Skip to main content
Applies to BloodHound Enterprise only The Vulnerability Response (VR) integration for BloodHound Enterprise enables organizations to seamlessly connect their BloodHound Enterprise tenant with ServiceNow’s Vulnerability Response capabilities, providing automated vulnerable item creation and management based on attack path findings.

Prerequisites

Before you begin the installation and configuration process, ensure the following prerequisites are met:
TypeRequirements
System
Network
  • Network connectivity between the ServiceNow instance and BloodHound Enterprise API endpoints
  • Outbound HTTPS (port 443) access from ServiceNow to your BloodHound tenant
  • Proper firewall configurations to allow API communications
Knowledge
  • Basic understanding of ServiceNow administration
  • Familiarity with the BloodHound Enterprise platform
  • Knowledge of API integrations and security best practices

Install the ServiceNow app

Installing the BloodHound Enterprise app on ServiceNow involves the following steps:
1

Log in to ServiceNow

  1. Log in to your ServiceNow instance as an admin.
  2. Click System Applications > All Available Applications > All.
2

Search the ServiceNow Store

  1. In the search bar, enter SpecterOps BloodHound to find the app.
  2. Select the app from the search results.
3

Install the app

  1. Click Install to install the app on your ServiceNow instance.
  2. Follow the prompts to complete the installation.

Create an application user

The integration requires creating a user and assigning the role.
1

Create a new user

The integration runs on behalf of the user account that you create in this step. It should be a dedicated service account associated with the non-personal API key/ID pair you created in BloodHound Enterprise.
  1. Click All > User Administration > Users.
  2. Click New.
  3. Enter required user details.
  4. Click Submit.
2

Assign the required role

The user must have the role to perform necessary actions, such as creating and updating ServiceNow tickets.
  1. In the Roles related list, click Edit.
  2. In the Collection list, select the role and click Add.
  3. Click Save.

Configure the application

The integration provides a guided setup experience to connect your ServiceNow instance to BloodHound Enterprise, filter attack path types, and schedule imports. Follow the steps below to complete the configuration.
1

Change application scope

Before starting the configuration, change the application scope to to ensure that you have access to all necessary components and configurations.
  1. Click the (globe) icon in the top-right corner and select Application Scope.
  2. In the search filter, enter and select it.
2

Connect to BloodHound Enterprise

The first step in the guided setup is to connect to your BloodHound Enterprise tenant by providing the tenant URL and API credentials.
  1. In the top-left corner of ServiceNow, click All.
  2. In the search box, enter and select .
  3. Click Get Started in the Connect to SpecterOps BloodHound section to start the configuration process.
  4. Click Configure.
  5. Click New to add credentials.
  6. Enter your BloodHound Enterprise tenant URL, token key, and token ID and click Submit. The token key and ID refer to the non-personal API key/ID pair you created in BloodHound Enterprise. The tenant URL is the URL you use to access your BloodHound Enterprise tenant.
  7. Click the (close) icon.
  8. Click Mark as Complete to proceed to the next configuration step.
3

Filter attack path types

Next, configure filters to specify which attack path findings should create ServiceNow tickets. You can filter by environment and attack type to control the scope of findings that generate incidents.
  1. Click Get Started in the Filter Attack Path Types section.
  2. Click Configure to select environments.
  3. Click New.
  4. Click the (lock) icon to select a single environment.
    Alternatively, click the Select All Environments checkbox to indiscriminately select all environments.
  5. After clicking the (lock) icon, click the (search) icon to display a list of available environments.
  6. Click an environment to select it.
    You must repeat steps 4-6 for each environment that you want to include.
  7. After selecting all required environments, click Submit.
  8. Click the (close) icon.
  9. Click Mark as Complete.
  10. Scroll down the page to the Filter Configuration section and click Configure.
  11. Click an environment to update the default configuration.
  12. Edit the fields as required.
  13. Click the Select All Attack Types checkbox to update finding types.
  14. Click Update to save the configuration.
  15. Click the (close) icon.
  16. Click Mark as Complete.
4

Configure import schedule

The final step in the guided setup is to configure the import schedule to specify how often the integration should fetch attack path findings from BloodHound Enterprise and create ServiceNow tickets.
  1. Click Get Started in the Configure Import Schedule section.
  2. Click Configure to schedule an import.
  3. Click the Run dropdown menu and select one of the available options.
  4. Enter frequency details and click Update.
    You can also click Execute Now to run the import immediately.
  5. Click the (close) icon.
  6. Click Mark as Complete.
The configuration is now complete. The integration will start fetching attack path findings from BloodHound Enterprise based on the configured schedule and create ServiceNow tickets accordingly.

Next steps

Learn how to use the integration to view attack path data from BloodHound Enterprise in ServiceNow’s Vulnerability Manager Workspace.