Applies to BloodHound Enterprise only

The Security Incident Response (SIR) integration for BloodHound Enterprise supports the following use cases:
  • Create SIR ticketing workflows for BloodHound Enterprise attack path findings
  • Integrate BloodHound Enterprise attack path findings into existing ticketing workflows
  • Monitor identity vulnerabilities over time

Prerequisites

Before you begin the installation and configuration process, ensure the following prerequisites are met:

Install the application

Installing the BloodHound Enterprise app on ServiceNow involves the following steps:

1. Log in to ServiceNow

  1. Log in to your ServiceNow instance as an admin.
  2. Click System Applications > All Available Applications > All.

2. Search the ServiceNow Store

  1. In the search bar, enter SpecterOps BloodHound to find the app.
  2. Select the app from the search results.

3. Install the app

  1. Click Install to install the app on your ServiceNow instance.
  2. Follow the prompts to complete the installation.

Create an application user

The integration requires creating a user and assigning the role.

1. Create a new user

The integration runs on behalf of the user account that you create in this step. It should be a dedicated service account associated with the non-personal API key/ID pair you created in BloodHound Enterprise.
  1. Click All > User Administration > Users.
  2. Click New.
  3. Enter required user details.
  4. Click Submit.

2. Assign the required role

The user must have the role to perform necessary actions, such as creating and updating ServiceNow tickets.
  1. In the Roles related list, click Edit.
  2. In the Collection list, select the role and click Add.
  3. Click Save.

Configure the application

The integration provides a guided setup experience to connect to BloodHound Enterprise, filter attack path types, configure field mapping, and set the import schedule. Follow the steps below to complete the configuration.

1. Change application scope

Before starting the configuration, change the application scope to to ensure that you have access to all necessary components and configurations.
  1. Click the (globe) icon in the top-right corner and select Application Scope.
  2. In the search filter, enter and select it.

2. Connect to BloodHound Enterprise

The first step in the guided setup is to connect to your BloodHound Enterprise tenant by providing the tenant URL and API credentials.
  1. In the top-left corner of ServiceNow, click All.
  2. In the search box, enter and select .
  3. Click Get Started in the Connect to SpecterOps BloodHound section to start the configuration process.
  4. Click Configure.
  5. Click New to add credentials.
  6. Enter your BloodHound Enterprise tenant URL, token key, and token ID and click Submit. The token key and ID refer to the non-personal API key/ID pair you created in BloodHound Enterprise. The tenant URL is the URL you use to access your BloodHound Enterprise tenant.
  7. Click the (close) icon.
  8. Click Mark as Complete to proceed to the next configuration step.

3. Filter attack path types

Next, configure filters to specify which attack path findings should create ServiceNow tickets. You can filter by environment and attack type to control the scope of findings that generate incidents.
  1. Click Get Started in the Filter Attack Path Types section.
  2. Click Configure to select environments.
  3. Click New.
  4. Click the (lock) icon to select a single environment.
    Alternatively, click the Select All Environments checkbox to select every environment at once.
  5. After clicking the (lock) icon, click the (search) icon to display a list of available environments.
  6. Click an environment to select it.
    You must repeat steps 4-6 for each environment that you want to include.
  7. After selecting all required environments, click Submit.
  8. Click the (close) icon.
  9. Click Mark as Complete.
  10. Scroll down the page to the Filter Configuration section and click Configure.
  11. Click an environment to update the default configuration.
  12. Edit the fields as required.
  13. Click the Select All Attack Types checkbox to update finding types.
  14. Click Update to save the configuration.
  15. Click the (close) icon.
  16. Click Mark as Complete.

4. Configure field mapping

Field mapping allows you to specify how BloodHound Enterprise attack path finding fields map to ServiceNow SIR ticket fields. You can use the default mapping or customize it as needed.
  1. Click Get Started in the SpecterOps to ServiceNow Field Mapping section.
  2. Click Configure to review the mapping. Update it if necessary, or use the default mapping.
    The following table describes the default field mapping:
    | SpecterOps BloodHound Fields | ServiceNow SIR Fields |
    |------------------------------|-----------------------|
    | id                           | correlation id        |
    | composite risk               | risk score            |
    | description + remediation    | description           |
    | domain name + title + id     | short description     |
    | from principal               | contact type          |
    | server url                   | external url          |
  3. Click the (close) icon.
  4. Click Mark as Complete.

5. Configure import schedule

The final step in the guided setup is to configure the import schedule to specify how often the integration should fetch attack path findings from BloodHound Enterprise and create ServiceNow tickets.
  1. Click Get Started in the Configure Import Schedule section.
  2. Click Configure to schedule an import.
  3. Click the Run dropdown menu and select one of the available options.
  4. Enter frequency details and click Update.
    You can also click Execute Now to run the import immediately.
  5. Click the (close) icon.
  6. Click Mark as Complete.

The configuration is now complete. The integration will start fetching attack path findings from BloodHound Enterprise based on the configured schedule and create ServiceNow tickets accordingly.

Next steps

View and manage SIR tickets created from BloodHound Enterprise attack path findings in ServiceNow.