Chrome Extension Installed By User

Cortex XDR Analytics Alert Reference by data source

Product

Cortex XDR

Last date published

2026-05-18

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Google Workspace Audit Logs
Detection Modules	Identity Threat Module
Detector Tags	Google Workspace
ATT&CK Tactic	Initial Access (TA0001) Persistence (TA0003)
ATT&CK Technique	Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) Software Extensions: Browser Extensions (T1176.001)
Severity	Informational

Description

A Chrome extension was installed or updated by a Google Workspace user.

Attacker's Goals

Adversaries may leverage browser extensions installation to gain Initial Access and Persistence, enabling them to intercept credentials and hijack active web sessions.

Investigative actions

Review the extension installed, it's OAuth scopes, reputation and permissions.
Analyze subsequent network traffic from the user's device or browser for connections to newly registered domains.
Investigate the source IP and identity for previous malicious activity or anomalies.