Skip to main content
This section walks you through the process of creating a new agent using the Agent Builder. Each step in the builder helps define the agent’s identity, responsibilities, and operational capabilities. By the end of this process, your agent will be configured and ready to use within the Blink Ops platform.
To learn more about how the Agent Builder works, click here

Creating a New Agent

Disclaimer The images shown in this documentation are for visualization purposes only. The appearance and configuration of your agents may differ based on your workspace settings, custom roles, and individual agent configurations.
1

Open the Agent Builder

Navigate to the ‘Agents’ page in your workspace, then click the New Agent button located in the top-right corner of the page.
2

Basic Information

Start by providing a name and title for your agent. You can also include an optional description.
A clear and concise description helps other users quickly understand the agent’s purpose and how it is intended to be used. This description also appears in the builder editor as the action label, making it easier to identify the agent during workflow design.
3

Appearance

Customize your Agent’s appearance by choosing a style, color and upload your custom logo.
4

Roles and Responsibilities

Define the agent’s role within your environment, including its primary responsibilities and any operational constraints it should follow. This helps shape how the agent behaves and interacts with your systems.
Use this section to define any boundaries or constraints the agent should follow—what it should not do. This helps guide the agent’s behavior and ensures it operates within the expected limits of your environment. For more guidance, visit the best practices documentation.
5

Modes

Note: The Interactive Mode feature is currently in the early access stage.By default, each agent has the ‘Task Mode’ enabled. Optionally, users can enable ‘Interactive Mode’, which allows real-time conversations with the agent.
For more information about ‘Task Mode’ visit Step 3 of Using the Agent in Workflows.
You can interact with the agent through Interactive Mode in:
  1. Test – Interact with and test the draft version of the agent while building it, allowing you to validate responses in real time.
  1. Start – Interact with the agent’s published version through the chat interface.
For more information, visit the Interactive Mode section of the documentation.
6

Abilities

Search and select which workflows the agent is allowed to access and execute. These workflows control the specific tasks the agent can perform and automate on your behalf. By assigning pre-built, secure workflows, you ensure agents can carry out necessary actions without needing direct access to your systems or credentials.
  • Workflows can also include optional “human in the loop” approval steps, allowing sensitive actions to be reviewed before they are executed.
  • Interactive Agents support parallel ability execution, enabling multiple abilities to run concurrently. This reduces overall task completion time and can lower token consumption by minimizing the number of agent reasoning iterations.
  • The agent automatically determines which abilities can execute in parallel based on their defined dependencies, inputs, and outputs. Parallel execution behavior can also be explicitly controlled through agent instructions to enforce concurrent execution for specific abilities. Agent reasoning proceeds only after all required parallel ability executions have completed.
  • For Interactive Agents, ability execution may include a combination of automatically executed abilities and abilities requiring user approval. If a user submits a new message instead of approving a pending action, only the pending abilities are marked as stale. Previously completed abilities and their execution results remain preserved and available to the agent.
  • You can enable the “Show Packs” setting to clearly display which pack each ability workflow belongs to.
  • You can create a new ability workflow by clicking the “New Ability” button, providing a name for the ability workflow, and selecting the pack you want to add the ability workflow to.
  • You can also search for ability workflows to quickly locate a specific workflow, or filter workflows by the pack they belong to.
4.1

Access the Ability Workflow's Settings

When you select an ability workflow, click the to open its settings. Here, you will find key information about the selected ability workflow, including:
  • Name – The name of the ability workflow
  • Pack – The name of the pack it belongs to.
  • Description – A description of the ability workflow’s purpose.
  • Allow interactive agent execution without approval- When enabled, This ability will run without asking for confirmation. Applies only to agents that have ‘Interactive Mode’ enabled.
  • Summarize Long Responses – A toggle that, when enabled, simplifies lengthy or detailed results from this ability, allowing the agent to focus on the most important information. Enable this if the workflow often returns large amounts of data.
7

Knowledge

Upload documents for the agent to reference. These materials help the agent better understand your environment, respond more accurately, and make context-aware decisions. See all supported document formats by visiting this section.
All files are securely uploaded to Amazon database. If a file is removed from the knowledge base or the agent is deleted, all associated data is permanently deleted.
Users with view-only permissions will not be able to edit files in the knowledge configuration. To view more knowledge limitations, refer to the Limitations section of the documentation.
8

Publish your Agent

Once all required sections are completed, click the ‘Publish’ button in the top-right corner to deploy your agent. A confirmation popup will indicate that your agent was successfully published and is now active within your workspace.
When building your agent, your work is automatically saved, so you can stop at any time and keep an unpublished draft version to return to at any time.

