Applies to BloodHound Enterprise only.

Splunk SOAR (formerly Phantom) helps security teams orchestrate tools and automate response workflows. This guide focuses on installing and configuring the BloodHound Enterprise app in Splunk SOAR.
For platform concepts, terminology, and product capabilities, see the Splunk SOAR documentation.
The BloodHound Enterprise for Splunk SOAR app allows you to view attack path findings from BloodHound Enterprise within the Splunk SOAR platform. This integration enables security teams to monitor and respond to potential attack paths in real time using Splunk SOAR's automation capabilities. Integrating BloodHound with Splunk SOAR provides the following advantages:
  • Get real-time visibility into attack path findings: View BloodHound Enterprise findings in Splunk SOAR as they are detected.
  • Automate response playbooks from BloodHound detections: Trigger investigation and containment workflows automatically when BloodHound Enterprise identifies a risk.
  • Reduce manual triage and improve consistency: Standardize repeatable response actions across your existing security tooling.
  • Accelerate mitigation of privilege escalation risks: Use automated tasks to respond to high-impact identity threats faster.

Prerequisites

Before you begin the installation and configuration process, ensure the following prerequisites are met:
  • Admin access to a Splunk SOAR instance
  • Access to a BloodHound Enterprise tenant
  • BloodHound Enterprise non-personal API key/ID pair with the Auditor role

Install the app

Installing the BloodHound Enterprise for Splunk SOAR app involves the following steps:
Step 1: Navigate to Splunk SOAR

  1. Log in to your Splunk SOAR instance as an admin.
  2. Click the Home dropdown in the top-left corner and select Apps.
     [Image: Splunk SOAR home dropdown with Apps option highlighted]
Step 2: Install the app in Splunk SOAR

  1. Enter BloodHound in the app search box.
     [Image: Splunk SOAR app search box]
  2. Click Install.
     [Image: Splunk SOAR install app confirmation]
     After installing the app, you can see it in the Unconfigured Apps section.
     [Image: Splunk SOAR unconfigured apps section]

Configure the app

After installing the BloodHound Enterprise for Splunk SOAR app, you need to configure it to connect to your BloodHound Enterprise tenant and start ingesting attack path findings. The configuration process involves the following steps:
Step 1: Navigate to app configuration

On the Unconfigured Apps page, click Configure New Asset for the BloodHound Enterprise app.
[Image: Splunk SOAR unconfigured apps section with Configure New Asset]
Step 2: Enter asset details

  1. Enter the Asset name and the Asset description.
     [Image: Splunk SOAR BloodHound Enterprise app details page with Configure button highlighted]
  2. Click Save.
Step 3: Configure API credentials

  1. Click Asset Settings to set up the connection to BloodHound Enterprise.
  2. Enter the following details:
     BloodHound Enterprise Domain: the URL you use to access your BloodHound Enterprise tenant.
     Token Key: the token key from your BloodHound Enterprise non-personal API key/ID pair.
     Token ID: the token ID from your BloodHound Enterprise non-personal API key/ID pair.
     [Image: Splunk SOAR BloodHound Enterprise app asset settings page for API credentials configuration with BloodHound Enterprise Domain, Token Key, and Token ID fields]
  3. Click Save.
Step 4: Configure data ingestion

  1. Click Ingest Settings to set up how the app ingests data from BloodHound Enterprise.
  2. Configure the following settings:
     Label to apply to objects from this source: select events to label ingested data as events in Splunk SOAR.
     Select a polling interval or schedule to configure polling on this asset: choose how often the app should poll BloodHound Enterprise for new findings. For testing, you can select Off and use manual polling.
     [Image: Splunk SOAR ingest settings page with Label to apply to objects from this source and Select a polling interval or schedule to configure polling on this asset fields highlighted]
  3. Click Save.
Step 5: Test connectivity

Go back to Asset Settings and click Test Connectivity to verify the configuration.
[Image: Splunk SOAR test connectivity page]
If the configuration is correct, Splunk SOAR confirms that the app is connected successfully, as shown in the following image.
[Image: Splunk SOAR successful connectivity confirmation]
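If Test Connectivity fails, it helps to confirm the Token Key/Token ID pair against the tenant outside Splunk SOAR, so you can tell a credential problem from an app or network problem. The following Python script is an added example, not code from the BloodHound Enterprise for Splunk SOAR app or from this guide. It signs one GET request with the HMAC-SHA256 request-signing scheme described in the BloodHound API documentation and sends it to the same URL you entered in the BloodHound Enterprise Domain field. The /api/v2/self endpoint (assumed to return the calling account and its roles), the environment variable names, and the User-Agent string are assumptions; the SOAR app's own request handling may differ.

```python
"""Verify a BloodHound Enterprise API key/ID pair outside Splunk SOAR.

Added example (not the BloodHound Enterprise for Splunk SOAR app's code). The
signing scheme follows the BloodHound API documentation: a chain of three
HMAC-SHA256 operations over METHOD+URI, the request hour, and the body.
"""
import base64
import datetime
import hashlib
import hmac
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional


def compute_signature(token_key: str, method: str, uri: str,
                      request_date: str, body: Optional[bytes] = None) -> bytes:
    """Return the raw 32-byte signature for one request.

    request_date is the ISO-8601 timestamp that will travel in the RequestDate
    header; only its first 13 characters (YYYY-MM-DDTHH) enter the signature,
    so a signed request is valid for the hour it was made in.
    """
    # Step 1: key the chain with the token key and bind method + path.
    digester = hmac.new(token_key.encode(), None, hashlib.sha256)
    digester.update(f"{method}{uri}".encode())

    # Step 2: re-key with the previous digest and bind the request hour.
    digester = hmac.new(digester.digest(), None, hashlib.sha256)
    digester.update(request_date[:13].encode())

    # Step 3: re-key again and bind the body (empty for GET).
    digester = hmac.new(digester.digest(), None, hashlib.sha256)
    if body is not None:
        digester.update(body)
    return digester.digest()


def sign_request(token_id: str, token_key: str, method: str, uri: str,
                 body: Optional[bytes] = None,
                 request_date: Optional[str] = None) -> dict:
    """Build the headers for a signed BloodHound Enterprise API request."""
    if request_date is None:
        request_date = datetime.datetime.now().astimezone().isoformat("T")
    signature = compute_signature(token_key, method, uri, request_date, body)
    return {
        "User-Agent": "bhe-credential-check/0.1",  # constructed value
        "Authorization": f"bhesignature {token_id}",
        "RequestDate": request_date,
        "Signature": base64.b64encode(signature).decode(),
        "Content-Type": "application/json",
    }


def check_credentials(domain: str, token_id: str, token_key: str,
                      uri: str = "/api/v2/self") -> dict:
    """GET an authenticated endpoint and return the parsed JSON body.

    /api/v2/self is assumed to return the calling account, including its
    roles, which lets you confirm the pair is accepted and holds the Auditor
    role. Raises urllib.error.HTTPError on 401/403 so the caller can report it.
    """
    headers = sign_request(token_id, token_key, "GET", uri)
    request = urllib.request.Request(domain.rstrip("/") + uri,
                                     headers=headers, method="GET")
    with urllib.request.urlopen(request, timeout=15) as response:
        return json.loads(response.read())


if __name__ == "__main__":
    # Environment variable names are assumptions; BHE_DOMAIN is the same URL
    # entered in the app's "BloodHound Enterprise Domain" field.
    domain = os.environ["BHE_DOMAIN"]
    token_id = os.environ["BHE_TOKEN_ID"]
    token_key = os.environ["BHE_TOKEN_KEY"]
    try:
        account = check_credentials(domain, token_id, token_key)
    except urllib.error.HTTPError as exc:
        sys.exit(f"Rejected with HTTP {exc.code}: check the domain, Token ID "
                 f"and Token Key, and that the key is a non-personal key")
    print(json.dumps(account, indent=2))
```

A 401 or 403 from this script points at the credentials or the key's role; a successful response with a failing Test Connectivity points at the asset configuration or at the SOAR instance's network path to the tenant. Because the signature covers only the hour, the SOAR host's clock must be within the same hour as the tenant's for signed requests to be accepted.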
Step 6: Ingest data

If you set the polling interval to Off for testing, you can manually poll for events to start ingesting data from BloodHound Enterprise.
  1. Click Ingest Settings.
  2. Enter the following values:
     Maximum containers: the maximum number of containers (event groupings) to ingest per polling cycle.
     Maximum artifacts: the maximum number of artifacts (individual data items) to ingest per polling cycle.
     See the Splunk SOAR documentation for more information about these settings.
  3. Click Poll Now.
     [Image: Splunk SOAR poll now option]
     After polling completes, confirm that containers and artifacts were added successfully, as shown in the following image.
     [Image: Splunk SOAR successful data ingestion confirmation]
  4. Click Close.

Next steps

The configuration is now complete. You can view attack path findings from BloodHound Enterprise in Splunk SOAR and use them to trigger automated response playbooks.