Overview
Devices running Blumira Agent send logs of remote activity on the Windows platform to Blumira for detection and response. With Blumira Agent, Blumira receives event logs directly through the cloud from the remote endpoint. Additionally, Blumira Agent allows you to temporarily isolate a suspicious or vulnerable host while you determine the next steps in a detection event.
Reference: To learn how to configure Blumira Agent, see Installing Blumira Agent on remote devices.
Viewing your agent devices’ details
In Devices (Blumira Agent > Devices), you can view a complete list of all of your remote endpoints that are running Blumira Agent.
You can then click the row of an agent device to see the Device details window, where you can:
- Go to a report of the device’s logs.
- Go to a list of the device’s unresolved findings.
- Isolate the device from your network.
- Delete the agent service and stop running Blumira Agent on the endpoint.
To view your devices:
- Navigate to Blumira Agent > Devices.
- (Optional) Click the quick filters or use the search box at the top of the page to narrow the results.
- Click the row of a device to open the Device details window.
Isolating an agent device
When you need to temporarily disconnect an agent device from your network – particularly during a security incident – you can use Blumira Agent to isolate the device until you confirm that it is safe to reconnect to the network.
When you isolate an agent device, the device cannot access your network, but its logs continue to flow to Blumira for the duration of the isolation.
To manually isolate an agent device:
- Navigate to Blumira Agent > Devices.
- In the devices table, click the row of the device you want to isolate.
- In the options menu, click Switch isolation status.
Note: To learn about automated isolation in the XDR Platform Edition, see Automatically isolating a device with Blumira Agent.
Removing agent devices from Blumira
Required: You must be a Blumira Administrator or Manager to edit or remove agent devices.
When you no longer need to receive logs from a device that is running Blumira Agent, you can remove the agent from Blumira to stop logging and detections for the device. When you do this, existing logs that the agent previously sent to Blumira remain available for the standard data retention timeframe. How you remove Blumira Agent depends on whether you want to remove it from an individual device or an entire group of devices.
Warning: Do not uninstall the agent from the device directly. Only use the Blumira app to remove the agent when you no longer need it.
To remove Blumira Agent from an individual device:
- On the Devices page, click the additional actions icon in the row of the device that you want to remove.
- In the actions menu, click Delete agent.
- In the confirmation window, click Remove this device.
To remove Blumira Agent from a group of devices:
- On the Installation page, under Installation keys, click the row of the group that you want to remove.
- In the Installation key details window, click Remove installation key.
- In the confirmation window, click Remove installation key to stop Blumira Agent on all devices that use the key.