SpecterOps is built on community. Our strategic integrations enable BloodHound Enterprise customers to extend identity to proactively secure and manage their Active Directory, Entra ID, and hybrid environments and respond faster to threats. The sections below describe officially supported integrations, third-party integrations, and community-developed integrations.
Officially supported integrations
The following integrations are officially supported by SpecterOps.
Axonius
The Axonius integration enables Axonius users to fetch and catalog users and devices from BloodHound Enterprise, providing visibility into identity relationships and potential attack paths.
Supported actions
Fetch BloodHound Enterprise Attack Path Details:
All Tier Zero Assets
All Computer Admin Users
All Users with RDP Access
Assets by Attack Path
Only Enabled Users
Common use cases
Identify which identities hold administrative or privileged access rights within the environment.
Discover users who hold administrative or privileged access rights within the environment, and any associated devices where that user has admin rights.
Identify devices and assets that are within an attack path.
Cortex XSOAR
The BloodHound Enterprise integration for Cortex XSOAR lets you ingest and manage BloodHound Enterprise attack path findings in Cortex XSOAR as incidents.
Splunk SIEM
The BHE Splunk SIEM App enables customers to ingest Path, Posture, and Impacted Principals data into Splunk. The app also includes pre-built dashboards and alerts for Exposure, Path Details, and Impacted Principals.
Supported actions
Ability to ingest Attack Path Finding Details.
Pull information related to an asset from the API.
Use BloodHound Enterprise data to examine a path between two objects.
Common use cases
Use the dashboards to track and report on Active Directory and Azure attack paths in your environment and exposure over time.
Create alerts to detect when new attack paths emerge, or your exposure increases.
Enrich your SIEM with BloodHound Enterprise’s Attack Path details.
Splunk SOAR
The BloodHound Enterprise Splunk SOAR integration includes the ability to pull findings into a Splunk SOAR environment, as well as to enrich alerts from other platforms with data from BloodHound Enterprise.
Supported actions
Pull findings from BloodHound Enterprise attack paths.
Common use cases
Enrich existing alerts with BloodHound Enterprise attack path findings and object descriptions.
Receive alerts for increases to attack paths, tier zero assets, and domain exposure.
Enable defenders to see all attack path findings from BloodHound as Splunk SOAR events.
Leverage BloodHound Enterprise findings to remediate and remove attack paths.
ServiceNow
The BloodHound Enterprise ServiceNow integration provides the ability to generate tickets to track and monitor vulnerabilities within environments, as identified by BloodHound Enterprise.
Supported actions
Integration with ServiceNow’s Security Incident Response (SIR) module.
Ability to generate tickets to track and monitor vulnerabilities within your environments, as identified by BloodHound Enterprise.
Common use cases
Create ticketing workflows for attack path resolution.
Monitor identity vulnerabilities over time.
Allow integration of BloodHound Enterprise findings and remediation tasks into existing ServiceNow SIR workflows.
ServiceNow Vulnerability Response
The Vulnerability Response (VR) integration for BloodHound Enterprise enables organizations to seamlessly connect their BloodHound Enterprise tenant with ServiceNow’s Vulnerability Response capabilities, providing automated vulnerable item creation and management based on attack path findings.
Third-party integrations
The following integrations are developed by third-party vendors and are not officially supported by SpecterOps.
Cisco Duo
Add two-factor authentication and flexible security policies to BloodHound Enterprise SAML 2.0 logins with Duo Single Sign-On. Our cloud-hosted SSO identity provider offers inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt.
Supported actions
Duo SSO prompts users for two-factor authentication and performs endpoint assessment and verification before permitting access to BloodHound Enterprise.
Define policies that enforce unique controls for accessing BloodHound Enterprise.
Common use cases
Provides an additional layer of security for users accessing the BloodHound Enterprise platform.
Quest OnDemand Audit
Integrating with SpecterOps BloodHound Enterprise helps you reduce the risk of attacks by enabling you to easily identify, prioritize, and eliminate the most vital avenues that attackers can exploit.
Supported actions
Quest OnDemand Audit ingests BloodHound Enterprise’s defined Tier Zero assets.
Identify all critical Tier Zero assets via BloodHound Enterprise and automatically monitor them for suspicious activity through integration with OnDemand Audit.
Leverage OnDemand Audit’s detailed user activity history to inspect BloodHound Enterprise’s attack path edges before removing access to a path, ensuring there are no unexpected consequences to remediation.
Create alert-enabled searches for historical changes to Tier Zero objects to ensure real-time monitoring of critical assets.
Integration instructions
To integrate BloodHound Enterprise with Quest OnDemand Audit, use the link below.