Overview
Devices running Blumira Agent send logs of activity on Windows, macOS, and Linux endpoints to Blumira for detection and response. With Blumira Agent, Blumira receives event logs directly through the cloud from the remote endpoint, with no collector or VPN in the path. Additionally, in supported licenses, Blumira Agent allows you to temporarily isolate a suspicious or vulnerable host from the network while you investigate the activity and decide on next steps.
Reference: To learn how to configure Blumira Agent, see Installing Blumira Agent on remote devices.
After you install Blumira Agent on your devices, the agent continues to collect logs from each device until you remove it. Devices that lose connectivity to Blumira also continue to run the agent and queue logs locally for later delivery, as long as they are not shut down.
Reference: See How agent and host status impact remote logging with Blumira Agent for more details.
This article covers the following tasks for managing your agent devices:
- Viewing agent device details and status
- Managing agent deployment limits
- Monitoring your maximum deployable agent limit and enabling notifications
- Removing agent devices you no longer use
Viewing agent device details and status
To view information about a device that is running the Blumira Agent, do the following:
- In the app, navigate to Blumira Agent > Devices.
- (Optional) Use the quick filters or search at the top of the page to narrow the table results to a specific device.
- In the devices table, review the list of devices and the information shown, including the following:
- Device hostname
- Agent status: Online or Offline
- Platform type: Windows, Linux, or macOS
- Host isolation status: Isolated or Not isolated
- Excluded from Auto isolation: Whether the device is exempt from automated host isolation (automated host isolation is available only in XDR).
- Last modified: This is the time of the last online/offline status change or isolation change.
- Device key name
- Click a device row to open the "Device details" window, which includes additional information such as IP address, MAC address, and the date the device was first seen.
From the "Device details" window, you can do the following:
- View the device’s logs in Report Builder. The report defaults to the last 7 days of logs.
- Go to a list of unresolved findings triggered by activity collected from the device.
- Isolate the device and see a history of all isolation events for the device in the "Activity log" tab.
- Check the last time the device was online, isolated, or un-isolated.
- Delete the agent service and stop running Blumira Agent on the endpoint.
- View a list of devices on which the agent failed to install, if you used a script to install it on many devices at once.
Managing and monitoring agent limits
If you decide to install Blumira Agent on many devices at once using an automation tool, it is important to avoid installing the agent on more devices than the account is licensed to use. Blumira connects only to the number of agents licensed for the account at the time of deployment.
Caution: Using an installation key that is already at its limit will install the agent on your device, but the agent will not connect to Blumira or appear in the app. Installing Blumira Agent on a device that never connects to the app requires additional steps to remove it from the device. See Uninstalling the Blumira Agent service from a device that failed connection.
There are two different values that limit the number of devices on which you can deploy Blumira Agent:
- Maximum Deployable Agents: This is the total number of agent devices that Blumira can connect to, and it directly relates to the licensing terms for your account.
- Installation Key Device Limit: This is the total number of agent devices that can be deployed using a specific installation key.
- This value can be managed in the Installation key details window.
- If only one installation key exists in the account, the key limit should be kept equal to the Maximum Deployable Agents value.
Verifying usage versus the limit
Administrators can verify in the app how agent deployment for an account compares to its agent limit.
In Blumira Agent > Installation, two informational cards at the top of the screen display the maximum number of allowed devices next to the number currently deployed. View which devices have successfully connected to Blumira in the Blumira Agent > Devices screen.
Managing an installation key limit
When creating a new key from the Installation page, you are prompted to type a limit for that key. You can edit the value on the installation key detail screen.
When an installation key's device limit is reached:
- The installation script and installation key fields are disabled and can no longer be copied.
- If a key is at its limit and has been disabled, tooltips appear to describe why that key is currently not available to view or use.
Monitoring for failed installations and enabling notifications
When an agent fails to check in to Blumira, you will not know it has failed unless you have enabled the system notification for this condition. See how to enable the "Maximum Deployable Agent exceeded" alert in About user notifications.
If you receive a notification that your account has exceeded the deployable limit, you can either increase the agent count on your license, correct the limit of the installation key used by the script, or remove agents you do not need.
Agents that could not connect do so automatically once the deployable limit is greater than the number of devices on which the agent is installed. On the Devices page, you can see a full list and count of the endpoints that have the agent installed but cannot connect because they are over the limit.
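Because an agent installed past either limit installs but never connects, and then needs the extra uninstall steps described above, it is worth checking capacity before a scripted mass install rather than after. The following pre-flight planner is an added example and is not Blumira's own tooling: it takes the two numbers shown on the Installation page cards (Maximum Deployable Agents and the currently deployed count) plus each key's limit and current usage from the Installation key details window, and assigns a target host list to keys without overrunning either cap. Any host that does not fit is deferred, and the single-key and over-committed-key situations the page calls out are reported as warnings. All input values are constructed sample data typed in by hand; nothing here talks to the Blumira API.

```python
"""Pre-flight capacity check for a scripted Blumira Agent rollout.

Added example, not part of Blumira's product or documentation. Values for
Maximum Deployable Agents, the deployed count, and per-key limits are read
manually from the Blumira app and supplied as constructed sample numbers.
"""
from dataclasses import dataclass, field


@dataclass
class InstallKey:
    name: str   # label for the installation key (assumed, for reporting only)
    limit: int  # Installation Key Device Limit from the key details window
    used: int   # devices already enrolled with this key

    @property
    def remaining(self) -> int:
        return max(self.limit - self.used, 0)


@dataclass
class RolloutPlan:
    assignments: dict = field(default_factory=dict)  # key name -> hosts to install
    deferred: list = field(default_factory=list)     # hosts that must wait
    warnings: list = field(default_factory=list)


def plan_rollout(max_deployable: int, deployed: int,
                 keys: list, targets: list) -> RolloutPlan:
    """Assign target hosts to keys without exceeding either limit.

    Two caps apply at once: the account-wide Maximum Deployable Agents and
    each key's own device limit. Installing past either cap yields an agent
    that never connects, so hosts that do not fit are deferred, not assigned.
    """
    plan = RolloutPlan()
    account_headroom = max(max_deployable - deployed, 0)

    # Page guidance: with a single key, its limit should equal the account cap.
    if len(keys) == 1 and keys[0].limit != max_deployable:
        plan.warnings.append(
            f"single key {keys[0].name!r} has limit {keys[0].limit}, "
            f"but Maximum Deployable Agents is {max_deployable}")
    # Key limits that add up past the account cap let a key hit the account
    # cap before its own limit, so the key's count is not a safe guide.
    if sum(k.limit for k in keys) > max_deployable:
        plan.warnings.append(
            "sum of key limits exceeds Maximum Deployable Agents")

    pending = list(dict.fromkeys(targets))  # drop duplicate hostnames, keep order
    for key in keys:
        capacity = min(key.remaining, account_headroom)
        if capacity == 0:
            continue
        batch, pending = pending[:capacity], pending[capacity:]
        plan.assignments[key.name] = batch
        account_headroom -= len(batch)
    plan.deferred = pending
    return plan


if __name__ == "__main__":
    # Constructed sample: 60 licensed agents, 48 deployed, two keys, 8 targets.
    sample_keys = [InstallKey("prod-key", limit=50, used=48),
                   InstallKey("lab-key", limit=10, used=0)]
    sample_targets = [f"ws-{n:02d}" for n in range(1, 9)]
    result = plan_rollout(60, 48, sample_keys, sample_targets)
    for key_name, hosts in result.assignments.items():
        print(f"{key_name}: {', '.join(hosts)}")
    print("deferred:", result.deferred or "none")
    for w in result.warnings:
        print("warning:", w)
```

Run it with your own numbers before handing the host list to the automation tool; any host in `deferred` should be left out of the run until the license count or key limit is raised, which avoids the silent non-connecting installs the caution above describes.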
Removing agent devices you no longer use
Required: You must be a Blumira Administrator or Manager to edit or remove agent devices.
When you no longer need to receive logs from a device that is running Blumira Agent, you can remove the agent from Blumira to stop logging and detections for the device. When you do this, existing logs that the agent previously sent to Blumira remain available for the standard data retention timeframe. How you remove Blumira Agent depends on whether you want to remove it from an individual device or an entire group of devices.
To remove Blumira Agent from a device:
- On the Devices page, click the row of the device that you want to remove.
- In the actions menu, click Delete agent.
- In the confirmation window, click Remove this device.
If a device is offline and will not be coming back online, such as when it has been lost or deprovisioned, follow the steps in Uninstalling Blumira Agent from a device that is not connected.