Overview
Devices running Blumira Agent send logs of remote activity on Windows, Mac, and Linux endpoints to Blumira for detection and response. With Blumira Agent, Blumira receives event logs directly through the cloud from the remote endpoint. Additionally, Blumira Agent allows you to temporarily isolate a suspicious or vulnerable host while you determine the next steps in a detection event.
Reference: To learn how to configure Blumira Agent, see Installing Blumira Agent on remote devices.
After installing Blumira Agent on your devices, the agent continues to run and collect logs from each device until you manually remove the agent via the app. Devices that go offline also continue to run the agent and queue log data locally for as long as the device is not shut down.
Reference: See How agent and host status impact remote logging with Blumira Agent for more details.
Viewing your agent devices’ details
To view your agent devices:
- Navigate to Blumira Agent > Devices.
- (Optional) Click the quick filters or use the search box at the top of the page to narrow the results.
- Click the row of a device to open the Device details window.
After opening the Device details window, you can do the following:
- Go to a report of the device’s logs.
- Go to a list of the device’s unresolved findings.
- Isolate the device from your network and see a history of all isolation events for the device in the Activity log tab.
- Delete the agent service and stop running Blumira Agent on the endpoint.
Isolating an agent device
When you need to temporarily disconnect an agent device from your network – particularly during a security incident – you can use Blumira Agent to isolate the device until you confirm that it is safe to reconnect to the network.
When you isolate an agent device, logs continue to flow from the isolated device to Blumira for the duration of the isolation, but the device cannot access your network.
To manually isolate an agent device:
- Navigate to Blumira Agent > Devices.
- In the devices table, click the row of the device you want to isolate.
- In the options menu, click Device details.
- In the Device details window, select Isolated (Block outgoing network traffic except to Blumira).
- Click Save changes.
Note: To learn about automating isolation with XDR Platform Edition, see Automatically isolating a device with Blumira Agent.
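Because isolation is meant to block everything except the path to Blumira while logs keep flowing, a practitioner usually wants to confirm both halves from the endpoint itself after clicking Save changes. The following Python script is an added example written for this article; it is not Blumira's code and does not describe how the agent enforces isolation. It probes a list of (host, port) targets over TCP and reports whether the observed reachability matches an allow-list of the one destination that should still be reachable. The collector address in ALLOWED is a constructed placeholder, and demo_on_loopback() substitutes two loopback ports (one listening, one closed) for the collector and an internal server so the check can be exercised offline.

```python
import socket

# Constructed placeholder for the single destination an isolated host may
# still reach (the Blumira collector). Replace with the real endpoint; this
# hostname is not a documented Blumira address.
ALLOWED = {("collector.example.invalid", 443)}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_reachability(targets, timeout=2.0):
    """Probe every (host, port) pair and return {target: reachable}."""
    return {t: tcp_reachable(t[0], t[1], timeout) for t in targets}


def isolation_holds(results, allowed):
    """Isolation holds when nothing outside the allow-list is reachable and
    every probed allow-listed target (the log path) is still reachable."""
    for target, reachable in results.items():
        if reachable and target not in allowed:
            return False      # a blocked destination leaked through
        if not reachable and target in allowed:
            return False      # the log path itself is cut, which is not intended
    return True


def demo_on_loopback():
    """Offline demonstration: a loopback listener stands in for the collector
    and a closed loopback port stands in for an internal server that isolation
    must block. Returns (verdict, per-target results)."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        collector = ("127.0.0.1", srv.getsockname()[1])
        # Reserve a port, then release it so connections to it are refused.
        with socket.socket() as tmp:
            tmp.bind(("127.0.0.1", 0))
            internal = ("127.0.0.1", tmp.getsockname()[1])
        results = check_reachability([collector, internal], timeout=1.0)
        return isolation_holds(results, {collector}), results


if __name__ == "__main__":
    ok, results = demo_on_loopback()
    for target, reachable in results.items():
        print(f"{target[0]}:{target[1]} reachable={reachable}")
    print("isolation holds" if ok else "isolation NOT confirmed")
```

On a real host, replace ALLOWED with the collector endpoint and pass check_reachability() a handful of internal destinations (a file server, a domain controller, a management port) that the isolated device should no longer reach; a False verdict on the allow-listed entry means the log path is blocked and the isolation history in the Activity log tab should be checked before trusting the detection data.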
Removing agent devices from Blumira
Required: You must be a Blumira Administrator or Manager to edit or remove agent devices.
When you no longer need to receive logs from a device that is running Blumira Agent, you can remove the agent from Blumira to stop logging and detections for the device. When you do this, existing logs that the agent previously sent to Blumira remain available for the standard data retention timeframe. How you remove Blumira Agent depends on whether you want to remove it from an individual device or an entire group of devices.
Important: Do not uninstall the agent from the device directly. Only use the Blumira app to remove the agent when you no longer need it.
To remove Blumira Agent from a device:
- On the Devices page, click the additional actions icon in the row of the device that you want to remove.
- In the actions menu, click Delete agent.
- In the confirmation window, click Remove this device.