Query Details

MDE Local AI Agents

Query

# MDE - Local AI Agents Inventory

![KQL](https://img.shields.io/badge/language-KQL-blue.svg)
![Status: Testing](https://img.shields.io/badge/status-testing-blue.svg)

## Query Information

### Description

These KQL queries inventory local AI agents detected by Microsoft Defender for Endpoint using the `AgentsInfo` table. The queries surface which devices have local AI agents installed and, conversely, which AI agents are present across how many devices, helping identify the spread and distribution of local AI agent deployments in your environment.

### Author

- **Alex Verboon**

## KQL Query

Devices with Local AI Agents

```kql
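AgentsInfo
// Keep only records for local AI agents
| where Platform == @"LocalAgents"
// RawAgentInfo is JSON; the device details sit under localAgentMetadata
| extend AgentInfo = parse_json(RawAgentInfo).localAgentMetadata
| where isnotempty(AgentInfo)
| extend DeviceName = tostring(AgentInfo.deviceName)
// One row per device: the distinct agents found on it (dcount accuracy level 4)
| summarize Agents = make_set(Name), TotalAgents = dcount(Name, 4) by DeviceName
| project DeviceName, TotalAgents, Agents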
```

AI Agents and total devices

```kql
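AgentsInfo
// Keep only records for local AI agents
| where Platform == @"LocalAgents"
// RawAgentInfo is JSON; the device details sit under localAgentMetadata
| extend AgentInfo = parse_json(RawAgentInfo).localAgentMetadata
| where isnotempty(AgentInfo)
| extend DeviceName = tostring(AgentInfo.deviceName)
// One row per agent: the distinct devices it was found on (dcount accuracy level 4)
| summarize Devices = make_set(DeviceName), TotalDevices = dcount(DeviceName, 4) by Name
| project Agent = Name, TotalDevices, Devices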
```

Explanation

This KQL query set is designed to analyze and inventory local AI agents detected by Microsoft Defender for Endpoint. It uses the AgentsInfo table to provide insights into which devices have local AI agents installed and how these agents are distributed across devices in your environment. Here's a simple breakdown of the two queries:

  1. Devices with Local AI Agents:

    • This query identifies devices that have local AI agents installed.
    • It filters the data to only include entries where the platform is "LocalAgents."
    • It extracts and parses the agent information from the raw data.
    • It then groups the data by device name, listing all AI agents found on each device and counting the total number of different agents per device.
    • The result shows each device's name, the total number of AI agents on it, and the list of those agents.
  2. AI Agents and Total Devices:

    • This query focuses on the AI agents themselves and how many devices each agent is installed on.
    • Similar to the first query, it filters for "LocalAgents" and extracts the relevant agent information.
    • It groups the data by agent name, listing all devices where each agent is installed and counting the total number of devices per agent.
    • The result displays each agent's name, the total number of devices it is installed on, and the list of those devices.

Overall, these queries help you understand the distribution and prevalence of local AI agents across devices in your network.
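The following is an added example, not one of the author's queries. It goes one step beyond the inventory by keeping only agents seen on very few devices, which is usually where review of an unexpected local agent starts. `SampleAgentsInfo`, `MaxDevices`, the agent names and the device names are constructed for illustration; only the columns used by the queries above (`Platform`, `Name`, `RawAgentInfo`) are modelled, so the query runs without access to the real table.

```kql
// Constructed sample rows standing in for AgentsInfo (not real telemetry).
// Row 4 repeats an agent/device pair, row 6 has no localAgentMetadata,
// and row 7 belongs to a different platform.
let SampleAgentsInfo = datatable(Platform:string, Name:string, RawAgentInfo:string)
[
    "LocalAgents",   "agent-a", '{"localAgentMetadata":{"deviceName":"pc-01"}}',
    "LocalAgents",   "agent-a", '{"localAgentMetadata":{"deviceName":"pc-02"}}',
    "LocalAgents",   "agent-a", '{"localAgentMetadata":{"deviceName":"pc-03"}}',
    "LocalAgents",   "agent-a", '{"localAgentMetadata":{"deviceName":"pc-01"}}',
    "LocalAgents",   "agent-b", '{"localAgentMetadata":{"deviceName":"pc-02"}}',
    "LocalAgents",   "agent-c", '{}',
    "OtherPlatform", "agent-d", '{"localAgentMetadata":{"deviceName":"pc-04"}}'
];
// Assumed threshold: an agent on this many devices or fewer is reported.
let MaxDevices = 1;
// Same filtering and parsing steps as the two inventory queries.
let Parsed = SampleAgentsInfo
    | where Platform == "LocalAgents"
    | extend AgentInfo = parse_json(RawAgentInfo).localAgentMetadata
    | where isnotempty(AgentInfo)
    | extend DeviceName = tostring(AgentInfo.deviceName)
    // Drop rows where the metadata exists but carries no device name.
    | where isnotempty(DeviceName);
Parsed
// Repeated agent/device records collapse: both aggregates count distinct values.
| summarize TotalDevices = dcount(DeviceName, 4), Devices = make_set(DeviceName) by Agent = Name
| where TotalDevices <= MaxDevices
| order by TotalDevices asc, Agent asc
```

To run it against live data, replace `SampleAgentsInfo` with `AgentsInfo` and set `MaxDevices` to suit the size of the environment.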

Details

Alex Verboon

Released: June 12, 2026

Tables

AgentsInfo

Keywords

Devices

Operators

where, extend, parse_json, isnotempty, tostring, summarize, make_set, dcount, project
