Skip to main content
This section walks you through the process of creating a new agent using the Agent Builder. Each step in the builder helps define the agent’s identity, responsibilities, and operational capabilities. By the end of this process, your agent will be configured and ready to use within the Blink Ops platform.
To learn more about how the Agent Builder works, click here

Creating a New Agent

Disclaimer The images shown in this documentation are for visualization purposes only. The appearance and configuration of your agents may differ based on your workspace settings, custom roles, and individual agent configurations.
1

Open the Agent Builder

Navigate to the ‘Agents’ page in your workspace, then click the New Agent button located in the top-right corner of the page.
2

Basic Information

Start by providing a name and title for your agent. You can also include an optional description.
A clear and concise description helps other users quickly understand the agent’s purpose and how it is intended to be used. This description also appears in the builder editor as the action label, making it easier to identify the agent during workflow design.
3

Roles and Responsibilities

Define the agent’s role within your environment, including its primary responsibilities and any operational constraints it should follow. This helps shape how the agent behaves and interacts with your systems.
Use this section to define any boundaries or constraints the agent should follow—what it should not do. This helps guide the agent’s behavior and ensures it operates within the expected limits of your environment. For more guidance, visit the best practices documentation.
4

Abilities

Define which workflows the agent is allowed to access and execute. These workflows control the specific tasks the agent can perform and automate on your behalf.
By assigning pre-built, secure workflows, you ensure agents can carry out necessary actions without needing direct access to your systems or credentials.
Workflows can also include optional “human in the loop” approval steps, allowing sensitive actions to be reviewed before they are executed.
5

Knowledge

Upload documents for the agent to reference. These materials help the agent better understand your environment, respond more accurately, and make context-aware decisions. See all supported document formats by visiting this section.
All files are securely uploaded to Amazon database. If a file is removed from the knowledge base or the agent is deleted, all associated data is permanently deleted.
Users with view-only permissions will not be able to edit files in the knowledge configuration. To view more knowledge limitations, refer to the Limitations section of the documentation.
6

Publish your Agent

Once all required sections are completed, click the ‘Publish’ button in the top-right corner to deploy your agent. A confirmation popup will indicate that your agent was successfully published and is now active within your workspace.
When building your agent, your work is automatically saved, so you can stop at any time and keep an unpublished draft version to return to at any time.
Please note that the ‘Peer Agent’ capabilities are coming soon.

Using the Agent in Workflows

Once your agent has been created, you can add it to automated workflows to perform specific tasks, respond to triggers, and interact with other systems. This section explains how to integrate your custom agent into a workflow using Blink’s visual workflow editor. Each step outlined below ensures that your agent is properly configured to operate within the defined workflow and fulfill its assigned responsibilities.
1

Navigate to Workflow Page

Navigate to the Workflows tab in your workspace, then either create a new workflow or open an existing workflow where you want to use the agent.
2

Add the Agent to the Workflow

Search for the agent you want to include in the workflow. Once located, add it as a step in your workflow.
Agent steps are treated like any other workflow step, and you can define their inputs and expected outputs accordingly.
3

Define the Agent's Task

Clearly define the agent’s primary task in this step. This sets the context for what the agent is expected to achieve during its execution.
In the top-right corner of the agent step’s output, click Agent Configuration to open the Agent Builder’s configuration interface.
The more context and clarity you provide, the better the agent will perform its task in the automated workflow. For more guidance, visit the best practices documentation
4

Output Example

You can provide a sample JSON output to illustrate the expected structure the response of the agent’s output. This helps with downstream step configuration and validation. If you prefer the response to be plain text, simply leave this section blank.
Only one JSON output example should be provided. The JSON output can support up to three levels of nesting, meaning it can include objects or array nested inside each other, but only up to three layers deep.
To prevent using real data during testing, you can use the mock output feature. This allows you to simulate step results without consuming your tenant’s data quota.

Phishing Email

{
  "operation_explanation": "",
  "blocked_senders": ["attacker@gmail.com", "attacker2@gmail.com"],
  "email_subject": "Urgent: Your Account Will Be Suspended!",
  "provider": "gmail",
  "malicious_urls": ["http://phishy-link.com/reset"],
  "actions_taken": [ "sender_blocked", "team_notified"]
}

Security Alert Summary

This JSON output example provides a structured, human-readable summary of a security alert. It captures what occurred (alert_summary), who was involved (user_summary), the behavior of the device (device_summary), and any suspicious indicators like external IPs, file hashes, and URLs. It concludes with recommended_actions—specific steps an analyst should take to investigate or remediate the incident. This format is typically used to enrich alerts and support triage decisions.
{
  "alert_summary": "The event involved [DESCRIPTION OF WHAT WAS OBSERVED].",
  "user_summary": "The alert is associated with a [USER ACCOUNT] flagged for [REASON].",
  "device_summary": "The [DEVICE] has been observed in performing [ACTIVITY]",
  "external_ips": "The [IP ADDRESS] has been detected as [DISPOSITION]",
  "hashes": "The [FILE HASH] was found to be [VERDICT].",
  "urls": "[The URL] is [VERDICT]",
  "recommended_actions": "You should do [LIST OF ACTIONS] to resolve this incident."
}

Alert Mapping to MITRE ATT&CK

This JSON output example maps alert details to the MITRE ATT&CK framework, offering standardized fields like alert_name, alert_title, source, and severity. Most importantly, it includes a mitre_mapping field that ties observed behavior to known adversary tactics and techniques. This format helps analysts quickly understand the nature of the threat and align it with industry-recognized classifications for faster, more informed response.
{
  "alert_name": "[ALERT NAME]",
  "alert_title": "[ALERT TITLE]",
  "source": "[SOURCE]",
  "severity": "[SEVERITY LEVEL]",
  "mitre_mapping": "[TACTIC]:\n- [TECHNIQUE NAME]\n- [TECHNIQUE NAME]\n\n[TACTIC]:\n- [TECHNIQUE NAME]\n- [TECHNIQUE NAME]"
}
5

Advanced-Timeout in Minutes

Define the maximum duration(in minutes), the agent is allowed to run before timing out. If the time is exceeded, any running abilities and subflows will stop.
To understand how long an agent step is allowed to run and what other execution limits apply, check the full list of constraints in the Agent Builder Limitations documentation.
6

Enable 'Use Draft Version in Edit Mode'

When enabled, the workflow will run the draft version of the agent while in edit mode and during test runs. This lets you test the workflow using the most recent, unpublished changes made to the agent, so you can validate updates before officially publishing them.
7

Publish your Workflow

Once all steps are configured, click the ‘Publish’ button to activate your workflow. Your agent is now live and will execute as defined when the workflow runs.

Agents- How it Works

Explore a more in depth explanation of how the Agents works.

Best Practices

Follow these best practices to design reliable, safe, and effective security agents using the Agents. Learn more about what to do—and what to avoid.

Limitations

Understand the execution limits, performance constraints, and supported capabilities when building agents. Learn more about what agents can and can’t do.

Builder Copilot

Builder Copilot uses generative AI to help you design custom workflows faster, directly within the Workflow Editor. Learn more about how to use it.