Query Details

MDE - Local AI Agents Inventory

MDE Local AI Agents

Query

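// Inventory of local AI agents per device
AgentsInfo
| where Platform == @"LocalAgents"
// RawAgentInfo is JSON; the local agent details sit under localAgentMetadata
| extend AgentInfo = parse_json(RawAgentInfo).localAgentMetadata
| where isnotempty(AgentInfo)
| extend DeviceName = tostring(AgentInfo.deviceName)
// Distinct agent names per device; dcount accuracy 4 is the most precise setting
| summarize Agents = make_set(Name), TotalAgents = dcount(Name, 4) by DeviceName
| project DeviceName, TotalAgents, Agents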

About this query

Explanation

This KQL query set is designed to inventory and analyze local AI agents detected by Microsoft Defender for Endpoint. It uses the AgentsInfo table to gather information about which devices have local AI agents installed and the distribution of these agents across devices. Here's a simple breakdown of each query:

  1. Devices with Local AI Agents:

    • This query identifies devices that have local AI agents installed.
    • It extracts and processes information from the AgentsInfo table to list each device's name, the total number of AI agents installed on it, and the names of these agents.
  2. AI Agents and Total Devices:

    • This query focuses on the AI agents themselves.
    • It determines how many devices each AI agent is installed on and lists the devices for each agent.
  3. MCP Servers:

    • This query identifies MCP (Management Control Point) servers associated with the local AI agents.
    • It extracts details such as the server name, type, and endpoint, and summarizes the devices connected to each MCP server.

Overall, these queries help in understanding the deployment and distribution of local AI agents within an organization's environment, providing insights into both device-level and agent-level inventories.
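The agent-level view described in item 2 can be sketched by grouping the same rows by agent name instead of device. This is an added example, not the author's published query; it uses only the table and fields that appear in the query above, and the ascending sort (agents seen on the fewest devices first) is an added choice for review purposes.

```kusto
// Added example: agent-centric pivot of the device inventory above
AgentsInfo
| where Platform == @"LocalAgents"
| extend AgentInfo = parse_json(RawAgentInfo).localAgentMetadata
| where isnotempty(AgentInfo)
| extend DeviceName = tostring(AgentInfo.deviceName)
// One row per agent: which devices run it, and how many
| summarize Devices = make_set(DeviceName), TotalDevices = dcount(DeviceName, 4) by Name
| project Name, TotalDevices, Devices
// Rarely deployed agents first, since those are the likeliest to be unsanctioned installs
| sort by TotalDevices asc
```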

Details


Alex Verboon

Released: June 19, 2026

Tables

AgentsInfo

Keywords

AgentsInfo, Devices, Platform, AgentInfo, DeviceName, Name, McpServers, MCP_Name, MCP_Type, MCP_Endpoint

Operators

AgentsInfo, where, extend, parse_json, isnotempty, tostring, summarize, make_set, dcount, project, mv-expand, column_ifexists
