Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

Apple

Linux

Windows

ChromeOS

chrome_extensions

The chrome_extensions table maps browser extensions installed in Chromium browsers like Google Chrome, Edge, Brave, Opera, and Yandex.

Column	Type	Description
author	text	Optional extension author Only available on macOS, Windows, and Linux
browser_type	text	The browser type (Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta)
current_locale	text	Current locale supported by extension Only available on macOS, Windows, and Linux
default_locale	text	Default locale supported by extension Only available on macOS, Windows, and Linux
description	text	Extension-optional description
from_webstore	text	True if this extension was installed from the web store Only available on macOS, Windows, and Linux
identifier	text	Extension identifier, computed from its manifest. Empty in case of error.
install_time	text	Extension install time, in its original Webkit format Only available on macOS, Windows, and Linux
install_timestamp	bigint	Extension install time, converted to unix time Only available on macOS, Windows, and Linux
key	text	The extension key, from the manifest file Only available on macOS, Windows, and Linux
manifest_hash	text	The SHA256 hash of the manifest.json file Only available on macOS, Windows, and Linux
manifest_json	text	The manifest file of the extension Only available on macOS, Windows, and Linux
name	text	Extension display name
optional_permissions	text	The permissions optionally required by the extensions Only available on macOS, Windows, and Linux
optional_permissions_json	text	The JSON-encoded permissions optionally required by the extensions Only available on macOS, Windows, and Linux
path	text	Path to extension folder. Defaults to '' on ChromeOS
permissions	text	The permissions required by the extension
permissions_json	text	The JSON-encoded permissions required by the extension *Not returned in `SELECT FROM chrome_extensions`.**
persistent	integer	1 If extension is persistent across all tabs else 0 Only available on macOS, Windows, and Linux
profile	text	The name of the Chrome profile that contains this extension Only available on macOS, Windows, and Linux
profile_path	text	The profile path Only available on macOS, Windows, and Linux
referenced	bigint	1 if this extension is referenced by the Preferences file of the profile Only available on macOS, Windows, and Linux
referenced_identifier	text	Extension identifier, as specified by the preferences file. Empty if the extension is not in the profile. Only available on macOS, Windows, and Linux
state	text	1 if this extension is enabled
uid	bigint	The local user that owns the extension Only available on macOS, Windows, and Linux
update_url	text	Extension-supplied update URI
version	text	Extension-supplied version

Example

Because browser data lives in user space, this query uses a join to include a UID:

SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);

This query shows Chrome extensions that have full access to HTTPS browsing;

SELECT u.username, ce.name, ce.description, ce.version, ce.profile, ce.permissions FROM users u CROSS JOIN chrome_extensions ce USING (uid) WHERE ce.permissions LIKE '%%https://*/*%%';