A Chrome extension that detects the alert title on the page you're looking at, identifies the source (CrowdStrike Falcon, Azure Sentinel, Microsoft Defender, or a Halo ticket carrying a Splunk alert via the Halo Integrator), and serves your saved investigation queries for that alert. If no query exists yet, you save one and it's served automatically next time.
Note: Direct Splunk console support was removed because alert-title detection isn't reliable inside the Splunk alert UI. Splunk alerts that arrive in Halo via the Halo Integrator are fully supported through the `halo::` source.
Stop fishing for the right KQL / FQL / SPL every time the same alert lands. Build your own playbook library, locally, keyed to the alert title in whichever tool you happen to be looking at.
- Download / unzip this folder somewhere stable on disk.
- Open `chrome://extensions` in Chrome (or Edge).
- Toggle Developer mode on (top right).
- Click Load unpacked and point it at this folder.
- Pin the extension from the puzzle icon for one-click access.
- Open an alert detail page in a supported tool.
- Click the extension icon. It will:
- Identify the source from the URL.
- Parse the alert title from the DOM.
- Look up `<source>::<normalized-title>` in local storage.
- If queries exist for that alert, you see them with one-click COPY. If not, click Add query to create the first one.
Standard Chrome popups close the moment you click anywhere else. To keep the helper open while you pivot from an alert into Advanced Hunting / event view, click DETACH in the top bar. The UI re-opens as a standalone window that:
- Stays open until you close it.
- Is sticky: once an alert is detected, the alert title and queries stay visible no matter where you navigate, so you can copy the query into Advanced Hunting (or anywhere else) without losing context. A PINNED indicator next to the rescan link makes this obvious.
- The SOURCE row shows which tab the detection was taken from.
- When you want to update to a different alert, click rescan and it will re-detect against whichever normal browser tab is currently focused.
Position the window on a second monitor or off to the side. It does not steal focus from your other browser tabs.
- Titles are normalised before storage: leading emoji / symbols are stripped, and trailing rule mode tags like `(Live)`, `(Test)`, `[Production]` are removed. This means an alert called `Multiple failed user log on attempts to an app (Live)` matches `Multiple failed user log on attempts to an app (Test)` in storage. The display still shows the full original.
- The storage key is namespaced by source (`crowdstrike::...`, `halo::...`, `sentinel::...`, `defender::...`) so identical titles across products do not collide.
- If detection picks the wrong heading, click edit title in the popup, paste or correct the title, choose the source, hit Apply. The corrected title is what gets stored.
Inside queries, use double-curly placeholders for entities the analyst must fill in at triage time:
```
index=auth EventID=4625
| where user="{{USER}}" AND src_ip="{{IP}}"
| stats count by host, user
```
Supported chips in the editor: {{USER}}, {{EMAIL}}, {{HOST}}, {{IP}},
{{URL}}, {{DOMAIN}}, {{HASH}}, {{FILE}}, {{PROCESS}},
{{NETMSGID}}, {{TIME}}. You can also type any uppercase token yourself,
e.g. {{SUBJECT}}, {{PORT}}, {{SENDER}}; the editor highlights every
{{...}} token regardless of whether there is a chip for it.
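How placeholder tokens can be found and filled at triage time, as an added example that is not the extension's own code (the token grammar, the `fillPlaceholders` / `extractPlaceholders` names and the backslash escaping rule are assumptions; escaping conventions differ between SPL and KQL):

```javascript
// Added example (not the extension's own popup.js): find the {{TOKEN}}
// placeholders in a saved query and fill them with the analyst's entities.
// Assumptions: the token grammar (uppercase, digits, underscores) and the
// escaping rule for values are mine, not the extension's.

// Any uppercase token is allowed, matching the README's "any uppercase token".
const PLACEHOLDER = /\{\{([A-Z][A-Z0-9_]*)\}\}/g;

// Unique placeholder names in order of first appearance.
function extractPlaceholders(query) {
  const seen = new Set();
  for (const m of String(query).matchAll(PLACEHOLDER)) seen.add(m[1]);
  return [...seen];
}

// Values land inside a double-quoted literal in the saved query, so a value
// containing a backslash or double quote must not be able to close the
// literal. (Assumption: backslash escaping is what the target console expects.)
function escapeValue(value) {
  return String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Fill what we can and report what is still missing, rather than silently
// handing the analyst a query with an unfilled {{IP}} in it.
function fillPlaceholders(query, values) {
  const missing = [];
  const filled = String(query).replace(PLACEHOLDER, (whole, name) => {
    const v = values[name];
    if (v === undefined || v === null || v === "") {
      if (!missing.includes(name)) missing.push(name);
      return whole; // leave the token visible so it is obvious in the copy
    }
    return escapeValue(v);
  });
  return { query: filled, missing };
}

// Constructed sample: the README's own query, used as input below.
const SAMPLE_QUERY = [
  "index=auth EventID=4625",
  '| where user="{{USER}}" AND src_ip="{{IP}}"',
  "| stats count by host, user",
].join("\n");
```

Wiring `extractPlaceholders` to the COPY button lets the UI prompt for exactly the entities a query needs, and checking `missing` before copying prevents a half-filled query from reaching the clipboard.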
One alert can hold several queries (e.g. Triage, Deep dive, User context, Last 24h on this host). The label is shown at the top of each card.
- EXPORT downloads your full library as JSON. Share it with the team or back it up.
- IMPORT merges a JSON file into your existing library. On key conflict, query entries are de-duplicated by `label + query`, so re-importing is safe.
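The merge-on-import rule, as an added example that is not the extension's own code (the library shape below and the `mergeLibrary` name are assumptions; the shipped JSON format may differ):

```javascript
// Added example (not the extension's own popup.js): merge an imported JSON
// library into the existing one, de-duplicating queries by label + query.
// Assumption: the library shape is mine. It is taken to be
//   { "<source>::<normalized-title>": { title: "...", queries: [{ label, query }] } }

function mergeLibrary(existing, imported) {
  // Never mutate the caller's objects; build and return a fresh library.
  const out = {};
  for (const [key, entry] of Object.entries(existing)) {
    out[key] = { title: entry.title, queries: entry.queries.map((q) => ({ ...q })) };
  }

  let added = 0;
  for (const [key, entry] of Object.entries(imported)) {
    // Imported files are untrusted input: skip anything not shaped like an entry.
    if (!key.includes("::")) continue;
    if (!entry || !Array.isArray(entry.queries)) continue;

    const target = out[key] ?? (out[key] = { title: entry.title ?? key, queries: [] });
    // NUL separator so "ab"+"c" and "a"+"bc" cannot collide as signatures.
    const seen = new Set(target.queries.map((q) => q.label + "\u0000" + q.query));

    for (const q of entry.queries) {
      if (!q || typeof q.label !== "string" || typeof q.query !== "string") continue;
      const sig = q.label + "\u0000" + q.query;
      if (seen.has(sig)) continue; // identical label + query already present
      seen.add(sig);
      target.queries.push({ label: q.label, query: q.query });
      added++;
    }
  }
  return { library: out, added };
}

// Constructed sample data for a quick run.
const EXISTING = {
  "halo::multiple failed user log on attempts to an app": {
    title: "Multiple failed user log on attempts to an app (Live)",
    queries: [{ label: "Triage", query: "index=auth EventID=4625 | stats count by user" }],
  },
};
const IMPORTED = {
  "halo::multiple failed user log on attempts to an app": {
    title: "Multiple failed user log on attempts to an app (Test)",
    queries: [
      { label: "Triage", query: "index=auth EventID=4625 | stats count by user" },
      { label: "Deep dive", query: "index=auth EventID=4625 user={{USER}} | table _time host" },
    ],
  },
  "defender::suspicious powershell": {
    title: "Suspicious PowerShell",
    queries: [{ label: "Triage", query: "DeviceProcessEvents | where FileName == 'powershell.exe'" }],
  },
  "not-a-valid-key": { queries: "garbage" },
};
```

Because the signature is `label + query`, importing the same file twice adds nothing the second time, which is what makes sharing and re-importing a team library safe.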
The extension covers two categories: SIEMs (where alerts are read in their native console) and ticketing systems that carry SIEM alerts through to analysts (currently Halo PSA, where the Halo Integrator surfaces Splunk alerts as tickets).
| Platform | Type | Hostname pattern |
|---|---|---|
| CrowdStrike Falcon | SIEM | *.crowdstrike.com |
| Azure Sentinel | SIEM | portal.azure.com |
| Microsoft Defender | SIEM | security.microsoft.com |
| Halo PSA | Ticketing (Splunk alerts) | *.halopsa.com |
Halo support is for tenants where Splunk alerts are delivered into Halo
tickets via the Halo Integrator. The helper reads the ticket title from the
structured read-value field, strips the `Splunk Alert: ... Alert -` wrapper
that the Integrator adds, and stores queries under a `halo::` key. So an
alert read in Halo with its corresponding Splunk SPL saved against it works
seamlessly: click DETACH, copy the SPL, pivot to Splunk, run it; the helper
stays pinned on the Halo ticket throughout.
For any other page you can still use the addon by clicking edit title and
selecting Other.
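Identifying the source from the tab URL with the hostname patterns in the table above, as an added example that is not the extension's own code (the `identifySource` and `hostMatches` names and the matching logic are assumptions; the source names are the storage-key prefixes the README lists):

```javascript
// Added example (not the extension's own popup.js): decide which platform a
// tab belongs to from its URL, using the hostname patterns in the README.
// Assumption: the matching logic is mine; source names follow the README.

// Hostname patterns from the README table. A leading "*." means "any
// subdomain of" (and, like a Chrome host permission, the apex itself).
const PLATFORMS = [
  { source: "crowdstrike", pattern: "*.crowdstrike.com" },
  { source: "sentinel",    pattern: "portal.azure.com" },
  { source: "defender",    pattern: "security.microsoft.com" },
  { source: "halo",        pattern: "*.halopsa.com" },
];

// Exact host or a proper subdomain, never a substring match:
// "portal.azure.com.evil.test" and "notportal.azure.com" must not match,
// or the detector would happily be injected into an unrelated page.
function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === pattern;
}

// Returns the source prefix ("crowdstrike", "sentinel", ...) or null.
function identifySource(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }   // not a URL at all
  if (u.protocol !== "https:") return null;               // consoles are HTTPS-only
  const host = u.hostname.toLowerCase();
  const hit = PLATFORMS.find((p) => hostMatches(host, p.pattern));
  return hit ? hit.source : null;
}
```

Calling `identifySource(tab.url)` before injecting the detector, and treating `null` as "show the edit title / Other path instead", keeps the injected script confined to the platforms the `host_permissions` were granted for.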
- `activeTab` and `scripting`: detector runs on the active tab when invoked.
- `tabs`: needed in detached mode to see which tab is currently focused so rescan can target the right page.
- `host_permissions` on the supported platform domains: needed so the detector can be injected into those tabs without requiring a fresh per-click gesture each time. No other sites are touched.
- `storage`: the library is kept in `chrome.storage.local`. Nothing leaves your browser. No telemetry.
```
manifest.json   Manifest v3, minimal permissions
popup.html      UI markup
popup.css       Dark-themed terminal-inspired styling
popup.js        Detection, normalisation, storage, UI
icons/          Extension icons (16/32/48/128)
```
If your tenant's UI uses non-standard markup and detection misfires, the
selectors live in `detectAlertInPage()` at the top of `popup.js`. Each
platform block has a `document.querySelectorAll(...)` you can extend with
selectors specific to your build.