Applies to BloodHound Enterprise only

After you configure the integration, Cortex XSOAR begins fetching BloodHound Enterprise attack path findings as incidents. Use the sections below to monitor ingestion, view incidents, and inspect details.
See install and configure for setup steps and fetch interval settings.

Monitor ingestion and logs

You can view instance logs to confirm incidents are being fetched.
Cortex XSOAR instance logs showing incident fetch activity for SpecterOpsBHE integration.

View incidents

Open the Incidents view to see all fetched attack path incidents.
Click any incident to open its details.
Cortex XSOAR Incidents list showing SpecterOpsBHE attack path incidents.

Incident details

The incident details page includes key information about the attack path and related context:
  • Incident name and ID
  • Case details
  • Quick View side panel with labels containing attack path data
Incident details view showing case details and Quick View labels for attack path data.

Work Plan and playbook

Click the Work Plan tab to view the playbook. The SpecterOpsBHE playbook runs custom commands to retrieve object-related information and analyze attack paths. You can click each task or script to view its results.
Work Plan view showing the playbook tasks and scripts executed for the incident.

DBot panel

Use the DBot panel to review execution context and results. Locate the root section and expand it to see underlying data and command outputs related to the incident.
DBot panel expanded to show root context and command outputs for the incident.