> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.
# API and Integrations
> Leverage BloodHound's REST API and third-party integrations to extend functionality and maximize your security infrastructure investments.
export const SO_Icon = ({size = 20}) => {
return ;
};
## BloodHound API
BloodHound Enterprise includes a REST API that allows you to programmatically interact with your BloodHound data and automate various tasks.
## BloodHound Integrations
SpecterOps is built on community. Our strategic integrations enable BloodHound Enterprise customers to extend identity Attack Path Management to proactively secure and manage their Active Directory, Entra ID, and hybrid environments and respond faster to threats.
The sections below describe officially supported integrations, third-party integrations, and community-developed integrations.
### Supported integrations
The following integrations are officially supported by SpecterOps.
The Axonius integration enables Axonius users to fetch and catalog users and devices from BloodHound Enterprise, providing visibility into identity relationships and potential attack paths.
| | |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Supported actions** | Fetch BloodHound Enterprise Attack Path Details:
All Tier Zero Assets
All Computer Admin Users
All Users with RDP Access
Assets by Attack Path
Only Enabled Users
|
| **Common use cases** |
Identify which identities hold administrative or privileged access rights within the environment.
Discover users who hold administrative or privileged access rights within the environment, and any associated devices where that user has admin rights.
Identify devices and assets that are within an attack path.
|
| **Integration instructions** | Configure the Axonius adapter for BloodHound |
The BloodHound Enterprise integration for Cortex XSOAR lets you ingest and manage BloodHound Enterprise attack path findings in Cortex XSOAR as incidents.
| | |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Supported actions** |
Attach remediation guidance and posture context to incidents.
Run playbooks and custom commands to analyze, triage, and remediate findings.
|
| **Common use cases** |
Automated incident creation with titles, descriptions, remediation guidance, impact/exposure metrics, severity, and domain/environment context.
Playbook linking per incident to run custom analysis commands.
|
| **Custom commands** |
Object ID lookup by name.
Asset information by object ID.
Path analysis between two nodes in the BloodHound graph.
|
| **Integration instructions** | Configure the Cortex XSOAR integration |
The BHE Splunk SIEM App enables customers to ingest Path, Posture, and Impacted Principals data into Splunk. The app also includes pre-built dashboards and alerts for Exposure, Path Details, and Impacted Principals.
| | |
| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Supported actions** |
Ability to ingest Attack Path Finding Details.
Pull information related to an asset from the API.
Use BloodHound Enterprise data to examine a path between two objects.
|
| **Common use cases** |
Use the dashboards to track and report on Active Directory and Azure attack paths in your environment and exposure over time.
Create alerts to detect when new attack paths emerge, or your exposure increases.
Enrich your SIEM with BloodHound Enterprise's Attack Path details.
|
| **Integration instructions** | Integrate BloodHound Enterprise with Splunk |
The BloodHound Enterprise Splunk SOAR integration includes the ability to pull findings into a SplunkSOAR environment, as well as to enrich alerts from other platforms via data from BloodHound Enterprise.
| | |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Supported actions** | Pull findings from BloodHound Enterprise attack paths. |
| **Common use cases** |
Enrich existing alerts with BloodHound Enterprise attack path findings and object descriptions.
Receive alerts for increases to attack paths, tier zero assets, and domain exposure.
Enable defenders to see all attack path findings from BloodHound as Splunk SOAR events.
Leverage BloodHound Enterprise findings to remediate and remove attack paths.
|
| **Integration instructions** | Integrate BloodHound Enterprise with Splunk SOAR |
| **FedRAMP** | Yes |
The BloodHound Enterprise ServiceNow integration provides the ability to generate tickets to track and monitor vulnerabilities within environments, as identified by BloodHound Enterprise.
| | |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Supported actions |
Integration with ServiceNow's Security Incident Response (SIR) module.
Ability to generate tickets to track and monitor vulnerabilities within their environments, as identified by BloodHound Enterprise.
|
| Common use cases |
Create ticketing workflows for attack path resolution.
Monitor identity vulnerabilities over time.
Allow integration of BloodHound Enterprise findings and remediation tasks into existing ServiceNow SIR workflows.
|
| Integration instructions | ServiceNow integration instructions |
| FedRAMP | Yes |
| Supplemental information | YouTube video |
The Vulnerability Response (VR) integration for BloodHound Enterprise enables organizations to seamlessly connect their BloodHound Enterprise tenant with ServiceNow's Vulnerability Response capabilities, providing automated vulnerable item creation and management based on attack path findings.
| | |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Supported actions |
Integrate with ServiceNow's Vulnerability Response (VR) framework.
Use a guided setup wizard for streamlined configuration.
Support multiple environments with configurable filtering.
Synchronize data with the BloodHound API in real time.
Visualize findings in ServiceNow's Vulnerability Manager Workspace.
Run scheduled and on-demand data imports.
|
| Common use cases |
Reduce attack surface by identifying critical Active Directory vulnerabilities.
Prioritize remediation based on exploitability.
Centralize security management within ServiceNow.
Automate vulnerability tracking and reporting.
Use attack path analysis to support remediation decisions.
|
| Integration instructions | ServiceNow VR integration instructions |
### Third-party integrations
The following integrations are developed by third-party vendors and are not officially supported by SpecterOps.
Add two-factor authentication and flexible security policies to BloodHound Enterprise SAML 2.0 logins with Duo Single Sign-On. Our cloud-hosted SSO identity provider offers inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt.
| | |
| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Supported actions** |
Duo SSO prompts users for two-factor authentication and performs endpoint assessment and verification before permitting access to BloodHound Enterprise.
Define policies that enforce unique controls for accessing BloodHound Enterprise.
|
| **Common use cases** | Provides an additional layer of security for users accessing the BloodHound Enterprise platform. |
| **Integration instructions** | Configure single sign-on |
| **FedRAMP** | Yes |
Integrating with SpecterOps BloodHound Enterprise helps you reduce the risk of attacks by enabling you to easily identify, prioritize, and eliminate the most vital avenues that attackers can exploit.
| | |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Supported actions** |
Quest OnDemand Audit ingests BloodHound Enterprise's defined Tier Zero assets.
Identify all critical Tier Zero assets via BloodHound Enterprise and automatically monitor them for suspicious activity through integration with OnDemand Audit.
Leverage OnDemand Audit's detailed user activity history to inspect BloodHound Enterprise's attack path edges before removing access to a path, ensuring there are no unexpected consequences to remediation.
Create alert-enabled searches for historical changes to Tier Zero objects to ensure real-time monitoring of critical assets.
|
| **Integration instructions** |
To integrate BloodHound Enterprise with Quest OnDemand Audit, use the link below.
|
| **FedRAMP** | No |
| **Supplemental information** |
Built-in BloodHound Tier Zero asset searches.
Monitoring audit health status.
|
### Community integrations
The following integrations are developed by the BloodHound community and are not officially supported by SpecterOps.
by @RantaSec
by @falconforceteam
by @Eli4m
Please share your integrations with us in the [BloodHound Gang community Slack](/resources/community-support/getting-help).