Query Details

Orphaned Security Agent Detection

Query

AgentsInfo
| summarize arg_max(Timestamp, *) by AgentId
| where PublishedStatus == "Published"
| where Platform != "LocalAgents"
| mv-expand Owner = Owners
| extend OwnerObjectId = tolower(tostring(Owner.id))
| where isnotempty(OwnerObjectId)
| join kind=leftanti (
    IdentityInfo
    | summarize arg_max(Timestamp, *) by AccountObjectId
    | extend AccountObjectId = tolower(tostring(AccountObjectId))
) on $left.OwnerObjectId == $right.AccountObjectId
| distinct AgentId, AgentName = Name, OwnerObjectId, Platform, LifecycleStatus

About this query

Orphaned Security Agent Detection

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink

Description

Detects security agents that are in a 'Published' status but lack an associated valid identity or owner in the IdentityInfo dataset. This identifies unmanaged or orphaned agents that may have been decommissioned, misconfigured, or potentially represent unauthorized infrastructure.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to identify "orphaned" security agents within a system. These are agents that are marked as "Published" but do not have a valid owner or identity associated with them in the IdentityInfo dataset. This situation can occur if the agents have been decommissioned, misconfigured, or are potentially unauthorized.

Here's a breakdown of what the query does:

  1. Data Source: It starts by pulling data from the AgentsInfo table, which contains information about security agents.

  2. Latest Record Selection: It selects the most recent record for each agent using the arg_max function, which helps in getting the latest status of each agent by AgentId.

  3. Filter Conditions:

    • It filters agents that have a PublishedStatus of "Published".
    • It excludes agents that are on the "LocalAgents" platform.
  4. Owner Expansion: It expands the list of owners for each agent and converts the owner ID to lowercase for consistency.

  5. Join Operation:

    • It performs a left anti join with the IdentityInfo table to find agents whose owner IDs do not match any account IDs in the IdentityInfo dataset. This step identifies agents without a valid owner.
  6. Result Selection: Finally, it selects distinct records of orphaned agents, including their AgentId, AgentName, OwnerObjectId, Platform, and LifecycleStatus.

In simple terms, this query helps in detecting security agents that are active but not properly managed or owned, which could be a security risk.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: July 6, 2026

Tables

AgentsInfoIdentityInfo

Keywords

AgentsInfoIdentityInfoAgentIdOwnerObjectIdPlatformLifecycleStatusAgentNameOwners

Operators

summarizearg_maxbywheremv-expandextendtolowertostringisnotemptyjoinkind=leftantiondistinct

Actions

GitHub