Get Started
Auth
- POSTLogin to BloodHound
- POSTLogout of BloodHound
- GETGet self
- GETList SAML Providers
- GETGet all SAML sign on endpoints
- POSTCreate a New SAML Provider from Metadata
- GETGet SAML Provider
- DELDelete a SAML Provider
- GETList SSO Providers
- POSTCreate OIDC Provider
- POSTCreate a New SAML Provider from Metadata
- DELDelete SSO Provider
- PATCHUpdate SSO Provider
- GETGet SAML Provider Signing Certificate
Permissions
BloodHound Users
- GETList Users
- GETList Users Minimal
- POSTCreate a New User
- GETGet a user
- DELDelete a User
- PATCHUpdate a User
- PUTCreate or Set User Secret
- DELExpire User Secret
- POSTEnrolls user in multi-factor authentication
- DELUnenroll user from multi-factor authentication
- GETReturns MFA activation status for a user
- POSTActivates MFA for an enrolled user
Collectors
Collection Uploads
Audit
Config
Asset Isolation
- GETList all asset isolation groups
- POSTCreate an asset group
- POSTCreate Asset Group Tag Selector
- GETGet Asset Group Tag
- GETGet Asset Group Tags
- GETGet asset group by ID
- GETList asset group tag members by ID
- GETGet Asset Group Tag Selector
- GETGet Asset Group Tag selectors
- GETGet asset group tag selectors of a specific object by member id
- GETList asset group tag member count by kind
- GETList asset group tag members by selector
- GETList asset group collections
- POSTPreview Selectors
- PUTUpdate an asset group
- PUTUpdate asset group selectors
- POSTUpdate asset group selectors
- PATCHUpdate Asset Group Tag Selector
- DELDelete an asset group
- DELDelete an asset group selector
- DELDelete Asset Group Tag Selector
- GETGet asset group custom member count
- GETList all asset isolation group members
- POSTCreate Asset Group Tag
- DELDelete an Asset Group Tag
- GETGet history records
- POSTSearch history records
- GETList asset group member count by kind
- POSTSearch Asset Group Tags
- PATCHUpdate Asset Group Tag
- GETGet certifications for privilege zones
- POSTCertify or Revoke Certification of Objects
Graph
Cypher
- GETList saved queries
- GETExport a saved query
- GETExport one or more saved queries
- POSTImport one or more cypher queries.
- POSTCreate a saved query
- PUTUpdate a saved query
- DELDelete a saved query
- PUTShare a saved query or set it to public
- DELRevokes permission of a saved query from users
- POSTRun a cypher query
Azure Entities
Computers
- GETGet computer entity info
- GETGet computer entity admin rights
- GETGet computer entity admins
- GETGet computer entity constrained delegation rights
- GETGet computer entity constrained users
- GETGet computer entity controllables
- GETGet computer entity controllers
- GETGet computer entity DCOM rights
- GETGet computer entity DCOM users
- GETGet computer entity group membership
- GETGet computer entity remote PowerShell rights
- GETGet computer entity remote PowerShell users
- GETGet computer entity RDP rights
- GETGet computer entity RDP users
- GETGet computer entity sessions
- GETGet computer entity SQL admins
Domains
- GETGet domain entity info
- PATCHUpdate the Domain entity
- GETGet domain entity computers
- GETGet domain entity controllers
- GETGet domain entity DC Syncers
- GETGet domain entity foreign admins
- GETGet domain entity foreign GPO controllers
- GETGet domain entity foregin groups
- GETGet domain entity foreign users
- GETGet domain entity GPOs
- GETGet domain entity groups
- GETGet domain entity inbound trusts
- GETGet domain entity linked GPOs
- GETGet domain entity OUs
- GETGet domain entity outbound trusts
- GETGet domain entity users
- GETGet ADCS escalations of Domain entity
GPOs
AIA CAs
Root CAs
Enterprise CAs
NT Auth Stores
Cert Templates
OUs
AD Users
- GETGet User entity info
- GETGet User entity admin rights
- GETGet User entity constrained delegation rights
- GETGet User entity controllables
- GETGet User entity controllers
- GETGet User entity DCOM rights
- GETGet User entity membership
- GETGet User entity PowerShell remote rights
- GETGet User entity RDP rights
- GETGet User entity sessions
- GETGet User entity SQL admin rights
Groups
- GETGet Group entity info
- GETGet Group entity admin rights
- GETGet Group entity controllables
- GETGet Group entity controllers
- GETGet Group entity DCOMRights
- GETGet Group entity members
- GETGet Group entity memberships
- GETGet Group entity PowerShell remote rights
- GETGet Group entity RDP rights
- GETGet Group entity sessions
Data Quality
Database
EULA
Analysis
Client Ingest
Clients
- GETList Clients
- POSTCreate Client
- POSTClient Error
- PUTUpdate Client Values
- GETGet Client
- PUTUpdate Client
- DELDelete Client
- PUTRegenerate the authentication token for a client
- GETList all completed tasks for a client
- GETList all completed jobs for a client
- POSTCreates a scheduled task
- POSTCreates a scheduled job
Jobs
Events (Schedules)
Attack Paths
Risk Posture
Meta Entities
A valid request URL is required to generate request examples{
"count": 1,
"skip": 1,
"limit": 1,
"data": [
{
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "<string>",
"ip_address": "127.0.0.1",
"hostname": "<string>",
"configured_user": "<string>",
"last_checkin": "2023-11-07T05:31:56Z",
"events": [
{
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"rrule": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
]
}
],
"token": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"user_id": {
"uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"valid": true
},
"name": {
"string": "<string>",
"valid": true
},
"key": "<string>",
"hmac_method": "<string>",
"last_access": "2023-11-07T05:31:56Z"
},
"current_job_id": {
"int64": 123,
"valid": true
},
"current_task_id": {
"int64": 123,
"valid": true
},
"current_job": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"current_task": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"completed_job_count": 123,
"completed_task_count": 123,
"domain_controller": {
"string": "<string>",
"valid": true
},
"version": "<string>",
"user_sid": {
"string": "<string>",
"valid": true
},
"type": "sharphound"
}
]
}List Clients
Lists available clients for processing collection events.
