Get Started
Auth
- POSTLogin to BloodHound
- POSTLogout of BloodHound
- GETGet self
- GETList SAML Providers
- GETGet all SAML sign on endpoints
- POSTCreate a New SAML Provider from Metadata
- GETGet SAML Provider
- DELDelete a SAML Provider
- GETList SSO Providers
- POSTCreate OIDC Provider
- POSTCreate a New SAML Provider from Metadata
- DELDelete SSO Provider
- PATCHUpdate SSO Provider
- GETGet SAML Provider Signing Certificate
Permissions
BloodHound Users
- GETList Users
- POSTCreate a New User
- GETGet a user
- DELDelete a User
- PATCHUpdate a User
- PUTCreate or Set User Secret
- DELExpire User Secret
- POSTEnrolls user in multi-factor authentication
- DELUnenroll user from multi-factor authentication
- GETReturns MFA activation status for a user
- POSTActivates MFA for an enrolled user
Collectors
Collection Uploads
Audit
Config
Asset Isolation
- GETList all asset isolation groups
- POSTCreate an asset group
- GETGet asset group by ID
- PUTUpdate an asset group
- DELDelete an asset group
- GETList asset group collections
- PUTUpdate asset group selectors
- POSTUpdate asset group selectors
- DELDelete an asset group selector
- GETGet asset group custom member count
- GETList all asset isolation group members
- GETList asset group member count by kind
Graph
Cypher
Azure Entities
Computers
- GETGet computer entity info
- GETGet computer entity admin rights
- GETGet computer entity admins
- GETGet computer entity constrained delegation rights
- GETGet computer entity constrained users
- GETGet computer entity controllables
- GETGet computer entity controllers
- GETGet computer entity DCOM rights
- GETGet computer entity DCOM users
- GETGet computer entity group membership
- GETGet computer entity remote PowerShell rights
- GETGet computer entity remote PowerShell users
- GETGet computer entity RDP rights
- GETGet computer entity RDP users
- GETGet computer entity sessions
- GETGet computer entity SQL admins
Domains
- GETGet domain entity info
- PATCHUpdate the Domain entity
- GETGet domain entity computers
- GETGet domain entity controllers
- GETGet domain entity DC Syncers
- GETGet domain entity foreign admins
- GETGet domain entity foreign GPO controllers
- GETGet domain entity foregin groups
- GETGet domain entity foreign users
- GETGet domain entity GPOs
- GETGet domain entity groups
- GETGet domain entity inbound trusts
- GETGet domain entity linked GPOs
- GETGet domain entity OUs
- GETGet domain entity outbound trusts
- GETGet domain entity users
GPOs
OUs
AD Users
- GETGet User entity info
- GETGet User entity admin rights
- GETGet User entity constrained delegation rights
- GETGet User entity controllables
- GETGet User entity controllers
- GETGet User entity DCOM rights
- GETGet User entity membership
- GETGet User entity PowerShell remote rights
- GETGet User entity RDP rights
- GETGet User entity sessions
- GETGet User entity SQL admin rights
Groups
- GETGet Group entity info
- GETGet Group entity admin rights
- GETGet Group entity controllables
- GETGet Group entity controllers
- GETGet Group entity DCOMRights
- GETGet Group entity members
- GETGet Group entity memberships
- GETGet Group entity PowerShell remote rights
- GETGet Group entity RDP rights
- GETGet Group entity sessions
Data Quality
Database
EULA
Analysis
Client Ingest
Clients
- GETList Clients
- POSTCreate Client
- POSTClient Error
- PUTUpdate Client Values
- GETGet Client
- PUTUpdate Client
- DELDelete Client
- PUTRegenerate the authentication token for a client
- GETList all completed tasks for a client
- GETList all completed jobs for a client
- POSTCreates a scheduled task
- POSTCreates a scheduled job
Jobs
Events (Schedules)
Attack Paths
Risk Posture
Meta Entities
List Clients
Lists available clients for processing collection events.
