To complete this quickstart, you must have a BloodHound Enterprise instance. To connect with the SpecterOps team and receive an instance, request a demo of BloodHound Enterprise.
Ingest with SharpHound Enterprise (Active Directory)
SharpHound Enterprise collects multiple data types from Active Directory and its domain-joined systems. We recommend collecting all types for full risk identification and accurate risk assessment calculation.
Install the SharpHound Enterprise collector service on a domain-joined Windows system and run it as an Active Directory account.
To fully secure a domain, collect data from all other domains with a trust relationship to it (in- and outgoing trust). Configure SharpHound Enterprise for Cross-Trust Collection.
Go to settings (⚙️) → Administration and select Data Quality.
Verify that the collectors have collected the expected amount of data and the number of principal types in each directory.
If using privileged collection, verify that the charts Local Group Completeness Over Time and Session Completeness Over Time report higher than 0%. Obtaining 100% completeness is not possible in most environments due to things like workstations being offline during collection.
If you see lower-than-expected data quality, examine the data collection logs and contact your SpecterOps representative if you need assistance.
Your BloodHound Enterprise instance has a few administrative users by default. To bring your team into your instance, grant your team access with dedicated users and roles.
To grant users access to your instance, create users and set access control roles.
BloodHound Enterprise supports two authentication methods for users:
Built-in authentication via username and password, supporting TOTP-based multi-factor authentication
Your default users are configured with built-in authentication. For your team, you can also configure SAML authentication.
Enable multi-factor authentication for all users, no matter the authentication method and user role. If using SAML authentication, your connected identity provider will handle multi-factor authentication.