Prerequisites
Before you begin, ensure that you have the following:- A BloodHound Enterprise tenant with OpenHound enabled.
- API credentials for each OpenHound collector client you plan to run. Use the
token_idandtoken_keygenerated for the matching collector client. - The required credentials for the extension you want to collect:
- Uploaded saved queries and Privilege Zone rules for each extension you want to collect.
- Docker Desktop with WSL integration enabled, or a Linux host with Docker or Podman installed.
- The Compose plugin installed, such as
docker composeorpodman compose.
On Windows, enable Docker Desktop WSL integration before you run OpenHound from a WSL terminal. In Docker Desktop, open Settings > Resources > WSL integration, then enable integration for the WSL distribution you use.
Deploy OpenHound
Follow these steps to deploy OpenHound with Docker Compose and run a collector for the extension you want to use.Verify Docker Compose
From your Linux or WSL terminal, run:The command returns the installed Docker Compose version.
Create the working directories
Create a workspace for the Compose file and a DLT configuration directory:
Download the OpenHound examples
Clone the OpenHound repository:You’ll use the example Compose file in the next step.
Copy the Enterprise Compose file
Copy the Enterprise example Compose file into your OpenHound workspace:
Create the OpenHound configuration file
Create
~/.dlt/config.toml for non-sensitive OpenHound runtime settings.~/.dlt/config.toml
Create the extension-specific secrets file
Create one secrets file for each extension you want to run.The example Compose file uses collector-specific files on the host and maps the matching file into the container as
Each extension secrets file must include:
/app/.dlt/secrets.toml.| Extension | Host secrets file | Container secrets file |
|---|---|---|
| GitHub | ~/.dlt/secrets_github.toml | /app/.dlt/secrets.toml |
| Jamf | ~/.dlt/secrets_jamf.toml | /app/.dlt/secrets.toml |
| Okta | ~/.dlt/secrets_okta.toml | /app/.dlt/secrets.toml |
-
[destination.bloodhoundenterprise]with the BloodHound Enterprise tenant URL and thetoken_idandtoken_keyfor the matching OpenHound collector client -
The collector-specific credentials section, such as
[sources.source.github.credentials],[sources.source.jamf.credentials], or[sources.source.okta.credentials]The following GitHub example uses an organization GitHub App.~/.dlt/secrets_github.toml
The scheduler uses
destination.bloodhoundenterprise with collector client credentials. Do not use the JWT-based destination.bloodhound settings from Upload Extension Assets for scheduled collection.Add extension secret files
Some extensions require an additional secret file.For example, the GitHub App authentication method requires you to copy the GitHub App private key to the path referenced by the Compose file:
Start one OpenHound scheduler
From the OpenHound workspace, start the scheduler for the extension you configured.To run another extension, configure its secrets file and start the matching service, such as
scheduler-jamf or scheduler-okta.Verify the scheduler logs
Follow the logs for the service you started:The scheduler checks BloodHound Enterprise for available collection jobs. After you run an on-demand scan or a scheduled scan starts, the logs show the job status.
Run a collection
In BloodHound Enterprise, run an on-demand scan or create a collection schedule for the OpenHound collector client.After the job completes, monitor ingest and analysis progress on the collection activity pages.
Troubleshooting
- If Docker commands fail from WSL, confirm Docker Desktop WSL integration is enabled for your distribution.
- If the scheduler starts but does not collect data, confirm that the OpenHound collector client credentials in the extension secrets file match the BloodHound Enterprise tenant.
- If GitHub App authentication fails, confirm that the
.pemfile is mounted at the same path configured inkey_path. - If a collection fails because of GitHub API rate limits, tune the HTTP request parameters.