Query the installed extensions with the most required permissions Defender XDR let PermissionInformation = DeviceTvmBrowserExtensionsKB | where IsPermissionRequired == "true" | summarize TotalPermissions = dcount(PermissionName), PermissionNames = make_set(PermissionName) by ExtensionId | where TotalPermissions > 3 // Change baseline if needed | project ExtensionId, TotalPermissions, PermissionNames; DeviceTvmBrowserExtensions | join kind=inner PermissionInformation on ExtensionId | sort by TotalPermissions | join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId | project DeviceId, DeviceName, OSPlatform) on DeviceId | project DeviceId, OSPlatform, DeviceName, BrowserName, ExtensionName, ExtensionRisk, PermissionNames, TotalPermissions