Overview
Devices running Blumira Agent send logs of remote activity on Windows, Mac, and Linux endpoints to Blumira for detection and response. With Blumira Agent, Blumira receives event logs directly through the cloud from the remote endpoint. Additionally, Blumira Agent allows you to temporarily isolate a suspicious or vulnerable host while you determine the next steps in a detection event.
Reference: To learn how to configure Blumira Agent, see Installing Blumira Agent on remote devices.
After installing Blumira Agent on your devices, the agent continues to run and collect logs from each device until you remove the agent in the app. Devices that go offline also continue to run the agent and backlog log data locally, as long as the device is not shut down, so logs are not lost during a temporary loss of connectivity.
Reference: See How agent and host status impact remote logging with Blumira Agent for more details.
Viewing an agent device's details
To view information about a device, do the following:
- In the app, navigate to Blumira Agent > Devices.
- (Optional) Narrow the table results by clicking the quick filters or using the search box at the top of the page.
- Review the list of devices included in the table along with the following details:
- Hostname
- Online or offline status
- Platform type
- Isolation status
- Exclusion from automated host isolation (XDR only)
- Last modified date, which is the time of last online/offline status change or isolation change
- Key name to identify which installation key was used to install the agent on the device
- Click the row of a device to open the Device details window, which includes additional information such as the following:
- IP address
- MAC address
- Date first seen
From the Device details window, you can do the following:
- View the device’s logs in Report Builder. The report defaults to the last 7 days of logs collected from the device.
- Go to a list of unresolved findings that are associated with logs from the device.
- Isolate the device from your network and see a history of all isolation events for the device in the Activity log tab.
- Check the last time the device checked in (appeared as online) or was isolated or de-isolated.
- Delete the agent service and stop running Blumira Agent on the endpoint.
Removing agent devices from Blumira
Required: You must be a Blumira Administrator or Manager to edit or remove agent devices.
When you no longer need to receive logs from a device that is running Blumira Agent, you can remove the agent from Blumira to stop logging and detections for the device. When you do this, existing logs that the agent previously sent to Blumira remain available for the standard data retention timeframe. How you remove Blumira Agent depends on whether you want to remove it from an individual device or an entire group of devices.
Important: If the device is online, do not uninstall the agent from the device directly. Instead, use the Blumira app to remove the agent when you no longer need it to ensure it is properly removed from both Blumira and the device.
To remove Blumira Agent from a device:
- On the Devices page, click the row of the device that you want to remove.
- In the actions menu, click Delete agent.
- In the confirmation window, click Remove this device.
If a device is offline and will not be coming back online, such as when it has been lost or deprovisioned, follow the steps in Uninstalling Blumira Agent from a device that is not connected.
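The Devices table fields described above (hostname, online/offline status, platform, isolation status, exclusion from automated host isolation, last modified date, and installation key name) are enough to audit the agent inventory for hygiene: offline devices whose status has not changed in a long time are candidates for the disconnected-device uninstall procedure, isolated hosts should have an owner following up, and exclusions from automated isolation should be reviewed deliberately. The script below is an added example, not part of this article or of Blumira's own tooling. It assumes a CSV export with one column per table field (the column names and the sample rows are constructed for illustration; the "last modified" value for an offline device is taken, per the field's definition above, as the time it went offline).

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. Column names are an assumption that mirrors the
# Devices table; this is not a real Blumira export format.
SAMPLE_DEVICES_CSV = """hostname,status,platform,isolated,excluded_from_auto_isolation,last_modified,key_name
fin-laptop-01,online,windows,no,no,2024-05-01T09:12:00Z,corp-laptops
fin-laptop-02,offline,windows,no,no,2024-02-10T17:40:00Z,corp-laptops
ops-mac-07,offline,mac,no,yes,2024-04-28T08:05:00Z,it-staff
web-build-03,online,linux,yes,no,2024-04-30T22:15:00Z,build-servers
old-kiosk-11,offline,windows,yes,no,2024-01-03T11:00:00Z,legacy-kiosks
"""


def parse_devices(text):
    """Parse the CSV export into dicts, converting last_modified to an aware datetime."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_modified"] = datetime.strptime(
            row["last_modified"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        devices.append(row)
    return devices


def triage_devices(devices, now, stale_days=30):
    """Group devices into review buckets.

    stale_offline: offline, and the last status change (i.e. going offline) is older
                   than stale_days; candidates for removal via the disconnected-device
                   uninstall procedure if the hardware is not expected back.
    isolated:      currently isolated from the network; someone should own the follow-up.
    excluded:      excluded from automated host isolation (XDR); each should be a
                   deliberate decision, so list them for periodic review.
    """
    cutoff = now - timedelta(days=stale_days)
    report = {"stale_offline": [], "isolated": [], "excluded": []}
    for d in devices:
        if d["status"] == "offline" and d["last_modified"] < cutoff:
            report["stale_offline"].append(d["hostname"])
        if d["isolated"] == "yes":
            report["isolated"].append(d["hostname"])
        if d["excluded_from_auto_isolation"] == "yes":
            report["excluded"].append(d["hostname"])
    return report


def devices_per_key(devices):
    """Count devices by installation key, to spot keys that should be retired or rotated."""
    counts = {}
    for d in devices:
        counts[d["key_name"]] = counts.get(d["key_name"], 0) + 1
    return counts


if __name__ == "__main__":
    inventory = parse_devices(SAMPLE_DEVICES_CSV)
    # Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)
    for bucket, hosts in triage_devices(inventory, now).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
    print("devices per installation key:", devices_per_key(inventory))
```

The staleness threshold is a policy choice rather than a hard rule: an offline device may simply be powered off and will backlog and forward its logs when it comes back, so only remove agents for hosts you know are lost or deprovisioned, and do so through the app (or the disconnected-device procedure) rather than by uninstalling locally.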