
# Integrate BloodHound Enterprise with Splunk SIEM

> Learn how to install and configure the BloodHound Enterprise Splunk app to ingest BloodHound Enterprise data into Splunk.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=b682a26b342bde12302ec829e265bdb6" alt="Applies to BloodHound Enterprise only" width="225" height="45" data-path="assets/enterprise-edition-pill-tag.svg" />

The [BloodHound Enterprise Splunk app](https://splunkbase.splunk.com/app/7818) ingests your BloodHound Enterprise data into Splunk.

* Use the dashboards to track the Active Directory and Azure attack paths of your environment
* Create alerts to detect when new attack paths emerge or exposure increases
* Enrich your security information and event management (SIEM) data with information about the attack paths to and from principals in your environment

## Prerequisites

Before you begin the installation and configuration process, ensure the following prerequisites are met:

* Splunk instance (version 9.0.1 or later) and an admin account
* BloodHound Enterprise tenant
* BloodHound Enterprise [non-personal API key/ID pair](/integrations/bloodhound-api/working-with-api#create-a-non-personal-api-key%2Fid-pair) with the **Auditor** role

## Install the app

Installing the BloodHound Enterprise Splunk app involves the following steps:

<Steps>
  <Step title="Navigate to Splunk app management">
    1. Log in to Splunk Enterprise as an admin.
    2. Click **Apps** > **Manage apps**.
  </Step>

  <Step title="Install the BloodHound Enterprise Splunk app">
    Use one of the following methods to install the BloodHound Enterprise Splunk app:

    <Tabs>
      <Tab title="Splunkbase" icon="server">
        Install directly from Splunkbase:

        1. Click **Browse More Apps**.
        2. Search for *BloodHound Enterprise*.
        3. Click **Install**.
        4. Enter your Splunkbase credentials to authorize the download when prompted.
      </Tab>

      <Tab title="Downloaded package" icon="download">
        Install from a downloaded package:

        1. Download the BloodHound Enterprise Splunk app package from [Splunkbase](https://splunkbase.splunk.com/app/7818).
        2. Click **Install App from File**.
        3. Select the downloaded package and click **Upload**.
      </Tab>
    </Tabs>
  </Step>

  <Step title="Restart Splunk">
    After installing the app, restart your Splunk instance to apply the changes.

    <Tip>See [Splunk's documentation](https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.0/welcome-to-splunk-enterprise-administration/start-splunk-enterprise-and-perform-initial-tasks/start-and-stop-splunk-enterprise) for more information.</Tip>
  </Step>
</Steps>

## Configure the app (required)

This section describes the minimum required configuration steps to get the BloodHound Enterprise Splunk app up and running. It involves the following steps:

1. Configure a Splunk index
2. Configure Splunk app API credentials
3. Configure Splunk data inputs

<Note>Optional configurations are available in the [Configure the app (optional)](#configure-the-app-optional) section.</Note>

<Steps>
  <Step title="Configure a Splunk index">
    Create a dedicated index for the BloodHound Enterprise Splunk app data:

    1. Click **Settings** > **Indexes** > **New Index**.
    2. In the **Index Name** field, enter `bhe-splunk-app`.
    3. In the **Data Integrity Check** field, select **Enabled**.
    4. In the **App** field, select **BloodHound Enterprise**.
    5. Click **Save**.

           <Frame>
             <img src="https://mintcdn.com/specterops/1w44dPwHX0hJEUPb/images/integrations/splunk/siem/new-index-config.png?fit=max&auto=format&n=1w44dPwHX0hJEUPb&q=85&s=3426d9f94136f09847b9ad1d432e6892" style={{ width:"70%" }} alt="A view of the Splunk 'New Index' configuration page showing the fields filled out for creating the 'bhe-splunk-app' index." width="600" height="611" data-path="images/integrations/splunk/siem/new-index-config.png" />
           </Frame>
  </Step>

  <Step title="Configure Splunk app API credentials">
    Configure the BloodHound Enterprise Splunk app with your BloodHound Enterprise API credentials.

    <Note>We recommend a [non-personal API key/ID pair](/integrations/bloodhound-api/working-with-api#create-a-non-personal-api-key%2Fid-pair) with the **Auditor** role for the Splunk integration.</Note>

    1. Click **Apps** > **Manage Apps**.

    2. Filter for the BloodHound Enterprise Splunk app and click on it.

    3. Click the **Administration** drop-down menu and select **Configuration**.

    4. Click **Add** to open the **Add Account** screen.

    5. Complete the configuration fields:

       | Field             | Description                                                                          |
       | ----------------- | ------------------------------------------------------------------------------------ |
       | **Account Name**  | Unique name to identify the BloodHound Enterprise account in Splunk                  |
       | **Tenant Domain** | Your BloodHound Enterprise tenant (e.g., `https://mydomain.bloodhoundenterprise.io`) |
       | **Token ID**      | Token ID associated with the BloodHound Enterprise account                           |
       | **Token key**     | Token key associated with the BloodHound Enterprise account                          |

    6. Click **Save** to apply the configuration.

           <Frame>
             <img src="https://mintcdn.com/specterops/1w44dPwHX0hJEUPb/images/integrations/splunk/siem/add-account.png?fit=max&auto=format&n=1w44dPwHX0hJEUPb&q=85&s=541d5abc990fd02caf7a8df80247dbc4" style={{ width:"70%" }} alt="A view of the Splunk 'Add Account' page showing the fields configuring the app's API credentials." width="1546" height="946" data-path="images/integrations/splunk/siem/add-account.png" />
           </Frame>
  </Step>

  <Step title="Configure data inputs">
    Data inputs define what data the BloodHound Enterprise Splunk app collects from the BloodHound Enterprise API.

    <Tip>You can create multiple inputs of the same type, each with different configurations (e.g., different BloodHound Enterprise accounts, indices, and collection intervals).</Tip>

    1. Click **Apps** > **Manage Apps**.

    2. Filter for the BloodHound Enterprise Splunk app and click on it.

    3. Click the **Administration** drop-down menu and select **Inputs**.

    4. Click **Create New Input**.

    5. Select an input type from the drop-down menu.

       The BloodHound Enterprise Splunk app supports the following input types:

           <table style={{ tableLayout: 'auto' }}>
             <thead>
               <tr>
                 <th style={{ textAlign: 'left' }}>Input type</th>
                 <th style={{ textAlign: 'left' }}>Description</th>
               </tr>
             </thead>

             <tbody>
               <tr>
                 <td><strong>Attack Paths</strong></td>
                 <td>Retrieves a list of attack paths from the BloodHound Enterprise API and a list of various findings across a given time range.</td>
               </tr>

               <tr>
                 <td><strong>Audit Logs</strong></td>

                 <td>
                   Retrieves a list of audit logs from the BloodHound Enterprise API.

                   <ul>
                     <li>Requires the API user to have either the <strong>Administrator</strong> or <strong>Auditor</strong> role in BloodHound Enterprise.</li>
                     <li>You can set the "Historical Polling Days" field to retrieve logs from the past N days, starting from the current date.</li>
                     <li>After the app fetches all logs for the specified period, the input continues polling only the latest audit logs.</li>
                     <li>If you need logs from a different time range, you can create a new input and fetch them separately.</li>
                   </ul>
                 </td>
               </tr>

               <tr>
                 <td><strong>Tier Zero Assets</strong></td>
                 <td>Ingests data for all asset members that belong to the Tier Zero privilege zone.</td>
               </tr>

               <tr>
                 <td><strong>Posture Statistics</strong></td>
                 <td>Retrieves a history of statistics stored in the database using the BloodHound Enterprise API.</td>
               </tr>
             </tbody>
           </table>

    6. Complete the configuration fields for the selected input type.

       The following table describes fields that are common across all input types:

       | Field                  | Description                                                                                                                                   |
       | ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
       | **Name**               | Unique name identifying the input                                                                                                             |
       | **Interval**           | Interval (in seconds) at which the input runs                                                                                                 |
       | **Index**              | Index where the BloodHound Enterprise data is stored (`bhe-splunk-app`). You must clear the `default` value and search for the correct index. |
       | **Bloodhound Account** | BloodHound Enterprise account name (configured in Splunk) that will be used to fetch the data                                                 |

    7. Click **Add** to create the input.

           <Frame>
             <img src="https://mintcdn.com/specterops/1w44dPwHX0hJEUPb/images/integrations/splunk/siem/input-config.png?fit=max&auto=format&n=1w44dPwHX0hJEUPb&q=85&s=bf5e9f6b72d3f7cb1e1a8991e20270ac" style={{ width:"70%" }} alt="A view of the Splunk 'Create New Input' configuration page showing the fields filled out for creating a new input." width="1542" height="836" data-path="images/integrations/splunk/siem/input-config.png" />
           </Frame>

       Repeat the above steps to create additional inputs as needed.

       Data will now begin flowing into Splunk. You can monitor this progress from within Splunk with the following query:

       ```spl theme={null}
       index=_internal source="*splunkd.log" "BHE "
       ```
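
    The **Audit Logs** input described in the table above backfills the last *Historical Polling Days* once and afterwards polls only for records newer than what it has already ingested. The following Python script is an added illustration of that checkpointed polling pattern; it is not the app's own code. It uses a constructed in-memory stand-in (`FakeAuditLogApi`) in place of the BloodHound Enterprise API (the real endpoint is paged and request-signed, which is not modelled here), and `AuditLogInput` is a hypothetical model of one data input.

    ```python
    from datetime import datetime, timedelta, timezone


    class FakeAuditLogApi:
        """Constructed stand-in for the BloodHound Enterprise audit-log endpoint.
        Records are (timestamp, event) tuples; this is not the real, signed API."""

        def __init__(self, records):
            self._records = sorted(records, key=lambda r: r[0])

        def append(self, record):
            """Simulate a new audit event being written in the tenant."""
            self._records.append(record)
            self._records.sort(key=lambda r: r[0])

        def list_audit_logs(self, after):
            """Return records strictly newer than `after`, oldest first."""
            return [r for r in self._records if r[0] > after]


    class AuditLogInput:
        """Hypothetical model of one 'Audit Logs' data input: backfill the last
        `historical_polling_days`, then on every later poll fetch only records
        newer than the checkpoint, so nothing is ingested twice."""

        def __init__(self, api, historical_polling_days, now):
            self.api = api
            self.now = now  # injectable clock so the demo is deterministic
            # The checkpoint starts N days in the past; older records are never fetched.
            self.checkpoint = self.now() - timedelta(days=historical_polling_days)
            self.ingested = []

        def poll(self):
            """One scheduled run of the input (the 'Interval' configured in Splunk)."""
            new_records = self.api.list_audit_logs(after=self.checkpoint)
            if new_records:
                # Advance the checkpoint to the newest record seen so far.
                self.checkpoint = new_records[-1][0]
                self.ingested.extend(new_records)
            return [event for _, event in new_records]


    def run_demo():
        """Constructed scenario: four historical events (5, 4, 2 and 1 days old),
        an input with Historical Polling Days = 3, three polls, and one event that
        arrives after the backfill. Returns the events each poll ingested."""
        t0 = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
        history = [(t0 - timedelta(days=d), f"event-{d}d-ago") for d in (5, 4, 2, 1)]
        api = FakeAuditLogApi(history)
        audit_input = AuditLogInput(api, historical_polling_days=3, now=lambda: t0)

        first = audit_input.poll()   # backfill: only the 2-day- and 1-day-old events
        second = audit_input.poll()  # nothing newer than the checkpoint: empty
        api.append((t0 + timedelta(hours=1), "new-event"))
        third = audit_input.poll()   # only the event that arrived after the backfill
        return first, second, third


    if __name__ == "__main__":
        for i, batch in enumerate(run_demo(), start=1):
            print(f"poll {i}: {batch}")
    ```

    The 5- and 4-day-old events are never fetched because they predate the initial checkpoint; to ingest them you would create a second input with a larger *Historical Polling Days* value, which in this model is simply a second `AuditLogInput` with its own checkpoint.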
  </Step>
</Steps>

## Configure the app (optional)

This section describes optional configuration for the BloodHound Enterprise Splunk app, including:

1. Configure a Splunk search macro
2. Configure a Splunk proxy
3. Configure Splunk logging

<Steps>
  <Step title="Configure search macro">
    The BloodHound Enterprise Splunk app includes a [search macro](https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.4/search-macros/use-search-macros-in-searches) (`bhe_index`) that points to the default index where Splunk stores BloodHound Enterprise data (`bhe-splunk-app`).

    <Frame>
      <img src="https://mintcdn.com/specterops/HbCgAIdv_OAN1gyR/images/integrations/splunk/siem/search-macro.png?fit=max&auto=format&n=HbCgAIdv_OAN1gyR&q=85&s=462715ade7e62760c1efbd8d883f3219" alt="A view of the Splunk 'Search Macros' page showing the default 'bhe_index' macro." width="2936" height="434" data-path="images/integrations/splunk/siem/search-macro.png" />
    </Frame>

    To view or modify the search macro:

    1. Click **Settings** > **Advanced search**.
    2. Click **Search macros**.
    3. Filter for `bhe_index`.

       If you used a different index name, edit the macro **Definition** field to match that name.

       ```spl theme={null}
       index=my_custom_bhe_index
       ```

       If you maintain separate indexes per input type, modify the macro definition accordingly. For example:

       ```spl theme={null}
       index=attack_path_index OR index=audit_log_index OR index=posture_stats_index
       ```
  </Step>

  <Step title="Configure a proxy">
    Splunk allows you to configure a proxy to route traffic through an intermediary server. This might be useful for network security and compliance requirements.

    1. Click **Apps** > **Manage Apps**.

    2. Filter for the BloodHound Enterprise Splunk app and click on it.

    3. Click the **Administration** drop-down menu and select **Configuration**.

    4. Click the **Proxy Settings** tab.

    5. Complete the configuration fields:

       | Field          | Description                                                     |
       | -------------- | --------------------------------------------------------------- |
       | **Enable**     | Checkbox to enable or disable the proxy configuration           |
       | **Proxy Type** | Drop-down to choose the type of proxy (http, socks4, socks5)    |
       | **Host**       | Enter the proxy hostname or IP address                          |
       | **Port**       | Specify the port number (e.g., 8080)                            |
       | **Username**   | If authentication is required, enter the username               |
       | **Password**   | If authentication is required, enter the corresponding password |

    6. Click **Save** to apply the proxy settings.

    7. Restart Splunk.

       <Tip>See [Splunk's documentation](https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.0/welcome-to-splunk-enterprise-administration/start-splunk-enterprise-and-perform-initial-tasks/start-and-stop-splunk-enterprise) for more information.</Tip>
  </Step>

  <Step title="Configure logging">
    You can configure logging settings for the BloodHound Enterprise Splunk app to help with troubleshooting and monitoring.

    1. Click **Apps** > **Manage Apps**.

    2. Filter for the BloodHound Enterprise Splunk app and click on it.

    3. Click the **Administration** drop-down menu and select **Configuration**.

    4. Click the **Logging** tab.

    5. Select one of the following options from the **Log level** drop-down menu:

       | Log level   | Description                           |
       | ----------- | ------------------------------------- |
       | **DEBUG**   | Most verbose; use for troubleshooting |
       | **INFO**    | Standard logs (default)               |
       | **WARNING** | Warnings only                         |
       | **ERROR**   | Errors only                           |

    6. Click **Save** to apply the changes.

    The BloodHound Enterprise Splunk app writes logs to:

    ```text theme={null}
    $SPLUNK_HOME/var/log/splunk/ta_bloodhound_enterprise_<input-name>.log
    ```

    You can search logs in Splunk using:

    ```spl theme={null}
    index="_internal" sourcetype="ta_bloodhound_enterprise:log"
    ```

    Use the `tail` command to monitor logs in real-time:

    ```bash theme={null}
    tail -f $SPLUNK_HOME/var/log/splunk/ta_bloodhound_enterprise_<input-name>.log
    ```
  </Step>
</Steps>

## Monitor and troubleshoot

The **BHE Integration Health** dashboard is designed to help you monitor and troubleshoot errors related to the BloodHound Enterprise Splunk app.

This dashboard provides real-time insight into failures of the app so that you can quickly identify and resolve issues. It retrieves and displays error logs with the following Splunk query:

```spl theme={null}
index=bhe-splunk-app sourcetype=BHE:error
```

<Note>This dashboard does not provide filters.</Note>

Here are some recommendations for using the **BHE Integration Health** dashboard to troubleshoot issues:

* Identify the function causing the error in the Detailed Error Logs table
* Look for recurring errors in Error Summary and Top Error Functions
* Apply the relevant steps above based on the error type
* If issues persist, inspect Splunk internal logs

<Note>See [Troubleshooting](/integrations/splunk/siem/troubleshoot) for common issues and resolutions.</Note>

To access the **BHE Integration Health** Dashboard:

1. Log in to Splunk Enterprise as an admin.
2. Click **Apps** > **Manage apps**.
3. Filter for the BloodHound Enterprise Splunk app and click on it.
4. Click the **Administration** drop-down menu and select **BHE Integration Health Dashboard**.

### Error Trend Over Time

This panel shows which functions are generating the most errors in the BloodHound Enterprise Splunk app.

<Frame>
  <img src="https://mintcdn.com/specterops/1w44dPwHX0hJEUPb/images/integrations/splunk/siem/error-trend-over-time.png?fit=max&auto=format&n=1w44dPwHX0hJEUPb&q=85&s=7b7f15f2efd2d73ae24bfe323b5b8920" alt="A view of the Error Trend Over Time panel in the BloodHound Enterprise Splunk app" width="1736" height="366" data-path="images/integrations/splunk/siem/error-trend-over-time.png" />
</Frame>

### Errors by Function

This panel shows a chart of the errors generated by each function of the BloodHound Enterprise Splunk app.

<Frame>
  <img src="https://mintcdn.com/specterops/1w44dPwHX0hJEUPb/images/integrations/splunk/siem/errors-by-function.png?fit=max&auto=format&n=1w44dPwHX0hJEUPb&q=85&s=1618d61758d16599634b7cf40e175031" alt="A view of the Errors by Function panel in the BloodHound Enterprise Splunk app" width="852" height="310" data-path="images/integrations/splunk/siem/errors-by-function.png" />
</Frame>

### Top 10 Frequent Errors

This panel shows a chart of the top ten most frequent error messages occurring in the BloodHound Enterprise Splunk app.

<Frame>
  <img src="https://mintcdn.com/specterops/HbCgAIdv_OAN1gyR/images/integrations/splunk/siem/top-10-frequent-errors.png?fit=max&auto=format&n=HbCgAIdv_OAN1gyR&q=85&s=d7bf7d2c43026f2b16da5bbb1a23ef5e" alt="A view of the Top 10 Frequent Errors panel in the BloodHound Enterprise Splunk app" width="862" height="316" data-path="images/integrations/splunk/siem/top-10-frequent-errors.png" />
</Frame>

### Raw Error Logs

This panel provides a detailed table of raw error logs generated by the BloodHound Enterprise Splunk app, including timestamps, function names, and error messages.

<Frame>
  <img src="https://mintcdn.com/specterops/HbCgAIdv_OAN1gyR/images/integrations/splunk/siem/raw-error-logs.png?fit=max&auto=format&n=HbCgAIdv_OAN1gyR&q=85&s=0b80ade43337acb21eac1cf9c5ebf59d" alt="A view of the Raw Error Logs panel in the BloodHound Enterprise Splunk app" width="1784" height="630" data-path="images/integrations/splunk/siem/raw-error-logs.png" />
</Frame>
