Applies to BloodHound Enterprise only

The BloodHound Enterprise integration for Cortex XSOAR lets you ingest and manage BloodHound Enterprise attack path findings in Cortex XSOAR as incidents. Use this integration to:
  • Automatically convert BloodHound Enterprise attack path findings into Cortex XSOAR incidents
  • Attach remediation guidance and posture context to incidents
  • Run playbooks and custom commands to analyze, triage, and remediate findings
Key capabilities include:
  • Automated incident creation with titles, descriptions, remediation guidance, impact/exposure metrics, severity, and domain/environment context
  • Playbook linking per incident to run custom analysis commands
  • Custom commands:
    • Object ID lookup by name
    • Asset information by object ID
    • Path analysis between two nodes in the BloodHound graph

Prerequisites

Before installing and configuring the Cortex XSOAR integration, ensure that you have the following:
  • Cortex XSOAR instance with an admin account
  • BloodHound Enterprise tenant
  • BloodHound Enterprise API key/ID pair

Configure Cortex XSOAR

Set up the SpecterOps BloodHound Enterprise integration instance in Cortex XSOAR.

Step 1: Open integration instances

  1. Log in to your Cortex XSOAR instance.
  2. Go to Settings & Info > Settings > Integrations > Instances.
    (Screenshot: Cortex XSOAR Integrations & Instances page with the SpecterOps integration visible.)
Step 2: Add SpecterOpsBHE instance

  1. Search for the SpecterOps integration.
  2. Click Add Instance for the SpecterOpsBHE integration.
  3. Configure the following settings:
    • Name (required): Instance display name; the default can be modified.
    • BloodHound Enterprise Domain (required): Your tenant domain, e.g., https://example.bloodhoundenterprise.io
    • Token ID (required): API token ID from BloodHound Enterprise.
    • Token Key (required): API token key from BloodHound Enterprise.
    • Proxy URL (optional): Proxy URL used to reach BloodHound Enterprise.
    • Proxy URL Username (optional): Username for proxy authentication.
    • Proxy URL Password (optional): Password for proxy authentication.
    • Finding Environment (optional): Scope findings to one environment.
    • Finding Category (optional): Scope findings to one category.
    By default, Finding Environment and Finding Category are set to All.
    (Screenshot: Cortex XSOAR instance configuration showing fetch settings.)
Step 3: Enable fetching and schedule interval

  1. Check the Fetches incidents option (required).
  2. Set Incident Type to “SpecterOpsBHE Attack Path” (optional).
  3. Set the Incidents Fetch Interval to your preferred schedule (required).
    The default fetch interval is 10 minutes.
    (Screenshot: Cortex XSOAR instance configuration detail view.)
Step 4: Test and save the configuration

  1. Click Test to verify connectivity and credentials.
  2. Close the modal, then Save the instance.
    “Success” indicates working parameters and connectivity. “Error” indicates invalid parameters or a connection failure.
    (Screenshot: Cortex XSOAR instance save confirmation.)
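Added example, not part of the SpecterOps integration: a stand-alone Python check of the token ID/key pair that mirrors what the Test button exercises, so an “Error” result can be narrowed to rejected credentials versus proxy or connectivity trouble. It implements the HMAC request-signing scheme described in the BloodHound Enterprise API documentation, which this page does not cover, and assumes that GET /api/version is an authenticated endpoint; check both against the current API docs before relying on it.

```python
import base64
import datetime
import hashlib
import hmac
import urllib.error
import urllib.request


def bhe_signature(token_key: str, method: str, uri: str,
                  request_date: str, body: bytes = b"") -> str:
    """Base64 'Signature' header value for one request (BHE token-auth scheme)."""
    # Step 1: key = token key; message = METHOD + URI path, e.g. 'GET/api/version'.
    digester = hmac.new(token_key.encode(), f"{method}{uri}".encode(), hashlib.sha256)
    # Step 2: key = previous digest; message = RFC3339 date cut to the hour
    # ('YYYY-MM-DDTHH'), which limits how long a captured signature stays valid.
    digester = hmac.new(digester.digest(), request_date[:13].encode(), hashlib.sha256)
    # Step 3: key = previous digest; message = request body (empty for GET).
    digester = hmac.new(digester.digest(), body, hashlib.sha256)
    return base64.b64encode(digester.digest()).decode()


def signed_headers(token_id: str, token_key: str, method: str, uri: str,
                   body: bytes = b"", request_date: str = "") -> dict:
    """Headers BHE expects on a token-authenticated request."""
    if not request_date:
        request_date = datetime.datetime.now(datetime.timezone.utc).isoformat("T")
    return {
        "Authorization": f"bhesignature {token_id}",
        "RequestDate": request_date,
        "Signature": bhe_signature(token_key, method, uri, request_date, body),
    }


def check_credentials(domain: str, token_id: str, token_key: str,
                      uri: str = "/api/version", timeout: int = 10) -> tuple:
    """Call one authenticated endpoint and return (status, reason).
    200: domain, token ID and token key all work. 401: the token pair is
    rejected. 0: DNS, TLS or proxy trouble rather than bad credentials."""
    url = domain.rstrip("/") + uri
    req = urllib.request.Request(url, headers=signed_headers(token_id, token_key, "GET", uri))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, "ok"
    except urllib.error.HTTPError as exc:
        return exc.code, "token ID/key rejected" if exc.code == 401 else str(exc.reason)
    except urllib.error.URLError as exc:
        return 0, f"connection failed: {exc.reason}"
```

Call check_credentials with the tenant domain and the token ID/key pair entered in the instance; a 401 with otherwise good connectivity points at the token pair, while a status of 0 points at the proxy, DNS or TLS path.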
Step 5: Manage multiple domains or disable instances

  • To add additional BloodHound Enterprise domains, create more instances with Add Instance.
  • To stop fetching, uncheck Enable to disable the instance.
    (Screenshot: List of multiple SpecterOpsBHE instances in Cortex XSOAR.)