Tools & Agents
The Tools & Agents view shows analytics on how tools and agents are being used across your organization. Use it to understand your MCP server footprint, identify overused or anomalous tools, and track agent deployment coverage.
Navigate to Highflame Studio → Observatory → Tools & Agents.
Tool usage analytics
The tool usage panel shows aggregate statistics on tool invocations across all agent sessions:
Total calls: Number of tool calls in the selected time range
Unique tools: Number of distinct tools called
Success rate: Fraction of tool calls that completed without error
Block rate: Fraction of tool calls blocked by a guardrail or gateway policy
P50 / P95 latency: Tool call latency percentiles
Top tools
A ranked list of tools by call volume, with per-tool breakdown of success rate, block rate, and average latency. Click any tool to filter the event table below to calls for that tool.
Tool category distribution
A breakdown of tool calls by category (file system, web search, code execution, database, external API, MCP). This helps identify whether your agents are concentrating usage in high-risk categories.
MCP server visibility
If you are using the Agent Gateway with MCP routing, the MCP panel shows:
MCP server: The MCP server name and endpoint
Tools exposed: Number of tools registered on this server
Calls (7d): Total calls routed to this server in the past 7 days
Agents using: Number of distinct agents that have called tools on this server
Policy: The credential and access policy applied to this server
Status: Whether the server is active and reachable
Click any MCP server to see its full tool list and call history.
Agent inventory
The agent panel lists all agent identities that have been active in the selected time range:
Agent ID: The ZeroID agent identity
Display name: Human-readable name from the ZeroID registration
Sessions (7d): Number of sessions in the past 7 days
Tool calls (7d): Total tool invocations
Unique tools: Number of distinct tools the agent has called
Violations (7d): Threat events associated with this agent
Evasion rate: Fraction of events that were blocked vs. total (higher = more aggressive agent)
Products: Which Highflame products have observed this agent
Risk score: UEBA-derived composite risk score
Last seen: Most recent activity timestamp
The evasion rate and product breadth (number of distinct products the agent has been seen across) are the two strongest UEBA signals for identifying agents behaving anomalously. An agent with a high evasion rate is generating a disproportionate number of blocks relative to its peers. An agent appearing across many products in a short window may indicate credential reuse or identity spoofing.
Agents with elevated risk scores or high violation counts are highlighted. Click any agent to filter the Threats and Sessions views to that agent.
Anomaly detection
Observatory continuously monitors tool and agent behavior for anomalies relative to each entity's baseline. The baseline is computed from a rolling 7-day window using z-score analysis — the same method used by the detector drift heatmap in Command Center.
Anomaly types:
New tool access — an agent calls a tool it has not used before
Unusual call volume — a tool is called significantly more than its baseline rate (z-score flagged)
New destination — a tool makes an outbound call to a domain not seen before
Off-hours activity — an agent is active outside its normal operating hours
Cross-agent reuse — the same credential or session token is observed across multiple agent identities
IDE shift — an agent that normally runs in one IDE is suddenly active in a different one
Sudden product breadth increase — an agent accesses a new Highflame product it has not been seen in before
Anomalies surface as annotations in the tool and agent tables and as events in the Threats view with the source observatory:anomaly.
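As an added illustration (not Highflame's code), the sketch below applies a z-score against a trailing 7-day baseline to flag two of the anomaly types listed above: unusual call volume and new tool access. The 3.0 threshold, the use of population standard deviation, the function names and the sample counts are assumptions constructed for the example.

```python
from statistics import mean, pstdev

BASELINE_DAYS = 7   # rolling window length stated on the page
Z_THRESHOLD = 3.0   # assumed cut-off; the page does not give Observatory's value

def volume_zscore(history, today):
    """z-score of today's count against the trailing 7 daily counts.
    Returns None when there are fewer than 7 days of history."""
    window = history[-BASELINE_DAYS:]
    if len(window) < BASELINE_DAYS:
        return None
    mu, sigma = mean(window), pstdev(window)  # population std dev (assumption)
    if sigma == 0:
        # Flat baseline: avoid dividing by zero; any increase is an outlier.
        if today == mu:
            return 0.0
        return float("inf") if today > mu else float("-inf")
    return (today - mu) / sigma

def detect(baseline, today_calls):
    """baseline maps (agent, tool) to daily call counts, oldest first;
    today_calls maps (agent, tool) to today's count.
    Returns sorted (agent, tool, anomaly_type, z) tuples."""
    findings = []
    for (agent, tool), count in today_calls.items():
        history = baseline.get((agent, tool), [])
        if not any(history):
            # No recorded use of this tool by this agent before today.
            findings.append((agent, tool, "new_tool_access", None))
            continue
        z = volume_zscore(history, count)
        if z is not None and z > Z_THRESHOLD:
            findings.append((agent, tool, "unusual_call_volume", round(z, 1)))
    return sorted(findings, key=lambda f: f[:3])

# Constructed sample data, not real telemetry.
BASELINE = {
    ("agent-a", "web_search"): [40, 42, 38, 41, 39, 43, 40],
    ("agent-a", "file_read"): [10, 10, 10, 10, 10, 10, 10],
    ("agent-b", "web_search"): [5, 7, 6],  # under 7 days: no baseline yet
}
TODAY = {("agent-a", "web_search"): 95, ("agent-a", "file_read"): 10,
         ("agent-a", "code_exec"): 3, ("agent-b", "web_search"): 50}

if __name__ == "__main__":
    for finding in detect(BASELINE, TODAY):
        print(finding)
```

In the sample, agent-b's jump to 50 calls is not flagged because it has only three days of history, so how entities without a full baseline are treated needs an explicit decision.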