Skip to main content
Applies to BloodHound Enterprise OpenHound extensions include saved queries and Privilege Zone rules that help you analyze the data collected from the GitHub, Jamf, and Okta extensions. Use the OpenHound CLI to upload these assets after the matching extension definition schema is installed or verified in BloodHound.
In BloodHound Enterprise v9.3.0 and later, the GitHub, Jamf, and Okta extension schemas are pre-installed. Saved queries and Privilege Zone rules are still managed separately.

Prerequisites

Before you upload extension assets, ensure that you have done the following:
  • Installed the OpenHound CLI.
  • Verified or installed the matching extension definition schema in OpenGraph Extension Management.
  • Obtained the BloodHound Enterprise tenant URL and browser JWT used by the OpenHound CLI for extension asset uploads.

Configure CLI authentication

OpenHound uses DLT configuration management for CLI asset uploads. Add the BloodHound Enterprise tenant URL and browser JWT to your local ~/.dlt/secrets.toml file. The asset upload commands use the destination.bloodhound section with a JWT bearer token. This is different from the destination.bloodhoundenterprise collector client configuration, which uses token_id and token_key for scheduled OpenHound collection.
Docker Compose scheduler examples use collector-specific host files, such as ~/.dlt/secrets_github.toml, and mount the matching file into the container as /app/.dlt/secrets.toml.Asset upload commands run from the OpenHound CLI and read the generic ~/.dlt/secrets.toml file shown below.
To get the browser JWT, follow the BloodHound API JWT guidance. Copy only the token value and omit the Bearer prefix.
~/.dlt/secrets.toml
Do not commit secrets.toml or token values to version control. Browser JWTs are short-lived and intended for user-authenticated API calls, not long-running integrations.

Upload assets

You must upload saved queries and Privilege Zone rules for each extension. Saved queries and Privilege Zone rules are stored in each extension repository in the following directories:
  • extension/saved_searches
  • extension/privilege_zone_rules
OpenHound makes uploaded saved queries public by default.
1

Clone the extension repositories

Clone each extension repository to your local machine.
2

Upload the saved queries

For each extension, run the upload command against the saved queries directory.
3

Upload the Privilege Zone rules

For each extension, run the upload command against the Privilege Zone rules directory.
The default upload strategy is skip, which leaves existing assets unchanged.Use --strategy overwrite when you need to update previously uploaded saved queries or Privilege Zone rules.

Verify uploads

After the upload completes:
  • Open Explore to confirm the saved queries are available.
  • Open Privilege Zones to confirm the expected rules appear in the target zone.
  • Wait for analysis to successfully run to verify rules that affect zone membership or findings.

Troubleshoot

IssueCauseResolution
Existing assets do not updateThe upload command uses the skip strategy by default.Run the upload again with the --strategy overwrite option.
Upload fails with an authentication errorThe BloodHound Enterprise URL or JWT is invalid or expired.Update the ~/.dlt/secrets.toml file with a valid browser JWT and rerun the command.
No files are uploadedThe command points to the wrong directory.Confirm that the path contains the extension assets.