Orphaned Security Agent Detection
Query
AgentsInfo
| summarize arg_max(Timestamp, *) by AgentId
| where PublishedStatus == "Published"
| where Platform != "LocalAgents"
| mv-expand Owner = Owners
| extend OwnerObjectId = tolower(tostring(Owner.id))
| where isnotempty(OwnerObjectId)
| join kind=leftanti (
IdentityInfo
| summarize arg_max(Timestamp, *) by AccountObjectId
| extend AccountObjectId = tolower(tostring(AccountObjectId))
) on $left.OwnerObjectId == $right.AccountObjectId
| distinct AgentId, AgentName = Name, OwnerObjectId, Platform, LifecycleStatusAbout this query
Orphaned Security Agent Detection
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|
Description
Detects security agents that are in a 'Published' status but lack an associated valid identity or owner in the IdentityInfo dataset. This identifies unmanaged or orphaned agents that may have been decommissioned, misconfigured, or potentially represent unauthorized infrastructure.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to identify "orphaned" security agents within a system. These are agents that are marked as "Published" but do not have a valid owner or identity associated with them in the IdentityInfo dataset. This situation can occur if the agents have been decommissioned, misconfigured, or are potentially unauthorized.
Here's a breakdown of what the query does:
-
Data Source: It starts by pulling data from the
AgentsInfotable, which contains information about security agents. -
Latest Record Selection: It selects the most recent record for each agent using the
arg_maxfunction, which helps in getting the latest status of each agent byAgentId. -
Filter Conditions:
- It filters agents that have a
PublishedStatusof "Published". - It excludes agents that are on the "LocalAgents" platform.
- It filters agents that have a
-
Owner Expansion: It expands the list of owners for each agent and converts the owner ID to lowercase for consistency.
-
Join Operation:
- It performs a left anti join with the
IdentityInfotable to find agents whose owner IDs do not match any account IDs in theIdentityInfodataset. This step identifies agents without a valid owner.
- It performs a left anti join with the
-
Result Selection: Finally, it selects distinct records of orphaned agents, including their
AgentId,AgentName,OwnerObjectId,Platform, andLifecycleStatus.
In simple terms, this query helps in detecting security agents that are active but not properly managed or owned, which could be a security risk.
Details

Benjamin Zulliger
Released: July 6, 2026
Tables
Keywords
Operators