extension found via hunting, you can use the File Search and Destroy feature or Live Terminal to locate the manifest.json file associated with the identified ID:


C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<extension_id>\<version>\manifest.json
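The three hunting steps above (match known IDs, extract all IDs from file paths, then read the manifest to name the extension) can be reproduced offline on exported query results. The following Python script is an added example written for this thread; it is not part of the original reply and not Palo Alto Networks code. Every hostname, file path, extension ID and manifest in it is constructed for illustration, and the allowlist/blocklist contents are placeholders you would replace with your own inventory. It also tightens the ID regex to `[a-p]{32}`, since Chrome and Edge extension IDs only ever use the letters a through p, which avoids matching other 32-character tokens such as hashes in a path.

```python
"""Inventory browser extensions from file-path telemetry and triage them
against an allowlist and a blocklist. Added example for this thread; all
IDs, hosts, paths and manifest contents below are constructed."""
import json
import re

# Chrome/Edge extension IDs are exactly 32 characters from the letters a-p
# (Chrome encodes the hash of the signing key in that alphabet), so this is
# tighter than a plain \w{32} and will not match version folders or hashes.
EXTENSION_ID_RE = re.compile(r"[\\/]Extensions[\\/]([a-p]{32})[\\/]")

# Constructed sample of (agent_hostname, action_file_path) pairs, shaped like
# the rows an XQL query over FILE events in xdr_data would return.
SAMPLE_EVENTS = [
    ("WS-001", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\2.1.0_0\manifest.json"),
    ("WS-001", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\2.1.0_0\background.js"),
    ("WS-002", r"C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ppppoooonnnnmmmmllllkkkkjjjjiiii\1.0.0_0\content.js"),
    ("WS-002", r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aabbccddeeffgghhiijjkkllmmnnoopp\0.9.3_0\manifest.json"),
    ("WS-003", r"C:\Users\carol\Downloads\quarterly_report.docx"),  # no extension path
]

ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}   # approved by IT (placeholder)
BLOCKLIST = {"ppppoooonnnnmmmmllllkkkkjjjjiiii"}   # known unwanted (placeholder)


def extract_extension_ids(events):
    """Return {hostname: set(extension_id)} from (hostname, path) rows.
    This mirrors the regextract() + stats step of the XQL query."""
    inventory = {}
    for hostname, path in events:
        match = EXTENSION_ID_RE.search(path)
        if match:
            inventory.setdefault(hostname, set()).add(match.group(1))
    return inventory


def triage(inventory, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Label every (host, id) pair as 'allowed', 'blocked' or 'unknown'.
    Blocklist wins over allowlist so a mislabelled ID cannot hide a hit."""
    findings = []
    for hostname in sorted(inventory):
        for ext_id in sorted(inventory[hostname]):
            if ext_id in blocklist:
                status = "blocked"
            elif ext_id in allowlist:
                status = "allowed"
            else:
                status = "unknown"
            findings.append((hostname, ext_id, status))
    return findings


def parse_manifest(manifest_text):
    """Pull name, version and permissions from a manifest.json retrieved via
    Live Terminal or File Search and Destroy. A name of the form
    __MSG_key__ is a localisation placeholder; the readable string then
    lives in _locales/<lang>/messages.json, so flag it rather than guess."""
    manifest = json.loads(manifest_text)
    name = manifest.get("name", "")
    localized = name.startswith("__MSG_") and name.endswith("__")
    return {
        "name": name,
        "name_is_localized": localized,
        "version": manifest.get("version", ""),
        "permissions": sorted(manifest.get("permissions", [])),
        "host_permissions": sorted(manifest.get("host_permissions", [])),
    }


# Constructed manifest.json content for the 'unknown' extension above.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "__MSG_appName__",
    "version": "0.9.3",
    "permissions": ["tabs", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
})


if __name__ == "__main__":
    for host, ext_id, status in triage(extract_extension_ids(SAMPLE_EVENTS)):
        print(f"{host}\t{ext_id}\t{status}")
    print(parse_manifest(SAMPLE_MANIFEST))
```

Feed `extract_extension_ids()` the exported rows of the XQL query (hostname plus `action_file_path`) and review every `unknown` result first; an unknown extension whose manifest requests `<all_urls>` together with `cookies` or `webRequest` deserves a closer look than one limited to a single site.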

3. Detection via Analytics and Behavioral Modules:

Cortex XDR includes built-in mechanisms to catch extensions when they exhibit malicious behavior:

  • Analytics Alerts: The platform can trigger the alert "A browser extension was installed or loaded in an uncommon way" based on suspicious installation methods (e.g., loading via special command-line arguments or LOLBIN processes).

  • Behavioral Threat Protection (BTP): If an extension attempts to drop a payload, steal credentials, or perform process injection, BTP and Anti-Exploit modules will block the action at the process level.


4. Recommended Management Strategy:

For proactive enforcement, it is recommended to supplement Cortex XDR with administrative tools designed for application-layer control:

  • Windows: Use Group Policy Objects (GPO) to configure the Extension Install Blocklist or Allowlist for Chrome and Edge.

  • macOS: Use Mobile Device Management (MDM) profiles to push browser configuration payloads.

  • Enterprise Browsers: Consider solutions such as Prisma Access Browser, which provide granular application-layer visibility into extension environments.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".


Thanks & Regards,
S. Subashkar Sekar
