Overview
With Blumira Agent and your customized install script, Blumira can receive event logs directly through the cloud within minutes, and without the need for a server or additional configurations. Devices running Blumira Agent (also called “agent devices”) send logs of remote activity on a Windows, Mac, or Linux operating system to Blumira for detection and response. Additionally, Blumira Agent allows you to temporarily isolate a suspicious or vulnerable host while you determine the next steps in a detection event.
Supported platforms
Blumira Agent can run on the following platforms:
- Windows XP 32-bit or higher
- x86_64 Linux distributions that use the apt or yum package manager
- all versions of macOS 10.7 and up
Before you begin
If your organization is actively blocking outbound traffic or using SSL interception, you must add the following URLs to your firewall's allowlist so that the agent can connect successfully to Blumira:
- URLs used to download the agent:
https://dl.blumira.com/agent/files/blu_agent.exe
https://dl.blumira.com/blumira_linux_agent.sh
https://dl.blumira.com/blumira_macos_agent.sh
- URL for shipping agent logs:
9157798c50af372c.lc.limacharlie.io:443
- Additional SSL Certificate Exclusion when using SSL decryption/interception:
rp_c2_dev
If you have not added the above to your allowlist and the installation of the agent fails, you can run this PowerShell command to check whether outbound traffic to the agent's log-shipping endpoint on port 443 is being blocked or intercepted:
Test-NetConnection -ComputerName "9157798c50af372c.lc.limacharlie.io" -Port 443
If the output confirms that traffic is being blocked, ensure that you add the above URLs to your firewall allowlist.
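The following PowerShell script is an added example, not part of Blumira's own tooling. It extends the single check above to every endpoint listed on this page: it tests TCP reachability of the download host and the log-shipping endpoint, then prints the subject, issuer and thumbprint of the TLS certificate each one presents, so you can see whether a decryption proxy is re-signing the certificate (the issuer will be your inspection CA rather than a public one). It assumes Test-NetConnection is available (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added diagnostic (not Blumira's script). Hostnames are taken from the page above.
$endpoints = @(
    @{ Host = 'dl.blumira.com';                     Port = 443 }   # agent download URLs
    @{ Host = '9157798c50af372c.lc.limacharlie.io'; Port = 443 }   # log shipping
)

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Deliberately accept any certificate here: the goal is to *see* what was
        # presented, including a certificate re-signed by an interception CA.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList `
            $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    } finally {
        $client.Close()
    }
}

foreach ($e in $endpoints) {
    $tcp = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$($e.Host):$($e.Port) is not reachable; check outbound firewall rules."
        continue
    }
    try {
        $cert = Get-RemoteTlsCertificate -HostName $e.Host -Port $e.Port
        Write-Output ("{0}:{1} reachable. Subject={2} Issuer={3} Thumbprint={4}" -f `
            $e.Host, $e.Port, $cert.Subject, $cert.Issuer, $cert.Thumbprint)
        # If the issuer is your own proxy or inspection CA, the connection is being
        # intercepted: add the exclusions listed above before installing the agent.
    } catch {
        Write-Warning "$($e.Host):$($e.Port) connected but the TLS handshake failed: $($_.Exception.Message)"
    }
}
```

Run it from an elevated PowerShell prompt on a representative endpoint before rolling the agent out, and compare the printed issuers against the certificate your proxy uses for decryption.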
Installing the agent
Required: You must be a Blumira Administrator or Manager to generate installation keys and scripts for Blumira Agent.
Blumira’s agent installation scripts provide you with a simple process for installing and running Blumira Agent on your remote devices. Obtain a custom script in-app, then run the agent install script in an elevated command prompt.
You can create separate scripts with different installation keys, which is helpful if you manage multiple devices as a group. How many keys you create depends on whether you want to manage the devices as one group for your entire organization or segment your agent deployment using multiple keys.
Notes:
- If NXLog or Sysmon is found on the device, the Poshim script removes it because it is not required for Blumira Agent and Windows endpoint logging. However, NXLog and Sysmon are included in the Poshim script when integrating with Windows machines that do not run Blumira Agent.
- If your devices are using Threatlocker, ensure that you properly allow application installation before running the script; otherwise, Threatlocker will stop it from completing successfully. See Threatlocker's instructions in Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool.
To create and gather a new installation script:
- Navigate to Blumira Agent > Installation.
- Under Generate agent installation script, click Select installation key.
- If you already have an installation key in the app, select the installation key from the options; otherwise, click Create new installation key then type a description and the number of devices on which you will install Blumira Agent using the new key.
- Under Select platform, select the OS platform you plan to install the agent on.
- Click Copy to copy the custom installation script that appears in the box.
To run the script directly on the device, complete the following steps according to the platform selected:
Platform | Steps |
--- | --- |
Windows | On a Windows device, paste the agent installation script into an elevated PowerShell prompt and press Enter. The script will perform all installation steps automatically. Note: You must be a Windows administrator to run the installation script in PowerShell. |
Linux | On a Linux device, paste the agent installation script into your Linux terminal and press Enter. The script will perform all installation steps automatically. |
Mac | On a Mac device, complete the following as sudo or with root privileges: Note: You can deploy the agent to your Mac devices using an MDM solution by referencing LimaCharlie's example configurations and preferences for silent installation in macOS Sensor Installation - MDM Configuration Profiles. |
Verifying that Blumira Agent is connected
To verify that Blumira Agent is installed and connected to Blumira, do the following:
- In the Blumira app, navigate to Blumira Agent > Devices.
- In the Devices table, find the row for the newly added agent device.
- In the Agent status column, verify that the device is “Online”.
If you do not see the device connected to Blumira, you can verify whether the agent is running on the device by doing one of the following:
Platform | Steps |
--- | --- |
Windows | Open Task Manager and search for the file or service using any of the following methods: |
Mac | Find and run the app RPHCP from the Applications folder. A message will appear to confirm whether the required permissions have been granted. |
Linux | In the Linux terminal, run this command: sudo systemctl status blumira_agent |
Using Logmira for additional logging
In addition to the logs that are enabled by default in Windows, Blumira recommends deploying Logmira, our group policy object (GPO) template for advanced logging. This GPO enables about 100 additional types of Windows logs, enhancing our detection and logging capabilities.
Reference: Advanced Microsoft Windows logging with Logmira GPO template