Using the Agent in Workflows

Once your agent has been created, you can add it to automated workflows to perform specific tasks, respond to triggers, and interact with other systems. This section explains how to integrate your custom agent into a workflow using Blink’s visual workflow editor. Each step outlined below ensures that your agent is properly configured to operate within the defined workflow and fulfill its assigned responsibilities.
1

Navigate to Workflow Page

Navigate to the Workflows tab in your workspace, then either create a new workflow or open an existing workflow where you want to use the agent.
2

Add the Agent to the Workflow

Search for the agent you want to include in the workflow. Once located, add it as a step in your workflow.
Agent steps are treated like any other workflow step, and you can define their inputs and expected outputs accordingly.
3

Define the Agent's Task

Clearly define the agent’s primary task in this step. This sets the context for what the agent is expected to achieve during its execution.
Parallel ability execution can be controlled through instructions defined in the Agent task parameter. By explicitly specifying which abilities should run concurrently, agents can execute multiple abilities in parallel. Subsequent agent reasoning begins only after all required parallel executions have completed, helping reduce task completion time and potentially lowering token usage by minimizing agent iterations.
In the top-right corner of the agent step’s output, click Agent Configuration to open the Agent Builder’s configuration interface.
The more context and clarity you provide, the better the agent will perform its task in the automated workflow. For more guidance, visit the best practices documentation.
4

Output Example

You can provide a sample JSON output to illustrate the expected structure the response of the agent’s output. This helps with downstream step configuration and validation. If you prefer the response to be plain text, simply leave this section blank.
Only one JSON output example should be provided. The JSON output can support up to 10 levels of nesting, meaning it can include objects or arrays nested inside each other, but only up to three layers deep.
To prevent using real data during testing, you can use the mock output feature. This allows you to simulate step results without consuming your tenant’s data quota.

Phishing Email

{
  "operation_explanation": "",
  "blocked_senders": ["attacker@gmail.com", "attacker2@gmail.com"],
  "email_subject": "Urgent: Your Account Will Be Suspended!",
  "provider": "gmail",
  "malicious_urls": ["http://phishy-link.com/reset"],
  "actions_taken": [ "sender_blocked", "team_notified"]
}

Security Alert Summary

This JSON output example provides a structured, human-readable summary of a security alert. It captures what occurred (alert_summary), who was involved (user_summary), the behavior of the device (device_summary), and any suspicious indicators like external IPs, file hashes, and URLs. It concludes with recommended_actions—specific steps an analyst should take to investigate or remediate the incident. This format is typically used to enrich alerts and support triage decisions.
{
  "alert_summary": "The event involved [DESCRIPTION OF WHAT WAS OBSERVED].",
  "user_summary": "The alert is associated with a [USER ACCOUNT] flagged for [REASON].",
  "device_summary": "The [DEVICE] has been observed in performing [ACTIVITY]",
  "external_ips": "The [IP ADDRESS] has been detected as [DISPOSITION]",
  "hashes": "The [FILE HASH] was found to be [VERDICT].",
  "urls": "[The URL] is [VERDICT]",
  "recommended_actions": "You should do [LIST OF ACTIONS] to resolve this incident."
}

Alert Mapping to MITRE ATT&CK

This JSON output example maps alert details to the MITRE ATT&CK framework, offering standardized fields like alert_name, alert_title, source, and severity. Most importantly, it includes a mitre_mapping field that ties observed behavior to known adversary tactics and techniques. This format helps analysts quickly understand the nature of the threat and align it with industry-recognized classifications for faster, more informed response.
{
  "alert_name": "[ALERT NAME]",
  "alert_title": "[ALERT TITLE]",
  "source": "[SOURCE]",
  "severity": "[SEVERITY LEVEL]",
  "mitre_mapping": "[TACTIC]:\n- [TECHNIQUE NAME]\n- [TECHNIQUE NAME]\n\n[TACTIC]:\n- [TECHNIQUE NAME]\n- [TECHNIQUE NAME]"
}
5

Advanced-Additional Constraints

Define any additional constraints you want the agent to follow for this specific workflow context.
6

Advanced-Timeout in Minutes

Define the maximum duration (in minutes), the agent is allowed to run before timing out. If the time is exceeded, any running abilities and subflows will stop.
To understand how long an agent step is allowed to run and what other execution limits apply, check the full list of constraints in the Agent Builder Limitations documentation.
7

Advanced- Enable Settings

  • Use Agent Draft Version in Edit Mode: When enabled, the workflow will run the draft version of the agent while in edit mode and during test runs. This lets you test the workflow using the most recent, unpublished changes made to the agent, so you can validate updates before officially publishing them.
  • Continue Last Session: When enabled, the agent will continue its previous session within this workflow run. This allows the agent to use context from earlier tasks instead of starting a fresh session.
  • Extend Response Mode - When enabled, the agent can generate longer responses in a single run.
    Note: It may sometimes lead to more verbose responses.
8

Publish your Workflow

Once all steps are configured, click the ‘Publish’ button to activate your workflow. Your agent is now live and will execute as defined when the workflow runs.

Manage Portal Settings

In the Agents feature, select a specific agent, click the menu, and choose “Manage Portal Access”. Then, enter the email address of one or more users or groups within your tenant to share the selected agent in the Blink Portal.

Agents - How it Works

Explore a more in-depth explanation of how the Agents work.

Best Practices

Follow these best practices to design reliable, safe, and effective security agents using the Agents. Learn more about what to do—and what to avoid.

Limitations

Understand the execution limits, performance constraints, and supported capabilities when building agents. Learn more about what agents can and can’t do.

Builder Copilot

Builder Copilot uses generative AI to help you design custom workflows faster, directly within the Workflow Editor. Learn more about how to use it.