In BloodHound Enterprise v9.3.0 and later, the GitHub, Jamf, and Okta extension schemas are pre-installed. Saved queries and Privilege Zone rules are still managed separately.
Prerequisites
Before you upload extension assets, ensure that you have done the following:- Installed the OpenHound CLI.
- Verified or installed the matching extension definition schema in OpenGraph Extension Management.
- Obtained the BloodHound Enterprise tenant URL and browser JWT used by the OpenHound CLI for extension asset uploads.
Configure CLI authentication
OpenHound uses DLT configuration management for CLI asset uploads. Add the BloodHound Enterprise tenant URL and browser JWT to your local~/.dlt/secrets.toml file.
The asset upload commands use the destination.bloodhound section with a JWT bearer token.
This is different from the destination.bloodhoundenterprise collector client configuration, which uses token_id and token_key for scheduled OpenHound collection.
Docker Compose scheduler examples use collector-specific host files, such as
~/.dlt/secrets_github.toml, and mount the matching file into the container as /app/.dlt/secrets.toml.Asset upload commands run from the OpenHound CLI and read the generic ~/.dlt/secrets.toml file shown below.Bearer prefix.
~/.dlt/secrets.toml
Upload assets
You must upload saved queries and Privilege Zone rules for each extension. Saved queries and Privilege Zone rules are stored in each extension repository in the following directories:extension/saved_searchesextension/privilege_zone_rules
OpenHound makes uploaded saved queries public by default.
Clone the extension repositories
Clone each extension repository to your local machine.
- GitHub
- Jamf
- Okta
Upload the saved queries
For each extension, run the upload command against the saved queries directory.
- GitHub
- Jamf
- Okta
Verify uploads
After the upload completes:- Open Explore to confirm the saved queries are available.
- Open Privilege Zones to confirm the expected rules appear in the target zone.
- Wait for analysis to successfully run to verify rules that affect zone membership or findings.
Troubleshoot
| Issue | Cause | Resolution |
|---|---|---|
| Existing assets do not update | The upload command uses the skip strategy by default. | Run the upload again with the --strategy overwrite option. |
| Upload fails with an authentication error | The BloodHound Enterprise URL or JWT is invalid or expired. | Update the ~/.dlt/secrets.toml file with a valid browser JWT and rerun the command. |
| No files are uploaded | The command points to the wrong directory. | Confirm that the path contains the extension assets. |