Applies to BloodHound Enterprise only.

The BloodHound Enterprise integration for Google SecOps lets you ingest Attack Path findings into Google SecOps so analysts can investigate and respond without leaving the platform. This guide shows you how to install the integration from the Google Marketplace, configure the integration instance, and enable the connector that creates cases, alerts, and events. Use this integration to:
  • Create Google SecOps cases from BloodHound Enterprise Attack Path findings
  • Investigate findings with BloodHound Enterprise asset lookup and path validation actions
  • Group related alerts by source domain to keep investigations organized

Prerequisites

Before you begin, ensure that you have the following:

Install and configure the integration

Install the integration instance in Google SecOps and connect it to your BloodHound Enterprise tenant.
1. Install the integration

  1. Log in to your Google SecOps tenant with an account that has permission to install integrations.
  2. Go to Content Hub > Response Integrations.
  3. Search for BloodHound Enterprise - Google SecOps.
  4. Click Install.
  5. Click Configure.
2. Enter BloodHound Enterprise connection details

Configure the required fields for the integration instance:
Field | Description
BloodHound Enterprise Server | The URL of your BloodHound Enterprise tenant
Token ID | The API token ID used to authenticate requests
Token Key | The API token key used to sign and authorize requests

Save the configuration after you enter the required values.
Figure: BloodHound Enterprise - Google SecOps integration configuration form.
3. Verify the integration configuration

  1. Click Test to validate the server URL and API credentials.
  2. Confirm that the test succeeds before you continue.
    Figure: Successful integration test result in Google SecOps.
    A successful test confirms that Google SecOps can connect to the BloodHound Enterprise API with the supplied credentials. If the test fails, review the error message and confirm that the server URL, token ID, and token key are correct. You can also refer to the troubleshooting guide for more help diagnosing common issues.
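If the test keeps failing, it helps to confirm the token ID and token key outside Google SecOps. The following Python example is added here and is not part of this guide or of the integration's own code: it builds the signed request headers using the chained HMAC-SHA256 scheme from BloodHound's published API client examples (an assumption about the API, not something this page states), and the tenant URL, token values and the /api/version endpoint are placeholders you replace with your own.

```python
import base64
import hashlib
import hmac
import urllib.request
from datetime import datetime, timezone

# Constructed placeholder values; substitute your tenant URL and API token.
SERVER = "https://example-tenant.bloodhoundenterprise.io"
TOKEN_ID = "00000000-0000-0000-0000-000000000000"
TOKEN_KEY = "constructed-example-token-key"


def sign_request(token_id, token_key, method, uri, body=b"", request_date=None):
    """Return the headers a signed BloodHound Enterprise API request carries.

    Assumed scheme (from BloodHound's published client examples):
      1. HMAC-SHA256(token_key, METHOD + URI)
      2. HMAC-SHA256(step 1 digest, RequestDate truncated to the hour)
      3. HMAC-SHA256(step 2 digest, body) -> base64 -> Signature header
    Because the date is truncated to the hour, a signature is bound to one
    method, path and body and stops validating in the next hour.
    """
    if request_date is None:
        request_date = datetime.now(timezone.utc).isoformat(timespec="seconds")
    d = hmac.new(token_key.encode(), f"{method}{uri}".encode(), hashlib.sha256)
    d = hmac.new(d.digest(), request_date[:13].encode(), hashlib.sha256)
    d = hmac.new(d.digest(), body, hashlib.sha256)
    return {
        "Authorization": f"bhesignature {token_id}",  # token ID, not the key
        "RequestDate": request_date,
        "Signature": base64.b64encode(d.digest()).decode(),
        "Content-Type": "application/json",
    }


def check_connection(server=SERVER, token_id=TOKEN_ID, token_key=TOKEN_KEY):
    """Send one signed GET (assumed endpoint /api/version); returns HTTP status.

    A 401 here with a correct URL points at the token ID or key; a DNS or
    TLS error points at the server URL."""
    uri = "/api/version"
    req = urllib.request.Request(server + uri, headers=sign_request(token_id, token_key, "GET", uri))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Print the headers for a sample request; no network access needed.
    print(sign_request(TOKEN_ID, TOKEN_KEY, "GET", "/api/version"))
```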

Configure the connector

The connector retrieves Attack Path findings from BloodHound Enterprise and creates the corresponding cases, alerts, and events in Google SecOps.
You can manually trigger the connector to run a one-time ingestion of BloodHound Enterprise findings, or you can enable it to run on a schedule.
1. Create the connector

  1. Go to Settings > SOAR Settings > Ingestion > Connector.
  2. Click Create New Connector.
  3. Select the BloodHound Enterprise connector that you want to configure.
2. Configure connector parameters

  1. Open the Parameter tab.
  2. Enter the required values for the connector.
    Field | Description
    BloodHound Enterprise Server | The URL of your BloodHound Enterprise tenant
    Token ID | The API token ID used for authentication
    Token Key | The API token key used to sign requests
    Selected BloodHound Environments | The BloodHound Enterprise environments that the connector should query
    Selected Finding Types | The Attack Path finding categories that the connector should ingest
    Run Every | The interval at which the connector polls BloodHound Enterprise
    Product Field Name | The source field name that Google SecOps should use for the product value
    Event Field Name | The source field name that Google SecOps should use for the event value
    Figure: BloodHound connector Parameter tab in Google SecOps.
3. Test the connector

The connector test validates connectivity, connector logic, and the required parameter values without requiring you to enable the connector first.
  1. Open the Testing tab.
  2. Click Test Connector to run a one-time execution.
  3. Review the generated alerts and the debug logs.
  4. Click Log to System if you want to create cases from the generated test alerts.
    Figure: Connector Testing tab showing the Test Connector action.
4. Enable the connector and logging

  1. Enable the toggle for Attack Paths Alert.
    Figure: Connector page after the connector is enabled.
  2. Open the Logs tab.
  3. Enable the Log Connection toggle if logging is not already enabled.
    Figure: Connector logs showing generated alerts.
  4. Confirm in the logs that alerts are created successfully.
    Figure: Connector Logs tab showing the Log Connection toggle.
  5. Open the Cases page to review the resulting cases, alerts, and events.

Map and model alerts

Alerts are not mapped and modeled by default. Configure field mappings before you move the integration into regular analyst workflows.
1. Open Mapping and Modeling

Open the Google SecOps settings menu and select Mapping and Modeling.
2. Select the mapping family

For this example, use the Default family to classify alerts under a predefined set of rules.
  1. Choose the Default family.
  2. Open the Visualization tab.
    Figure: Google SecOps Mapping and Modeling page with the Default family selected.

3. Map the required fields

Map the incoming alert fields to the corresponding event fields.
  1. Ensure that StartTime and EndTime are configured correctly. These fields are crucial for defining the time frame of the events.
  2. Save the mapping configuration.
  3. Test the mapping with sample alerts before you use it in production.
    Figure: Visualization tab showing alert field mappings in Google SecOps.

Configure alert grouping

Configure alert grouping so Google SecOps groups related BloodHound Enterprise alerts into one case per source domain. Grouping alerts from the same domain into a single case allows for:
  • Easier investigation and triage
  • Clear, organized case structures
  • Domain-specific incident visibility
  • Scalable response workflows
1. Create an alert grouping rule

  1. Go to SOAR Settings > Advanced > Alert Grouping.
  2. Click Add Rule.
  3. Configure the rule with the following values:
    Setting | Value
    Category | Data Source
    Value | BloodHound Enterprise - Google SecOps
    Group By | Entities
    Grouping Entity | SourceDomain

    Save the rule after you enter the values.
    Figure: Alert grouping rule configuration for the BloodHound Enterprise - Google SecOps integration.
With this rule in place, Google SecOps groups all alerts for the same source domain into a single case, up to the platform’s case and event limits.

Next steps

After the connector is running, use cases and alerts in Google SecOps to investigate BloodHound Enterprise findings.
For help resolving issues, see Troubleshoot common issues.