See how quick and easy it is to send endpoint logs directly to the cloud without the need for any additional infrastructure using Blumira Agent.
Blumira’s Lead Incident Detection Engineer Amanda Berlin shows you how to use Blumira Agent, isolate hosts, test detections and more.
Welcome to the Blumira Agent demo. I’m your host for this fun and exciting video, Amanda Berlin, the lead incident detection engineer here at Blumira.
Here you’ll see how quick and easy it is to send endpoint logs directly to the cloud without the need for any additional infrastructure.
After we log into our Blumira environment, we can head on over to the Blumira Agent menu and get started right away with our installation.
We’re going to create an installation key for our environment, but if you already have one created, you can select it here as well.
Here we’re naming our Installation Key “DemoTest”.
And after it’s created, we’ll copy the custom installation script.
Normally many organizations may run this through a custom software distribution platform. But that’s no fun for a demo and we’re really only installing it on one device here.
Here you see we’re going to run the copied command on one of our lab servers in PowerShell as admin and watch it install the Blumira Agent.
Alright, nice and quick.
Now let’s go over and verify that the device is available in the Blumira console.
Under devices, we see here the device that I’ve just installed it on and we can click on device details.
Here we see it’s online.
Now let’s run a malicious command and see how isolating works inside of Blumira.
We’re going to run the findstr password discovery command that looks for passwords saved in Active Directory.
And right away we can see that there is an unresolved finding matching that endpoint of the findstr password discovery activity.
So we’re going to go ahead and isolate that endpoint by clicking the “Isolated” option and saving that change. Because ideally we’re going to be performing incident response on this host.
Here you can see me on that device, trying to move windows and type. Nothing is really happening. And you can see here that it has already kicked me off of the remote connection.
So say we already have that endpoint fixed and the malicious activity has been resolved. We’ll want to un-isolate that device so it can begin running as normal. We click on “Release this device”.
And there you have it, we’re back online!
A simple and efficient way to protect your enterprise while in the office or working remotely.
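The detect, isolate and release workflow the demo walks through, as an added example that is not Blumira's code and does not use its API: a small detection over constructed process-creation events (hostnames, users and command lines are made up), a finding per match, and a release step that refuses to lift isolation while a finding is still unresolved (a guard assumed here, not something the page states).

```python
from dataclasses import dataclass, field

# Constructed process-creation events standing in for what an endpoint
# agent forwards; hostnames, users and command lines are made up.
SAMPLE_EVENTS = [
    {"host": "lab-srv-01", "user": "labadmin",
     "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": "findstr /si password *.xml *.ini *.txt"},
    {"host": "lab-srv-01", "user": "labadmin",
     "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": r'findstr /i "error" C:\logs\app.log'},
    {"host": "lab-ws-07", "user": "jdoe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

PASSWORD_TERMS = ("password", "passwd", "cpassword")

def is_findstr_password_discovery(event):
    """Match findstr runs that sweep file contents (/s) for password
    strings. Requiring the recursive switch is a design choice that keeps
    ordinary single-file greps out of the finding."""
    if not event["image"].lower().endswith("findstr.exe"):
        return False
    tokens = event["cmdline"].lower().split()
    switches = "".join(t[1:] for t in tokens if t.startswith("/"))
    args = [t.strip('"') for t in tokens[1:] if not t.startswith("/")]
    return "s" in switches and any(term in a for a in args for term in PASSWORD_TERMS)

@dataclass
class Device:
    host: str
    isolated: bool = False
    findings: list = field(default_factory=list)

def process_events(events, rules=(is_findstr_password_discovery,)):
    """Return a host -> Device map with one unresolved finding per rule hit."""
    devices = {}
    for ev in events:
        dev = devices.setdefault(ev["host"], Device(ev["host"]))
        for rule in rules:
            if rule(ev):
                dev.findings.append({"rule": rule.__name__, "user": ev["user"],
                                     "cmdline": ev["cmdline"], "resolved": False})
    return devices

def isolate(dev):
    dev.isolated = True

def release(dev):
    """Refuse to lift isolation while any finding on the host is unresolved."""
    if any(not f["resolved"] for f in dev.findings):
        raise RuntimeError(f"{dev.host} still has unresolved findings")
    dev.isolated = False
```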