Get Started
Auth
- POSTLogin to BloodHound
- POSTLogout of BloodHound
- GETGet self
- GETList SAML Providers
- GETGet all SAML sign on endpoints
- POSTCreate a New SAML Provider from Metadata
- GETGet SAML Provider
- DELDelete a SAML Provider
- GETList SSO Providers
- POSTCreate OIDC Provider
- POSTCreate a New SAML Provider from Metadata
- DELDelete SSO Provider
- PATCHUpdate SSO Provider
- GETGet SAML Provider Signing Certificate
Permissions
BloodHound Users
- GETList Users
- POSTCreate a New User
- GETGet a user
- DELDelete a User
- PATCHUpdate a User
- PUTCreate or Set User Secret
- DELExpire User Secret
- POSTEnrolls user in multi-factor authentication
- DELUnenroll user from multi-factor authentication
- GETReturns MFA activation status for a user
- POSTActivates MFA for an enrolled user
Collectors
Collection Uploads
Audit
Config
Asset Isolation
- GETList all asset isolation groups
- POSTCreate an asset group
- GETGet asset group by ID
- PUTUpdate an asset group
- DELDelete an asset group
- GETList asset group collections
- PUTUpdate asset group selectors
- POSTUpdate asset group selectors
- DELDelete an asset group selector
- GETGet asset group custom member count
- GETList all asset isolation group members
- GETList asset group member count by kind
Graph
Cypher
Azure Entities
Computers
- GETGet computer entity info
- GETGet computer entity admin rights
- GETGet computer entity admins
- GETGet computer entity constrained delegation rights
- GETGet computer entity constrained users
- GETGet computer entity controllables
- GETGet computer entity controllers
- GETGet computer entity DCOM rights
- GETGet computer entity DCOM users
- GETGet computer entity group membership
- GETGet computer entity remote PowerShell rights
- GETGet computer entity remote PowerShell users
- GETGet computer entity RDP rights
- GETGet computer entity RDP users
- GETGet computer entity sessions
- GETGet computer entity SQL admins
Domains
- GETGet domain entity info
- PATCHUpdate the Domain entity
- GETGet domain entity computers
- GETGet domain entity controllers
- GETGet domain entity DC Syncers
- GETGet domain entity foreign admins
- GETGet domain entity foreign GPO controllers
- GETGet domain entity foregin groups
- GETGet domain entity foreign users
- GETGet domain entity GPOs
- GETGet domain entity groups
- GETGet domain entity inbound trusts
- GETGet domain entity linked GPOs
- GETGet domain entity OUs
- GETGet domain entity outbound trusts
- GETGet domain entity users
GPOs
OUs
AD Users
- GETGet User entity info
- GETGet User entity admin rights
- GETGet User entity constrained delegation rights
- GETGet User entity controllables
- GETGet User entity controllers
- GETGet User entity DCOM rights
- GETGet User entity membership
- GETGet User entity PowerShell remote rights
- GETGet User entity RDP rights
- GETGet User entity sessions
- GETGet User entity SQL admin rights
Groups
- GETGet Group entity info
- GETGet Group entity admin rights
- GETGet Group entity controllables
- GETGet Group entity controllers
- GETGet Group entity DCOMRights
- GETGet Group entity members
- GETGet Group entity memberships
- GETGet Group entity PowerShell remote rights
- GETGet Group entity RDP rights
- GETGet Group entity sessions
Data Quality
Database
EULA
Analysis
Client Ingest
Clients
- GETList Clients
- POSTCreate Client
- POSTClient Error
- PUTUpdate Client Values
- GETGet Client
- PUTUpdate Client
- DELDelete Client
- PUTRegenerate the authentication token for a client
- GETList all completed tasks for a client
- GETList all completed jobs for a client
- POSTCreates a scheduled task
- POSTCreates a scheduled job
Jobs
Events (Schedules)
Attack Paths
Risk Posture
Meta Entities
List Clients
Lists available clients for processing collection events.
{
"count": 1,
"skip": 1,
"limit": 1,
"data": [
{
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "<string>",
"ip_address": "127.0.0.1",
"hostname": "<string>",
"configured_user": "<string>",
"last_checkin": "2023-11-07T05:31:56Z",
"events": [
{
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"rrule": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
]
}
],
"token": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"user_id": {
"uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"valid": true
},
"name": {
"string": "<string>",
"valid": true
},
"key": "<string>",
"hmac_method": "<string>",
"last_access": "2023-11-07T05:31:56Z"
},
"current_job_id": {
"int64": 123,
"valid": true
},
"current_task_id": {
"int64": 123,
"valid": true
},
"current_job": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"current_task": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"completed_job_count": 123,
"completed_task_count": 123,
"domain_controller": {
"string": "<string>",
"valid": true
},
"version": "<string>",
"user_sid": {
"string": "<string>",
"valid": true
},
"type": "sharphound"
}
]
}
Authorizations
Authorization: Bearer $JWT_TOKEN
Headers
Prefer header, used to specify a custom timeout in seconds using the wait parameter as per RFC7240.
x >= 0
Query Parameters
Filter results by created_at
value. See filter schema details for valid predicates.
