BloodHound Integrations

SpecterOps is built on community. Our strategic integrations enable BloodHound Enterprise customers to extend identity to proactively secure and manage their Active Directory, Entra ID, and hybrid environments and respond faster to threats. The sections below describe officially supported integrations, third-party integrations, and community-developed integrations.

Supported integrations

The following integrations are officially supported by SpecterOps.

Axonius

The Axonius integration enables Axonius users to fetch and catalog users and devices from BloodHound Enterprise, providing visibility into identity relationships and potential attack paths.
Supported actions: Fetch BloodHound Enterprise Attack Path Details:
  • All Tier Zero Assets
  • All Computer Admin Users
  • All Users with RDP Access
  • Assets by Attack Path
  • Only Enabled Users
Common use cases
  • Identify which identities hold administrative or privileged access rights within the environment.
  • Discover users who hold administrative or privileged access rights within the environment, and any associated devices where that user has admin rights.
  • Identify devices and assets that are within an attack path.
Integration instructions: Configure the Axonius adapter for BloodHound

AzureHound Managed Application

Collect Azure and Entra ID data via a managed application for use in BloodHound Enterprise. This is an alternative to the AzureHound data collection method.
See the AzureHound system requirements for a comparison.
Supported actions: This application uses a managed identity, rather than username/password or certificate-based authentication, to collect data from Azure Graph APIs, Azure Resource Manager, and Entra ID.

This data is used to map and manage identity attack paths within an Azure tenant through BloodHound Enterprise.
Installation instructions: AzureHound Managed Application on Microsoft Marketplace

Palo Alto XSOAR

The BloodHound Enterprise integration for Cortex XSOAR lets you ingest and manage BloodHound Enterprise attack path findings in Cortex XSOAR as incidents.
Supported actions
  • Automatically convert BloodHound Enterprise attack path findings into Cortex XSOAR incidents.
  • Attach remediation guidance and posture context to incidents.
  • Run playbooks and custom commands to analyze, triage, and remediate findings.
Common use cases
  • Automated incident creation with titles, descriptions, remediation guidance, impact/exposure metrics, severity, and domain/environment context.
  • Playbook linking per incident to run custom analysis commands.
Custom commands
  • Object ID lookup by name.
  • Asset information by object ID.
  • Path analysis between two nodes in the BloodHound graph.
Integration instructions: Configure the Cortex XSOAR integration

Splunk SIEM

The BHE Splunk SIEM App enables customers to ingest Path, Posture, and Impacted Principals data into Splunk. The app also includes pre-built dashboards and alerts for Exposure, Path Details, and Impacted Principals.
Supported actions
  • Ability to ingest Attack Path Finding Details.
  • Pull information related to an asset from the API.
  • Use BloodHound Enterprise data to examine a path between two objects.
Common use cases
  • Use the dashboards to track and report on Active Directory and Azure attack paths in your environment and exposure over time.
  • Create alerts to detect when new attack paths emerge, or your exposure increases.
  • Enrich your SIEM with BloodHound Enterprise’s Attack Path details.
Integration instructions: Integrate BloodHound Enterprise with Splunk

Splunk SOAR

The BloodHound Enterprise Splunk SOAR integration includes the ability to pull findings into a Splunk SOAR environment, as well as to enrich alerts from other platforms with data from BloodHound Enterprise.
Supported actions: Pull findings from BloodHound Enterprise attack paths.
Common use cases
  • Enrich existing alerts with BloodHound Enterprise attack path findings and object descriptions.
  • Receive alerts for increases to attack paths, tier zero assets, and domain exposure.
  • Enable defenders to see all attack path findings from BloodHound as Splunk SOAR events.
  • Leverage BloodHound Enterprise findings to remediate and remove attack paths.
Integration instructions: Integrate BloodHound Enterprise with Splunk SOAR
FedRAMP: Yes

ServiceNow (SIR)

The BloodHound Enterprise ServiceNow integration provides the ability to generate tickets to track and monitor vulnerabilities within environments, as identified by BloodHound Enterprise.
Supported actions
  • Integration with ServiceNow’s Security Incident Response (SIR) module.
  • Ability to generate tickets to track and monitor vulnerabilities within their environments, as identified by BloodHound Enterprise.
Common use cases
  • Create ticketing workflows for attack path resolution.
  • Monitor identity vulnerabilities over time.
  • Allow integration of BloodHound Enterprise findings and remediation tasks into existing ServiceNow SIR workflows.
Integration instructions: ServiceNow integration instructions
FedRAMP: Yes
Supplemental information: YouTube video

ServiceNow (VR)

The Vulnerability Response (VR) integration for BloodHound Enterprise enables organizations to seamlessly connect their BloodHound Enterprise tenant with ServiceNow’s Vulnerability Response capabilities, providing automated vulnerable item creation and management based on attack path findings.
Supported actions
  • Automatically import BloodHound Enterprise attack path findings.
  • Integrate with ServiceNow’s Vulnerability Response (VR) framework.
  • Use a guided setup wizard for streamlined configuration.
  • Support multiple environments with configurable filtering.
  • Synchronize data with the BloodHound API in real time.
  • Visualize findings in ServiceNow’s Vulnerability Manager Workspace.
  • Run scheduled and on-demand data imports.
Common use cases
  • Reduce attack surface by identifying critical Active Directory vulnerabilities.
  • Prioritize remediation based on exploitability.
  • Centralize security management within ServiceNow.
  • Automate vulnerability tracking and reporting.
  • Use attack path analysis to support remediation decisions.
Integration instructions: ServiceNow VR integration instructions

Third-party integrations

The following integrations are developed by third-party vendors and are not officially supported by SpecterOps.

Cisco Duo

Add two-factor authentication and flexible security policies to BloodHound Enterprise SAML 2.0 logins with Duo Single Sign-On. Our cloud-hosted SSO identity provider offers inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt.
Supported actions
  • Duo SSO prompts users for two-factor authentication and performs endpoint assessment and verification before permitting access to BloodHound Enterprise.
  • Define policies that enforce unique controls for accessing BloodHound Enterprise.
Common use cases: Provides an additional layer of security for users accessing the BloodHound Enterprise platform.
Integration instructions: Configure single sign-on
FedRAMP: Yes

Quest On Demand Audit

Integrating with SpecterOps BloodHound Enterprise helps you reduce the risk of attacks by enabling you to easily identify, prioritize, and eliminate the most vital avenues that attackers can exploit.
Supported actions
  • Quest On Demand Audit ingests BloodHound Enterprise’s defined Tier Zero assets.
  • Quest On Demand Audit ingests BloodHound Enterprise’s attack path edge data.
Common use cases
  • Identify all critical Tier Zero assets via BloodHound Enterprise and automatically monitor them for suspicious activity through integration with On Demand Audit.
  • Leverage On Demand Audit’s detailed user activity history to inspect BloodHound Enterprise’s attack path edges before removing access to a path, ensuring there are no unexpected consequences of remediation.
  • Create alert-enabled searches for historical changes to Tier Zero objects to ensure real-time monitoring of critical assets.
Integration instructions
FedRAMP: No
Supplemental information
  • Built-in BloodHound Tier Zero asset searches.
  • Monitoring audit health status.

Community integrations

The following integrations are developed by the BloodHound community and are not officially supported by SpecterOps.

wineventhound

by @RantaSec

FalconHound

by @falconforceteam

ServiceHound

by @Eli4m

Please share your integrations with us in the BloodHound Gang community Slack.