{
"count": 1,
"skip": 1,
"limit": 1,
"data": [
{
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "<string>",
"ip_address": "127.0.0.1",
"hostname": "<string>",
"configured_user": "<string>",
"last_checkin": "2023-11-07T05:31:56Z",
"events": [
{
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"rrule": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
]
}
],
"token": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"user_id": {
"uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"valid": true
},
"name": {
"string": "<string>",
"valid": true
},
"key": "<string>",
"hmac_method": "<string>",
"last_access": "2023-11-07T05:31:56Z"
},
"current_job_id": {
"int64": 123,
"valid": true
},
"current_task_id": {
"int64": 123,
"valid": true
},
"current_job": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"current_task": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"completed_job_count": 123,
"completed_task_count": 123,
"domain_controller": {
"string": "<string>",
"valid": true
},
"version": "<string>",
"user_sid": {
"string": "<string>",
"valid": true
},
"type": "sharphound"
}
]
}
Authorizations
Authorization: Bearer $JWT_TOKEN
Headers
Prefer header, used to specify a custom timeout in seconds using the wait parameter as per RFC7240.
x >= 0Query Parameters
Filter results by created_at value. See filter schema details for valid predicates.
Filter results by updated_at value. See filter schema details for valid predicates.
Filter results by deleted_at value. See filter schema details for valid predicates.
When a value of true is passed, any Domains associated with scheduled and finished jobs for each client will have expanded properties including name and type. When a value of false is passed, these same Domains will only return as a list of objectids.
When a value of true is passed, any OUs associated with scheduled and finished jobs for each client will have expanded properties including name and type. When a value of false is passed, these same OUs will only return as a list of objectids.
This query parameter is used for determining the number of objects to skip in pagination.
x >= 0This query parameter is used for setting an upper limit of objects returned in paginated responses.
x >= 0Sortable columns are name, ip_address, hostname, configured_user, last_checkin, completed_job_count, created_at, updated_at, deleted_at.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column integer value. Valid filter predicates are eq, neq, gt, gte, lt, lte.
Filter results by column integer value. Valid filter predicates are eq, neq, gt, gte, lt, lte.
Filter results by column string value. Valid filter predicates are eq, ~eq, neq.
Filter results by column string-formatted uuid value. Valid filter predicates are eq, neq.
Response
The total number of results.
x >= 0The number of items to skip in a paginated response.
x >= 0The limit of results requested by the client.
x >= 0This is the unique identifier for this object.
This is the unique identifier for this object.
This is the unique identifier for this object.
This is the unique identifier for this object.
This enum describes the current status of a Job. Values are:
-1Invalid0Ready1Running2Complete3Canceled4Timed Out5Failed6Ingesting7Analyzing8Partially Complete
-1, 0, 1, 2, 3, 4, 5, 6, 7, 8 This is the unique identifier for this object.
Name of the domain that was enumerated
A boolean value indicating whether the domain enumeration succeeded
A status message for a domain enumeration result
A count of users enumerated
A count of groups enumerated
A count of computers enumerated
A count of gpos enumerated
A count of ous enumerated
A count of containers enumerated
A count of aiacas enumerated
A count of rootcas enumerated
A count of enterprisecas enumerated
A count of ntauthstores enumerated
A count of certtemplates enumerated
A count of deleted objects enumerated
This is the unique identifier for this object.
This enum describes the current status of a Job. Values are:
-1Invalid0Ready1Running2Complete3Canceled4Timed Out5Failed6Ingesting7Analyzing8Partially Complete
-1, 0, 1, 2, 3, 4, 5, 6, 7, 8 This is the unique identifier for this object.
Name of the domain that was enumerated
A boolean value indicating whether the domain enumeration succeeded
A status message for a domain enumeration result
A count of users enumerated
A count of groups enumerated
A count of computers enumerated
A count of gpos enumerated
A count of ous enumerated
A count of containers enumerated
A count of aiacas enumerated
A count of rootcas enumerated
A count of enterprisecas enumerated
A count of ntauthstores enumerated
A count of certtemplates enumerated
A count of deleted objects enumerated
This enum describes the collector client type.
sharphound, azurehound {
"count": 1,
"skip": 1,
"limit": 1,
"data": [
{
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "<string>",
"ip_address": "127.0.0.1",
"hostname": "<string>",
"configured_user": "<string>",
"last_checkin": "2023-11-07T05:31:56Z",
"events": [
{
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"rrule": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
]
}
],
"token": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"user_id": {
"uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"valid": true
},
"name": {
"string": "<string>",
"valid": true
},
"key": "<string>",
"hmac_method": "<string>",
"last_access": "2023-11-07T05:31:56Z"
},
"current_job_id": {
"int64": 123,
"valid": true
},
"current_task_id": {
"int64": 123,
"valid": true
},
"current_job": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"current_task": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"completed_job_count": 123,
"completed_task_count": 123,
"domain_controller": {
"string": "<string>",
"valid": true
},
"version": "<string>",
"user_sid": {
"string": "<string>",
"valid": true
},
"type": "sharphound"
}
]
}