06-17-2024 05:52 AM
Hi All,
Looking for an XQL query to detect extensions installed from an application's marketplace to use within the application. For example, someone installing the "github actions" extension from the Azure marketplace.
06-19-2024 06:45 AM
Hi @ShubhamT281, thanks for reaching us using the Live Community.
That could be possible if the application creates a file on disk when a new application/plugin is installed. For example, in Chrome, when an extension is installed, a file is created in a specific folder.
Then an XQL query looking for the .exe process with a file creation in the folder, like this:
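// "app.exe" stands for the process of the application that installs the extension
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
| filter actor_process_image_name = "app.exe"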
If this post answers your question, please mark it as the solution.
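The Chrome case described in the reply above, written out with a folder filter, as an added example that is not part of the original post. It assumes Windows endpoints, the process name chrome.exe, and that each installed extension writes a manifest.json under the profile's Extensions folder; the path fragments are matched loosely so the profile name does not matter.

```xql
// Added example: new Chrome extension files written by the browser process.
// Assumptions: Windows agent, chrome.exe, extensions stored under
// "...\User Data\<profile>\Extensions\<extension id>\<version>\".
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
| filter actor_process_image_name = "chrome.exe"
// One manifest.json is created per installed extension version, so matching
// on it yields roughly one row per install instead of one row per file.
| filter action_file_name = "manifest.json"
| filter action_file_path contains "User Data" and action_file_path contains "Extensions"
| fields _time, agent_hostname, actor_effective_username, action_file_path
| sort desc _time
```

The extension ID is the folder name that follows Extensions in action_file_path. The same pattern applies to any other application only if it writes extension files to a known folder on the endpoint.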
06-24-2024 04:10 AM
Hi @jmazzeo
Unfortunately, this is not the case with the extension that I am looking to search for. The extension is downloaded from the marketplace of the application and hence is not something browser related.
Is it possible to detect that via XDR?