A valid request URL is required to generate request examples{
"count": 1,
"skip": 1,
"limit": 1,
"data": [
{
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "<string>",
"ip_address": "127.0.0.1",
"hostname": "<string>",
"configured_user": "<string>",
"last_checkin": "2023-11-07T05:31:56Z",
"events": [
{
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"rrule": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
]
}
],
"token": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"user_id": {
"uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"valid": true
},
"name": {
"string": "<string>",
"valid": true
},
"key": "<string>",
"hmac_method": "<string>",
"last_access": "2023-11-07T05:31:56Z"
},
"current_job_id": {
"int64": 123,
"valid": true
},
"current_task_id": {
"int64": 123,
"valid": true
},
"current_job": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"current_task": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"completed_job_count": 123,
"completed_task_count": 123,
"domain_controller": {
"string": "<string>",
"valid": true
},
"version": "<string>",
"user_sid": {
"string": "<string>",
"valid": true
},
"type": "sharphound"
}
]
}
Authorizations
Authorization: Bearer $JWT_TOKEN
Headers
Prefer header, used to specify a custom timeout in seconds using the wait parameter as per RFC7240.
x >= 0Query Parameters
Filter results by created_at value. See filter schema details for valid predicates.
Filter results by column timestamp value formatted as an RFC-3339 string.
Valid filter predicates are eq, neq, gt, gte, lt, lte.
Filter results by updated_at value. See filter schema details for valid predicates.
Filter results by column timestamp value formatted as an RFC-3339 string.
Valid filter predicates are eq, neq, gt, gte, lt, lte.
Filter results by deleted_at value. See filter schema details for valid predicates.
Filter results by column timestamp value formatted as an RFC-3339 string.
Valid filter predicates are eq, neq, gt, gte, lt, lte.
When a value of true is passed, any Domains associated with scheduled and finished jobs for each client will have expanded properties including name and type. When a value of false is passed, these same Domains will only return as a list of objectids.
When a value of true is passed, any OUs associated with scheduled and finished jobs for each client will have expanded properties including name and type. When a value of false is passed, these same OUs will only return as a list of objectids.
This query parameter is used for determining the number of objects to skip in pagination. The number of items to skip in a paginated response.
x >= 0This query parameter is used for setting an upper limit of objects returned in paginated responses. The limit of results requested by the client.
x >= 0Sortable columns are name, ip_address, hostname, configured_user, last_checkin, completed_job_count, created_at, updated_at, deleted_at.
Sort by column. Can be used multiple times; prepend a hyphen for descending order.
See parameter description for details about which columns are sortable.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column integer value. Valid filter predicates are eq, neq, gt, gte, lt, lte.
Filter results by column integer value. Valid filter predicates are eq, neq, gt, gte, lt, lte.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string-formatted uuid value. Valid filter predicates are eq, neq.
Response
OK
The total number of results.
x >= 0The number of items to skip in a paginated response.
x >= 0The limit of results requested by the client.
x >= 0Show child attributes
Show child attributes
This is the unique identifier for this object.
Show child attributes
Show child attributes
This is the unique identifier for this object.
Show child attributes
Show child attributes
This is the unique identifier for this object.
Show child attributes
Show child attributes
This is the unique identifier for this object.
This enum describes the current status of a Job. Values are:
-1Invalid0Ready1Running2Complete3Canceled4Timed Out5Failed6Ingesting7Analyzing8Partially Complete
-1, 0, 1, 2, 3, 4, 5, 6, 7, 8 Show child attributes
Show child attributes
This is the unique identifier for this object.
Name of the domain that was enumerated
A boolean value indicating whether the domain enumeration succeeded
A status message for a domain enumeration result
A count of users enumerated
A count of groups enumerated
A count of computers enumerated
A count of gpos enumerated
A count of ous enumerated
A count of containers enumerated
A count of aiacas enumerated
A count of rootcas enumerated
A count of enterprisecas enumerated
A count of ntauthstores enumerated
A count of certtemplates enumerated
A count of deleted objects enumerated
Show child attributes
Show child attributes
This is the unique identifier for this object.
This enum describes the current status of a Job. Values are:
-1Invalid0Ready1Running2Complete3Canceled4Timed Out5Failed6Ingesting7Analyzing8Partially Complete
-1, 0, 1, 2, 3, 4, 5, 6, 7, 8 Show child attributes
Show child attributes
This is the unique identifier for this object.
Name of the domain that was enumerated
A boolean value indicating whether the domain enumeration succeeded
A status message for a domain enumeration result
A count of users enumerated
A count of groups enumerated
A count of computers enumerated
A count of gpos enumerated
A count of ous enumerated
A count of containers enumerated
A count of aiacas enumerated
A count of rootcas enumerated
A count of enterprisecas enumerated
A count of ntauthstores enumerated
A count of certtemplates enumerated
A count of deleted objects enumerated
This enum describes the collector client type.
sharphound, azurehound