Applies to BloodHound Enterprise only.

After you complete the installation and configuration, Google SecOps begins receiving BloodHound Enterprise Attack Path data through the connector. This page explains how that data is organized into cases, alerts, and events, and how analysts can work with it during an investigation.

Understand the investigation structure

The integration organizes BloodHound Enterprise findings into Google SecOps cases, alerts, and events.
Object and purpose:
  Case: Groups related BloodHound Enterprise findings for investigation. With alert grouping configured, Google SecOps groups related alerts into one case per source domain.
  Alert: Represents one distinct BloodHound Enterprise finding or path title within a case.
  Event: Captures an individual Attack Path occurrence and its supporting details, such as the nodes on the path and their object IDs.
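The hierarchy above, worked through in Python as an added example (this is not the connector's code, and the finding records, names and SIDs are constructed): findings are grouped into one case per domain, one alert per finding title, and one event per Attack Path occurrence, and a small pivot function answers the analyst question "which Attack Paths does this object ID sit on?" across every case and alert.

```python
# Constructed sample findings, shaped loosely like the Attack Path records the
# connector ingests; these are not real BloodHound Enterprise output.
SAMPLE_FINDINGS = [
    {"domain": "CORP.LOCAL",
     "finding": "Kerberoastable Users with Path to Tier Zero",
     "path": ["JDOE@CORP.LOCAL", "HELPDESK@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL"],
     "object_ids": ["S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-1201", "S-1-5-21-1-2-3-512"]},
    {"domain": "CORP.LOCAL",
     "finding": "Kerberoastable Users with Path to Tier Zero",
     "path": ["SVC_SQL@CORP.LOCAL", "SERVER OPS@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL"],
     "object_ids": ["S-1-5-21-1-2-3-1300", "S-1-5-21-1-2-3-1410", "S-1-5-21-1-2-3-512"]},
    {"domain": "CORP.LOCAL",
     "finding": "Unconstrained Delegation",
     "path": ["WEB01.CORP.LOCAL", "DOMAIN CONTROLLERS@CORP.LOCAL"],
     "object_ids": ["S-1-5-21-1-2-3-2001", "S-1-5-21-1-2-3-516"]},
    {"domain": "DEV.CORP.LOCAL",
     "finding": "Kerberoastable Users with Path to Tier Zero",
     "path": ["SVC_BUILD@DEV.CORP.LOCAL", "DOMAIN ADMINS@DEV.CORP.LOCAL"],
     "object_ids": ["S-1-5-21-9-9-9-1107", "S-1-5-21-9-9-9-512"]},
]


def build_investigation(findings):
    """Group findings the way the integration does: one case per domain,
    one alert per finding title, one event per Attack Path occurrence."""
    cases = {}
    for f in findings:
        case = cases.setdefault(f["domain"], {"domain": f["domain"], "alerts": {}})
        alert = case["alerts"].setdefault(f["finding"], {"title": f["finding"], "events": []})
        alert["events"].append({
            "path": " -> ".join(f["path"]),          # step-by-step traversal
            "object_ids": list(f["object_ids"]),     # one object_id per node on the path
        })
    return cases


def summarize(cases):
    """(domain, alert count, event count) per case, sorted by domain."""
    return sorted(
        (domain, len(case["alerts"]),
         sum(len(a["events"]) for a in case["alerts"].values()))
        for domain, case in cases.items()
    )


def find_events_for_object(cases, object_id):
    """Pivot across all cases and alerts: every event whose path contains object_id.
    Handy when one principal (a Tier Zero group, a compromised user) shows up in
    several findings and you want every Attack Path it sits on."""
    hits = []
    for domain, case in cases.items():
        for title, alert in case["alerts"].items():
            for event in alert["events"]:
                if object_id in event["object_ids"]:
                    hits.append({"domain": domain, "alert": title, "path": event["path"]})
    return hits


if __name__ == "__main__":
    cases = build_investigation(SAMPLE_FINDINGS)
    for domain, n_alerts, n_events in summarize(cases):
        print(f"case {domain}: {n_alerts} alerts, {n_events} events")
    for hit in find_events_for_object(cases, "S-1-5-21-1-2-3-512"):
        print(f"  {hit['domain']} / {hit['alert']}: {hit['path']}")
```

With the constructed input, CORP.LOCAL becomes one case holding two alerts and three events, DEV.CORP.LOCAL a second case with one alert and one event; the pivot on the CORP.LOCAL Domain Admins SID returns the two events that end on that group, and nothing from the DEV domain because its Domain Admins group has a different SID.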

Review cases, alerts, and events

Use the following workflow to inspect the findings created by the connector.
Step 1: Open the Cases page

With alert grouping configured, the connector creates one case per domain. Each case contains one alert per distinct BloodHound Enterprise finding or path title, and the events under each alert capture the details of each Attack Path occurrence.
  1. Open your Google SecOps dashboard.
  2. Select Cases from the navigation menu.
  3. Review the list of cases created by the BloodHound Enterprise connector.
Step 2: Inspect alerts in a case

Each alert corresponds to a distinct BloodHound Enterprise finding or path title.
  1. Open the case for the domain that you want to investigate.
  2. Review the alerts in that case.
  [Screenshot: Google SecOps case showing alerts generated from BloodHound Enterprise findings.]
Step 3: Inspect events in an alert

Event details include the step-by-step path traversal and identifiers such as the object_id of each node on the path.
  1. Open an alert in the case.
  2. Review the events listed under that alert.
  [Screenshot: Google SecOps alert showing the events generated for a BloodHound Enterprise finding.]
  3. Double-click an event to open the full Attack Path details.
  [Screenshot: Google SecOps event details view showing Attack Path traversal data.]

Work with playbooks

The BloodHound Attack Path Alerts Playbook can run against the generated cases. You can also create your own playbook to extend the workflow in Google SecOps.
[Screenshot: Google SecOps playbook tab for a generated BloodHound Enterprise case.]
Step 1: Create a custom playbook

  1. Go to Response > Playbooks.
  2. Click the add (+) icon.
  [Screenshot: Google SecOps Playbooks page showing the add icon.]
  3. Select Playbook as the type and click Create.
  [Screenshot: Google SecOps dialog for selecting Playbook as the item type.]
  4. Build the custom playbook by adding components from Actions, Triggers, Blocks, and Flows.
  [Screenshot: Google SecOps playbook editor showing available actions, triggers, blocks, and flows.]
Step 2: Review playbook results

After Google SecOps creates the cases, one playbook runs for each case. The following example shows the consolidated playbook results for one case.
[Screenshot: Playbook results for a generated BloodHound Enterprise case in Google SecOps.]

Run BloodHound Enterprise actions

The integration includes on-demand actions that help analysts enrich investigations with data from BloodHound Enterprise.
Action and description:
  Ping: Verifies connectivity to the BloodHound Enterprise server.
  Get Object Id: Retrieves the object ID for a named node, such as a user, group, or computer.
  Does Path Exist: Checks whether a shortest path exists between two specified nodes in the BloodHound Enterprise graph.
  Fetch Assets: Retrieves detailed information about an asset based on its object ID.
  Path Does Not Exist: Logs that no shortest path exists between the specified nodes.
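As an added example (not the integration's code and not SpecterOps' client), the following Python shows what Get Object Id and Does Path Exist amount to against the BloodHound Enterprise API: sign a request with the bhesignature HMAC scheme, resolve a node name to its object ID, and ask for a shortest path between two object IDs. The endpoint paths (/api/v2/search and /api/v2/graphs/shortest-path), the "404 means no path" behaviour and the three-stage HMAC-SHA256 signing chain are assumptions taken from the BloodHound CE API and SpecterOps' published example client; verify them against your tenant's API documentation before relying on them. The base URL, token ID and key, names, SIDs and responses are constructed. Note that the graph is directed, so the path check is from the start node to the end node; the reverse direction is a different question.

```python
import base64
import datetime
import hashlib
import hmac
import json
from urllib.parse import quote, urlsplit


def sign_request(token_id, token_key, method, uri, body=b"", when=None):
    """Build 'bhesignature' auth headers.
    Assumption: HMAC-SHA256 keyed on the token key over method+URI, then
    re-keyed over the timestamp truncated to the hour, then over the body."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    stamp = when.isoformat("T")
    digest = hmac.new(token_key.encode(), f"{method}{uri}".encode(), hashlib.sha256).digest()
    digest = hmac.new(digest, stamp[:13].encode(), hashlib.sha256).digest()
    digest = hmac.new(digest, body or b"", hashlib.sha256).digest()
    return {"Authorization": f"bhesignature {token_id}", "RequestDate": stamp,
            "Signature": base64.b64encode(digest).decode(), "Content-Type": "application/json"}


class BHEClient:
    """transport(method, url, headers, body) -> (status, body_bytes), so the same
    logic runs over real HTTP or the offline fake below."""

    def __init__(self, base_url, token_id, token_key, transport):
        self.base_url, self.token_id, self.token_key = base_url.rstrip("/"), token_id, token_key
        self.transport = transport

    def _get(self, uri):
        headers = sign_request(self.token_id, self.token_key, "GET", uri)
        return self.transport("GET", self.base_url + uri, headers, None)

    def get_object_id(self, name):
        # Assumed endpoint: GET /api/v2/search?q=<name>; insist on one exact name match
        # so a prefix hit (JDOE vs JDOE2) cannot silently return the wrong principal.
        status, body = self._get(f"/api/v2/search?q={quote(name)}")
        if status != 200:
            raise RuntimeError(f"search failed: HTTP {status}")
        exact = [m for m in json.loads(body)["data"] if m.get("name", "").upper() == name.upper()]
        if len(exact) != 1:
            raise LookupError(f"{name}: expected one exact match, got {len(exact)}")
        return exact[0]["objectid"]

    def does_path_exist(self, start_object_id, end_object_id):
        # Assumed endpoint: GET /api/v2/graphs/shortest-path?start_node=..&end_node=..
        # Directed: start -> end. 404 is assumed to mean "no path"; anything else is an error.
        uri = (f"/api/v2/graphs/shortest-path?start_node={quote(start_object_id)}"
               f"&end_node={quote(end_object_id)}")
        status, _ = self._get(uri)
        if status == 200:
            return True
        if status == 404:
            return False
        raise RuntimeError(f"shortest-path failed: HTTP {status}")


def urllib_transport(method, url, headers, body):
    """Real transport for a tenant (not exercised offline)."""
    import urllib.error, urllib.request
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed responses standing in for a tenant; not real BloodHound Enterprise data.
FAKE = {
    "/api/v2/search?q=JDOE%40CORP.LOCAL": (200, {"data": [
        {"objectid": "S-1-5-21-1-2-3-1105", "type": "User", "name": "JDOE@CORP.LOCAL"},
        {"objectid": "S-1-5-21-1-2-3-1106", "type": "User", "name": "JDOE2@CORP.LOCAL"}]}),
    "/api/v2/search?q=DOMAIN%20ADMINS%40CORP.LOCAL": (200, {"data": [
        {"objectid": "S-1-5-21-1-2-3-512", "type": "Group", "name": "DOMAIN ADMINS@CORP.LOCAL"}]}),
    "/api/v2/graphs/shortest-path?start_node=S-1-5-21-1-2-3-1105&end_node=S-1-5-21-1-2-3-512":
        (200, {"data": {"nodes": {}, "edges": []}}),
    "/api/v2/graphs/shortest-path?start_node=S-1-5-21-1-2-3-512&end_node=S-1-5-21-1-2-3-1105":
        (404, {"errors": [{"message": "Path not found"}]}),
}


def fake_transport(method, url, headers, body):
    if not headers.get("Authorization", "").startswith("bhesignature "):
        return 401, b"{}"
    parts = urlsplit(url)
    status, payload = FAKE.get(f"{parts.path}?{parts.query}", (404, {}))
    return status, json.dumps(payload).encode()


def demo():
    client = BHEClient("https://bhe.example.com", "example-token-id", "example-token-key", fake_transport)
    user = client.get_object_id("JDOE@CORP.LOCAL")
    group = client.get_object_id("DOMAIN ADMINS@CORP.LOCAL")
    return {"user": user, "group": group,
            "user_to_group": client.does_path_exist(user, group),
            "group_to_user": client.does_path_exist(group, user)}


if __name__ == "__main__":
    print(demo())
```

To run this against a tenant, pass urllib_transport and a real API token ID and key instead of fake_transport; the fake only serves the constructed responses above, which is why the user-to-group check returns True and the reverse returns False.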