# Tools & Agents

The Tools & Agents view shows analytics on how tools and agents are being used across your organization. Use it to understand your MCP server footprint, identify overused or anomalous tools, and track agent deployment coverage.

Navigate to **Highflame Studio** → **Observatory** → **Tools & Agents**.

***

## Tool usage analytics

The tool usage panel shows aggregate statistics on tool invocations across all agent sessions:

| Metric                | Description                                                     |
| --------------------- | --------------------------------------------------------------- |
| **Total calls**       | Number of tool calls in the selected time range                 |
| **Unique tools**      | Number of distinct tools called                                 |
| **Success rate**      | Fraction of tool calls that completed without error             |
| **Block rate**        | Fraction of tool calls blocked by a guardrail or gateway policy |
| **P50 / P95 latency** | Tool call latency percentiles                                   |

### Top tools

A ranked list of tools by call volume, with per-tool breakdown of success rate, block rate, and average latency. Click any tool to filter the event table below to calls for that tool.

### Tool category distribution

A breakdown of tool calls by category (file system, web search, code execution, database, external API, MCP). This helps identify whether your agents are concentrating usage in high-risk categories.

***

## MCP server visibility

If you are using the Agent Gateway with MCP routing, the MCP panel shows:

| Column            | Description                                                     |
| ----------------- | --------------------------------------------------------------- |
| **MCP server**    | The MCP server name and endpoint                                |
| **Tools exposed** | Number of tools registered on this server                       |
| **Calls (7d)**    | Total calls routed to this server in the past 7 days            |
| **Agents using**  | Number of distinct agents that have called tools on this server |
| **Policy**        | The credential and access policy applied to this server         |
| **Status**        | Whether the server is active and reachable                      |

Click any MCP server to see its full tool list and call history.

***

## Agent inventory

The agent panel lists all agent identities that have been active in the selected time range:

| Column              | Description                                                                     |
| ------------------- | ------------------------------------------------------------------------------- |
| **Agent ID**        | The ZeroID agent identity                                                       |
| **Display name**    | Human-readable name from the ZeroID registration                                |
| **Sessions (7d)**   | Number of sessions in the past 7 days                                           |
| **Tool calls (7d)** | Total tool invocations                                                          |
| **Unique tools**    | Number of distinct tools the agent has called                                   |
| **Violations (7d)** | Threat events associated with this agent                                        |
| **Evasion rate**    | Blocked events as a fraction of total events (higher = more aggressive agent)   |
| **Products**        | Which Highflame products have observed this agent                               |
| **Risk score**      | UEBA-derived composite risk score                                               |
| **Last seen**       | Most recent activity timestamp                                                  |

The **evasion rate** and **product breadth** (number of distinct products the agent has been seen across) are the two strongest UEBA signals for identifying agents behaving anomalously. An agent with a high evasion rate is generating a disproportionate number of blocks relative to its peers. An agent appearing across many products in a short window may indicate credential reuse or identity spoofing.

Agents with elevated risk scores or high violation counts are highlighted. Click any agent to filter the Threats and Sessions views to that agent.
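To make the two signals concrete, the following added example (not Highflame code) derives evasion rate and product breadth from a constructed event list and compares each agent with its peers. The event fields, product labels, one-hour breadth window and all thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def _mk(agent, products, n, blocked_n, step_min=5):
    """Build n constructed events for one agent, the first blocked_n of them blocked."""
    t0 = datetime(2024, 5, 1, 9, 0)
    return [(agent, products[i % len(products)], t0 + timedelta(minutes=step_min * i),
             i < blocked_n) for i in range(n)]

# Constructed sample data: (agent_id, product, timestamp, blocked). Hypothetical fields.
EVENTS = (_mk("agent-a", ["prod-1"], 10, 1)
          + _mk("agent-b", ["prod-1", "prod-2"], 10, 1)
          + _mk("agent-c", ["prod-1"], 10, 6)
          + _mk("agent-d", ["prod-1", "prod-2", "prod-3", "prod-4"], 4, 0))

def agent_signals(events, breadth_window=timedelta(hours=1)):
    """Return {agent: (evasion_rate, product_breadth)}.

    product_breadth is the largest number of distinct products seen inside
    any breadth_window-long span (the window length is an assumption).
    """
    by_agent = defaultdict(list)
    for agent, product, ts, blocked in events:
        by_agent[agent].append((ts, product, blocked))
    signals = {}
    for agent, rows in by_agent.items():
        rows.sort()
        rate = sum(1 for _, _, blocked in rows if blocked) / len(rows)
        breadth = max(
            len({p for t, p, _ in rows[i:] if t - start <= breadth_window})
            for i, (start, _, _) in enumerate(rows))
        signals[agent] = (rate, breadth)
    return signals

def outliers(signals, rate_factor=3.0, min_rate=0.2, breadth_limit=3):
    """Flag agents against their peers. All three thresholds are assumed values."""
    peer_median = median(rate for rate, _ in signals.values())
    flagged = {}
    for agent, (rate, breadth) in signals.items():
        reasons = []
        if rate > max(rate_factor * peer_median, min_rate):
            reasons.append("high_evasion_rate")
        if breadth >= breadth_limit:
            reasons.append("product_breadth")
        if reasons:
            flagged[agent] = reasons
    return flagged
```

The `min_rate` floor keeps a peer median of zero from flagging every agent that has a single blocked call.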

***

## Anomaly detection

Observatory continuously monitors tool and agent behavior for anomalies relative to each entity's baseline. The baseline is computed from a rolling 7-day window using z-score analysis — the same method used by the [detector drift heatmap](/observatory/command-center.md#detector-drift-heatmap) in Command Center.

Anomaly types:

* **New tool access** — an agent calls a tool it has not used before
* **Unusual call volume** — a tool is called significantly more than its baseline rate (z-score flagged)
* **New destination** — a tool makes an outbound call to a domain not seen before
* **Off-hours activity** — an agent is active outside its normal operating hours
* **Cross-agent reuse** — the same credential or session token is observed across multiple agent identities
* **IDE shift** — an agent that normally runs in one IDE is suddenly active in a different one
* **Sudden product breadth increase** — an agent accesses a new Highflame product it has not been seen in before

Anomalies surface as annotations in the tool and agent tables and as events in the Threats view with the source `observatory:anomaly`.
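The baseline logic for two of these anomaly types, **unusual call volume** and **new tool access**, can be sketched as follows. This is an added example, not Observatory's implementation: the tool names, daily counts, the z-score threshold of 3.0 and the standard-deviation floor are assumptions, since the page does not state them.

```python
from statistics import mean, pstdev

# Constructed daily call counts per (agent, tool): seven baseline days.
HISTORY = {
    ("agent-a", "web_search"): [40, 42, 38, 41, 39, 43, 40],
    ("agent-a", "db_query"):   [5, 6, 5, 4, 6, 5, 5],
    ("agent-b", "file_read"):  [12, 12, 12, 12, 12, 12, 12],
}
# Constructed counts for the day being evaluated.
TODAY = {
    ("agent-a", "web_search"): 44,
    ("agent-a", "db_query"): 60,
    ("agent-a", "code_exec"): 3,    # no history for this pair
    ("agent-b", "file_read"): 30,
}

def zscore(baseline, value, min_sigma=1.0):
    """z-score of value against the baseline window.

    Sigma is floored at min_sigma (assumed) so a perfectly flat baseline
    does not divide by zero or turn tiny changes into huge scores.
    """
    mu = mean(baseline)
    sigma = max(pstdev(baseline), min_sigma)
    return (value - mu) / sigma

def detect(history, today, window=7, threshold=3.0):
    """Return (agent, tool, anomaly_type, z) findings for one day of counts."""
    findings = []
    for (agent, tool), count in sorted(today.items()):
        baseline = history.get((agent, tool), [])[-window:]
        if not baseline:
            # The agent has no recorded calls to this tool in the history.
            findings.append((agent, tool, "new_tool_access", None))
            continue
        z = zscore(baseline, count)
        if z > threshold:
            findings.append((agent, tool, "unusual_call_volume", round(z, 2)))
    return findings
```

With this data, `web_search` at 44 calls scores between 2 and 3 and stays below the threshold, while `db_query` and the flat `file_read` baseline are both flagged.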

