To learn more about how the Agent Builder works, click here
Creating a New Agent
Disclaimer: The images shown in this documentation are for visualization purposes only. The appearance and configuration of your agents may differ based on your workspace settings, custom roles, and individual agent configurations.
1
Open the Agent Builder
Navigate to the ‘Agents’ page in your workspace, then click the New Agent button located in the top-right corner of the page.

2
Basic Information
Start by providing a name and title for your agent. You can also include an optional description.

A clear and concise description helps other users quickly understand the agent’s purpose and how it is intended to be used. This description also appears in the builder editor as the action label, making it easier to identify the agent during workflow design.

3
Roles and Responsibilities
Define the agent’s role within your environment, including its primary responsibilities and any operational constraints it should follow. This helps shape how the agent behaves and interacts with your systems.

Use this section to define any boundaries or constraints the agent should follow—what it should not do. This helps guide the agent’s behavior and ensures it operates within the expected limits of your environment. For more guidance, visit the best practices documentation.

4
Abilities
Define which workflows the agent is allowed to access and execute. These workflows control the specific tasks the agent can perform and automate on your behalf.
By assigning pre-built, secure workflows, you ensure agents can carry out necessary actions without needing direct access to your systems or credentials.
Workflows can also include optional “human in the loop” approval steps, allowing sensitive actions to be reviewed before they are executed.

5
Knowledge
Upload documents for the agent to reference. These materials help the agent better understand your environment, respond more accurately, and make context-aware decisions. See all supported document formats by visiting this section.
All files are securely uploaded to an Amazon database. If a file is removed from the knowledge base or the agent is deleted, all associated data is permanently deleted.
Users with view-only permissions will not be able to edit files in the knowledge configuration. To view more knowledge limitations, refer to the Limitations section of the documentation.
6
Publish your Agent
Once all required sections are completed, click the ‘Publish’ button in the top-right corner to deploy your agent. A confirmation popup will indicate that your agent was successfully published and is now active within your workspace.
When building your agent, your work is automatically saved, so you can stop at any time and return later to the unpublished draft version.
Please note that the ‘Peer Agent’ capabilities are coming soon.

Using the Agent in Workflows
Once your agent has been created, you can add it to automated workflows to perform specific tasks, respond to triggers, and interact with other systems. This section explains how to integrate your custom agent into a workflow using Blink’s visual workflow editor. Each step outlined below ensures that your agent is properly configured to operate within the defined workflow and fulfill its assigned responsibilities.
1
Navigate to Workflow Page
Navigate to the Workflows tab in your workspace, then either create a new workflow or open an existing workflow where you want to use the agent.
2
Add the Agent to the Workflow
Search for the agent you want to include in the workflow. Once located, add it as a step in your workflow.

Agent steps are treated like any other workflow step, and you can define their inputs and expected outputs accordingly.

3
Define the Agent's Task
Clearly define the agent’s primary task in this step. This sets the context for what the agent is expected to achieve during its execution.

In the top-right corner of the agent step’s output, click Agent Configuration to open the Agent Builder’s configuration interface.
The more context and clarity you provide, the better the agent will perform its task in the automated workflow. For more guidance, visit the best practices documentation.

4
Output Example
You can provide a sample JSON output to illustrate the expected structure of the agent’s response. This helps with downstream step configuration and validation. If you prefer the response to be plain text, simply leave this section blank.
Only one JSON output example should be provided. The JSON output can support up to three levels of nesting, meaning it can include objects or arrays nested inside each other, but only up to three layers deep.
JSON Output Format- Phishing Email Example
Phishing Email
JSON Output Format- Security Alert Summary Example
Security Alert Summary
This JSON output example provides a structured, human-readable summary of a security alert. It captures what occurred (alert_summary), who was involved (user_summary), the behavior of the device (device_summary), and any suspicious indicators like external IPs, file hashes, and URLs. It concludes with recommended_actions: specific steps an analyst should take to investigate or remediate the incident. This format is typically used to enrich alerts and support triage decisions.
JSON Output Format- Alert Mapping to MITRE ATT&CK Example
Alert Mapping to MITRE ATT&CK
This JSON output example maps alert details to the MITRE ATT&CK framework, offering standardized fields like alert_name, alert_title, source, and severity. Most importantly, it includes a mitre_mapping field that ties observed behavior to known adversary tactics and techniques. This format helps analysts quickly understand the nature of the threat and align it with industry-recognized classifications for faster, more informed response.
5
Advanced-Timeout in Minutes
Define the maximum duration (in minutes) the agent is allowed to run before timing out. If the time is exceeded, any running abilities and subflows will stop.
To understand how long an agent step is allowed to run and what other execution limits apply, check the full list of constraints in the Agent Builder Limitations documentation.

6
Enable 'Use Draft Version in Edit Mode'
When enabled, the workflow will run the draft version of the agent while in edit mode and during test runs. This lets you test the workflow using the most recent, unpublished changes made to the agent, so you can validate updates before officially publishing them.

7
Publish your Workflow
Once all steps are configured, click the ‘Publish’ button to activate your workflow. Your agent is now live and will execute as defined when the workflow runs.
Related Articles
Agents- How it Works
Explore a more in-depth explanation of how Agents work.
Best Practices
Follow these best practices to design reliable, safe, and effective security agents using the Agents. Learn more about what to do—and what to avoid.
Limitations
Understand the execution limits, performance constraints, and supported capabilities when building agents. Learn more about what agents can and can’t do.
Builder Copilot
Builder Copilot uses generative AI to help you design custom workflows faster, directly within the Workflow Editor. Learn more about how to use it.