Filter results by updated_at
value. See filter schema details for valid predicates.
Filter results by deleted_at
value. See filter schema details for valid predicates.
When a value of true
is passed, any Domains associated with scheduled and finished jobs for each client will have expanded properties including name
and type
. When a value of false
is passed, these same Domains will only return as a list of objectid
s.
When a value of true
is passed, any OUs associated with scheduled and finished jobs for each client will have expanded properties including name
and type
. When a value of false
is passed, these same OUs will only return as a list of objectid
s.
This query parameter is used for determining the number of objects to skip in pagination.
x >= 0
This query parameter is used for setting an upper limit of objects returned in paginated responses.
x >= 0
Sortable columns are name
, ip_address
, hostname
, configured_user
, last_checkin
, completed_job_count
, created_at
, updated_at
, deleted_at
.
Filter results by column string value. Valid filter predicates are eq
, ~eq
, neq
.
Filter results by column string value. Valid filter predicates are eq
, ~eq
, neq
.
Filter results by column string value. Valid filter predicates are eq
, ~eq
, neq
.
Filter results by column string value. Valid filter predicates are eq
, ~eq
, neq
.
Filter results by column string value. Valid filter predicates are eq
, ~eq
, neq
.
Filter results by column string value. Valid filter predicates are eq
, ~eq
, neq
.
Filter results by column string value. Valid filter predicates are eq
, ~eq
, neq
.
Filter results by column integer value. Valid filter predicates are eq
, neq
, gt
, gte
, lt
, lte
.
Filter results by column integer value. Valid filter predicates are eq
, neq
, gt
, gte
, lt
, lte
.
Filter results by column string value. Valid filter predicates are eq
, ~eq
, neq
.
Filter results by column string-formatted uuid value. Valid filter predicates are eq
, neq
.
Response
The response is of type object
.
{
"count": 1,
"skip": 1,
"limit": 1,
"data": [
{
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "<string>",
"ip_address": "127.0.0.1",
"hostname": "<string>",
"configured_user": "<string>",
"last_checkin": "2023-11-07T05:31:56Z",
"events": [
{
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"rrule": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
]
}
],
"token": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"user_id": {
"uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"valid": true
},
"name": {
"string": "<string>",
"valid": true
},
"key": "<string>",
"hmac_method": "<string>",
"last_access": "2023-11-07T05:31:56Z"
},
"current_job_id": {
"int64": 123,
"valid": true
},
"current_task_id": {
"int64": 123,
"valid": true
},
"current_job": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"current_task": {
"id": 123,
"client_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"client_name": "<string>",
"event_id": {
"int32": 123,
"valid": true
},
"execution_time": "2023-11-07T05:31:56Z",
"start_time": "2023-11-07T05:31:56Z",
"end_time": "2023-11-07T05:31:56Z",
"status": -1,
"status_message": "<string>",
"session_collection": true,
"local_group_collection": true,
"ad_structure_collection": true,
"cert_services_collection": true,
"ca_registry_collection": true,
"dc_registry_collection": true,
"all_trusted_domains": true,
"domain_controller": "<string>",
"ous": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"distinguishedname": "<string>",
"type": "<string>"
}
],
"domains": [
{
"objectid": "<string>",
"name": "<string>",
"exists": true,
"type": "<string>"
}
],
"domain_results": [
{
"id": 123,
"created_at": "2023-11-07T05:31:56Z",
"updated_at": "2023-11-07T05:31:56Z",
"deleted_at": {
"time": "2023-11-07T05:31:56Z",
"valid": true
},
"job_id": 123,
"domain_name": "<string>",
"success": true,
"message": "<string>",
"user_count": 123,
"group_count": 123,
"computer_count": 123,
"gpo_count": 123,
"ou_count": 123,
"container_count": 123,
"aiaca_count": 123,
"rootca_count": 123,
"enterpriseca_count": 123,
"ntauthstore_count": 123,
"certtemplate_count": 123,
"deleted_count": 123
}
]
},
"completed_job_count": 123,
"completed_task_count": 123,
"domain_controller": {
"string": "<string>",
"valid": true
},
"version": "<string>",
"user_sid": {
"string": "<string>",
"valid": true
},
"type": "sharphound"
}
]
}