Applies to BloodHound Enterprise only The BloodHound Enterprise Splunk app ingests your BloodHound Enterprise data into Splunk.
  • Use the dashboards to track the Active Directory and Azure attack paths of your environment
  • Create alerts to detect when new attack paths emerge or exposure increases
  • Enrich your SIEM data with information about the attack paths to and from principals
Note: Version 2.0+ introduces ingest of BHE Audit Log data. To successfully ingest this data the BHE API user must be assigned the ‘Administrator’ role in BHE.

Installation

  1. Log into your Splunk installation and click on the Find More Apps button.
  1. Search for “BloodHound Enterprise” and hit Enter. The first result should be the app.
  1. Click Install. If not already logged in, you will be prompted for your Splunk.com username and password.
  1. After installation completes, click Open the App.
  1. The App will prompt you to configure itself. Click Continue to the app setup page.
  1. If you have not already, create an API key/ID pair, following Create a non-personal API Key/ID pair
    • The API user must at least have the read-only role. The Administrator role is required to collect BloodHound Enterprise audit logs.
  2. In the setup screen, enter your BloodHound Enterprise domain name (CODENAME.bloodhoundenterprise.io), the API key/ID pair you created and click Submit Please note the warning—the initial collection can take some time, particularly for longer-term BloodHound Enterprise customers.

Create Index (Splunk cloud only)

The index “bhe-splunk-app” will be created automatically if running Splunk on-prem.
  1. In Splunk Web, go to Settings > Indexes.
  2. On the Indexes page, click New Index.
  3. On the New Index page, in the Index Name field, enter “bhe-splunk-app”.
  4. Click Save.

Enable Data Input

  1. In Splunk Web, go to Settings > Data inputs.
  1. Scroll down, locate, and click on BloodHound Enterprise.
  1. Click Enable to enable the data input.
Data will now begin flowing into the environment. You can monitor this progress through Splunk itself with the following query: 
index=_internal source="*splunkd.log" "BHE "

Customize Index

  1. Update Data Input
    1. In Splunk Web, go to Settings -> Data Inputs
    2. Click BloodHound Enterprise
    3. Click Input
    4. Click More Settings & select preferred index from the drop-down.
    5. Click Save
  2. Update Search Macro
    1. In Splunk Web, go to Settings -> Advanced Search
    2. Click Search Macros
    3. For App, Select BloodHound Enterprise
    4. Click bhe_index
    5. Update the Definition to match the custom index name. Example: index=<custom index name>
    6. Click Save