Skip to main content

Documentation Index

Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt

Use this file to discover all available pages before exploring further.

Applies to BloodHound Enterprise only

Purpose

This article explains how to configure a data collector client to run on a schedule. Administrators should use it when deploying a new client or adding an additional schedule to an existing client.
Azure and Active Directory objects typically change slowly, so daily collection is usually sufficient. To capture activity across different times of day, schedule Local Groups and Sessions more frequently (for example, every 7 hours).

Prerequisites

The following prerequisites are required to create a data collection schedule:
  • An existing SharpHound Enterprise collector client
  • Logged in as a user assigned a role authorized to modify clients

Process

The process to create a data collection schedule consists of the following steps:
1

Open the Manage Clients page

In the left menu, click Administration > Manage Clients.
2

Edit a collector client

On the client that you want to schedule, click the icon in the Action column and select Edit Client.
Navigate to the Edit Client button on the Clients page
3

Create a data collection schedule

  1. Click under Collection Schedule to add a new schedule.
    Click the plus icon to add a new collection schedule
  2. Configure the following details in the Schedule window:
    • Start Date: The time at which the first collection should run
    • Frequency: The frequency at which the collection should run
    • Data: The type of data that the schedule collects, see:
    • Advanced Options:
      Configure the schedule details
      OptionDescription
      Data (Required)Multi-select option for the different types of collection available. See SharpHound Data Collection and Permissions for details on the data collected and permissions necessary for each.
      Domain controllerBy default, SharpHound automatically selects a Domain Controller for LDAP queries. Specifying a Domain Controller hostname or FQDN here will define the default value used for this scan or schedule.

      If not set, SharpHound will utilize the value set in the client configuration.

      We recommend not configuring a Domain Controller manually.
      Target Local Group and/or User Session Collection by Organizational UnitDefine one or more OUs within a domain to only collect Local Group and Session data from computers contained within the specified OUs and their descendants.

      If left empty, SharpHound will collect from all OUs.

      If defined, the schedule or On Demand Scan will not collect AD structure data. A dedicated schedule or On Demand Scan must therefore be created for AD structure collection.

      Note: Not supported with multi-domain collections.
      Scope Collection to Multiple DomainsUtilize trust relationships in your environment to collect data from multiple domains.

      If left empty, SharpHound will collect from the domain to which the Service Account belongs.

      SharpHound supports two options:

      * Define a specific list of domains from which to collect data.
      * Collect data from all domains within the forest that the SharpHound service account belongs.

      Note: Multi-domain collections cannot be scoped by OU.
  3. Click Save in the Schedule window.
  4. Click Save in the Edit SharpHound Client window.

Outcome

The client is now configured for continuous data collection with one schedule. You can add multiple schedules to a single client for more granular control. A summary of a client’s schedule displays in the Collection Schedule column on the Clients page.
View of the Collection Schedule column on the Clients page
After the next schedule, see the job’s status on the Finished Jobs Log page.