
Announcements

BloodHound Enterprise Splunk App (v1.1.0)

We are excited to announce the v1.1.0 release of the BloodHound Enterprise Splunk App! The app allows you to visualize and analyze BloodHound data directly within Splunk, providing enhanced capabilities for security analysis and threat hunting. Notable features in this release include:
  • New Posture History dashboard showing key security metrics and trends over time
  • Support for proxy configurations

Black Hat Europe 2025

Visit our team at booth 409 during Black Hat Europe, December 10-11, 2025!

Workshop: BloodHound Quest

December 10, 10:15am-12:00pm
Hugo van den Toorn

Arsenal Session: Raising BloodHound Attack Paths to Life

Beyviel David
December 10, 2:30-3:50pm

Briefing: SCOMmand and Conquer

Garrett Foster and Matt Johnson
December 10, 3:20-4:00pm

Briefing: Ghost in the Stack

Alessandro Magnosi
December 10, 3:20-4:00pm

Summary

  • BloodHound
    • New and Improved Features
      • Privilege Zones
        • Renamed “Selectors” to “Rules” in the UI to improve understanding.
        • Dynamic Edit button now reflects editing context (Zone, Label, or Rule).
        • Refined selection UI to clearly highlight only the currently selected item.
        • Certification for rules now defaults to Initial Members (instead of Off).
        • Added an Environment filter to the Certifications tab.
        • Added default glyph values for built-in Tier Zero zone (gem) and Owned (skull) label.
        • Added icons to the Object Count panel.
        • Renamed SYSTEM to BloodHound for system-generated actions.
        • Replaced references to “tier” with “zone”.
        • Added a tooltip for the Enable Analysis zone configuration option and polished Details panel field naming.
      • Roles and Permissions
        • Added a new Auditor role to provide users with read-only access to all application settings and configurations, including audit log viewing capabilities.
      • Findings and Analysis
        • Modified session and group completeness calculation to align with actual active user/session counts. Local Group and Session Completeness tooltips now clarify that active computers are those that are enabled and have logged in within the last 14 days.
        • [BHE only] Renamed and rewrote the legacy “Kerberos Delegation on Tier Zero Objects” finding to “Tier Zero Objects Lack Kerberos Delegation Protection” to more accurately communicate the risk presented by the finding. Additionally, this finding only applies to Tier Zero going forward.
      • API and Backend
        • Added a product_edition field to the /api/version response body to identify the edition of BloodHound being queried (community or enterprise).
    • Bug Fixes
      • Privilege Zones
        • Improved clarity of error messaging when users attempt to add a rule that already exists.
        • [BHE only] Removed outdated Tier Zero/non-Tier Zero labels for non-Tier Zero zones in Findings panel titles.
        • Fixed an issue where changing rule certification from Initial Members to Off left existing members certified instead of pending.
        • Fixed an issue causing duplicate rules across zones and labels.
      • Analysis and Data Quality
        • Ensured CanRDP edges are properly created when Citrix RDP support is enabled and resolved stale edges behavior.
        • [BHE only] Removed unnecessary Tier Zero verbiage from remediation long descriptions.
      • UI and Display
        • [BHE only] Updated the messaging in the Client Token Info modal to provide relevant guidance based on collector client type (AzureHound or SharpHound).
        • [BHE only] Resolved missing graph icons when opening Explore page deep links in a new tab.
        • Fixed an issue where date range validation errors in the Finished Jobs filter could only be resolved by changing the start date, not the end date.
      • API and Backend
        • Fixed an issue preventing users with the Admin role from deleting users who have uploaded data on the File Ingest page.
        • Corrected inaccurate description of the asset_group_tag_id query parameter for the GET /api/v2/posture-history/{data_type} API operation.
        • Fixed an issue preventing the API from returning results for multiple environments.
        • Fixed an issue causing a “Failed to upload” error message when Windows users attempted to upload .zip files in the Saved Queries import dialog.
        • Fixed an issue where uploaded OpenGraph files with invalid edge kinds caused Cypher queries to fail. Validation now ensures that only alphanumeric characters and underscores are allowed.
        • Fixed an issue preventing SSO-authenticated administrators from removing MFA for managed users.
  • SharpHound
    • [BHE only] Added two-minute timeout protection to prevent jobs from hanging or taking a long time to complete (especially for local groups and sessions).
    • [BHE only] Added log archiving for failed jobs to prevent loss between jobs and improve troubleshooting.
    • Added a startup log entry that records the running SharpHound and SharpHound Common versions in the run.log file.
    • Added optional runtime logging, improved delegation data validation, and strengthened SID validation to reduce false positives.
  • AzureHound
    • Added build-time configuration for enhanced certificate handling on non-Windows platforms.

BloodHound (v8.4.0)

New and Improved Features

  • Privilege Zone Rules (Renamed) - Navigate Privilege Zones with confidence using the new “Rules” terminology instead of “Selectors.” Based on user feedback, we found “Selectors” caused confusion about defining zone membership. The new name better reflects that rules define the criteria that determine which objects belong to a zone.
    A view of the Privilege Zone Management page showing the renamed Rules section
  • Context-Aware Edit Button - Avoid accidentally editing the wrong component. The Edit button on the Privilege Zone Management page now dynamically updates to show exactly what you’re editing. When you click the Zones and Labels tabs, you’ll see Edit Zone and Edit Label respectively. If you select a rule in the detail view, the button changes to Edit Rule.
    An animated view of the Privilege Zone Management page showing the dynamic Edit button
  • Improved Selection Highlighting - Know exactly what you’re working on in the Privilege Zone Management page with clearer visual feedback. When you select a zone, label, or rule in the Detail view, the vertical blue highlight bar now appears beside your selected item only, making it immediately obvious which component is active.
    An animated view of the Privilege Zone Management page showing the improved selection highlighting
  • Smarter Certification Defaults - Automatically tag objects by default after creating a new rule. New rules now default to Initial Members certification instead of Off, making zone management more intuitive and aligned with user expectations.
  • Environment Filter on Certifications Tab - Filter certifications by specific environments. The Certifications tab on the Privilege Zone Management page now includes an Environment filter for more targeted certification management.
    A view of the Privilege Zone Management page showing the Environment filter in the Certifications tab
  • Default Glyphs for Built-in Zones and Labels - Quickly identify critical assets and compromised objects with default icons. Objects tagged to the built-in Tier Zero zone and Owned label now display gem or skull icons, respectively, by default.
    A view of the graph showing objects with default gem and skull glyphs
  • Visual Object Type Indicators - Scan and understand the composition of your zones at a glance. The Total Count panel on the Privilege Zone Management page now displays icons next to each object type, helping you quickly identify what types of objects (e.g., users, groups, computers) are included in each zone.
    A view of the Privilege Zone Management page showing the Total Count panel with object type icons
  • Clearer System Attribution - Distinguish between system defaults and user modifications. System-created rules and automatic certifications now show BloodHound as the creator instead of SYSTEM. This makes it clearer throughout the interface, including the History tab and rule details, which actions BloodHound automatically performed versus those made by your team members.
    A view of the History tab showing BloodHound as the creator of a system action
  • Consistent Zone Terminology - Navigate Privilege Zones with confidence using the new “zone” terminology instead of “tier”. We’ve updated terminology across Privilege Zones to consistently use “zone” instead of “tier”. This includes changing references like “multi-tier” to “multi-zone” throughout the interface.
  • Better Guidance for Zone Configuration - Get in-product guidance about Privilege Zone configuration options. The Enable Analysis option when editing a zone now includes a helpful tooltip explaining what it does: “Enables Analysis to produce Attack Path Findings for the Zone.” We’ve also refined field labels throughout the zone details panel to be clearer and more consistent.
    A view of the Edit Zone page showing the Enable Analysis tooltip
  • New Auditor Role - Grant appropriate access to users who need visibility without modification permissions. The new Auditor role provides read-only access to all application settings, configurations, findings, audit logs, and integration service accounts (like the BloodHound Enterprise Splunk App). This eliminates the need to grant full Administrator permissions just to access audit logs or view system configurations.
    A view of the Create User page showing the Auditor role
  • More Accurate Completeness Metrics - Trust your completeness metrics to reflect real-world coverage. We’ve refined how BloodHound calculates session and local group completeness so it now reflects only truly active computers (enabled and logged in within the last 14 days). Check the updated tooltips on the Posture and Data Quality pages to understand what “active” means and prioritize expanding collection where you see gaps.
    A view of the Local Group Completeness graph on the Posture page
    A view of the Session Completeness graph on the Posture page
  • [BHE only] Revised Kerberos Delegation Risk Finding - Protect Tier Zero from Kerberos delegation abuse. We renamed and rewrote the legacy “Kerberos Delegation on Tier Zero Objects” finding to “Tier Zero Objects Lack Kerberos Delegation Protection” to more accurately communicate the risk presented by the finding. Additionally, this finding only applies to Tier Zero going forward.
    A view of the revised Tier Zero Objects Lack Kerberos Delegation Protection finding
  • Product Edition in Version API - Identify the BloodHound edition programmatically. The /api/version endpoint now includes a product_edition field in its response body, allowing you to distinguish between Community and Enterprise editions.
    {
      "data": {
        "API": {
          "current_version": "v2",
          "deprecated_version": "v1"
        },
        "server_version": "v8.4.0",
        "product_edition": "enterprise"
      }
    }
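
One way to consume the new field when inventorying BloodHound deployments, written as an added example (not code from the BloodHound project). It classifies a /api/version response body and treats a missing product_edition as expected only on servers older than v8.4.0. The function names and the older sample body are assumptions constructed for illustration.

```python
import json
import re

KNOWN_EDITIONS = {"community", "enterprise"}   # values named in these notes
FIELD_ADDED_IN = (8, 4, 0)                     # release that added product_edition


def parse_server_version(text):
    """Turn 'v8.4.0' into (8, 4, 0); reject anything that is not a version string."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text) if isinstance(text, str) else None
    if match is None:
        raise ValueError(f"unrecognised server_version: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify_edition(body):
    """Return (edition, version) for a /api/version response body.

    edition is 'community', 'enterprise', or 'unknown' for a server older
    than the release that introduced the field. Other shapes raise ValueError.
    """
    payload = json.loads(body)
    data = payload.get("data") if isinstance(payload, dict) else None
    if not isinstance(data, dict):
        raise ValueError("response has no 'data' object")
    version = parse_server_version(data.get("server_version"))
    edition = data.get("product_edition")
    if edition is None:
        if version < FIELD_ADDED_IN:
            return "unknown", version
        raise ValueError("product_edition missing from a v8.4.0+ response")
    if not isinstance(edition, str) or edition not in KNOWN_EDITIONS:
        raise ValueError(f"unexpected product_edition: {edition!r}")
    return edition, version


# Constructed samples: the first mirrors the body shown above; the second
# imitates an older server (version number made up) that lacks the field.
SAMPLE_NEW = ('{"data": {"API": {"current_version": "v2", "deprecated_version": "v1"},'
              ' "server_version": "v8.4.0", "product_edition": "enterprise"}}')
SAMPLE_OLD = '{"data": {"server_version": "v8.3.0"}}'

if __name__ == "__main__":
    for sample in (SAMPLE_NEW, SAMPLE_OLD):
        print(classify_edition(sample))
```

Failing closed on an unexpected or missing value keeps edition-specific automation from running against a server it was not written for.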
    

SharpHound (v2.8.1)

  • [BHE only] Added two-minute timeout protection to prevent jobs from hanging or taking a long time to complete (especially for local groups and sessions).
  • [BHE only] Added log archiving for failed jobs to prevent loss between jobs and improve troubleshooting.
  • Added a startup log entry that records the running SharpHound and SharpHound Common versions in the run.log file.
  • Added optional runtime logging, improved delegation data validation, and strengthened SID validation to reduce false positives.

AzureHound (v2.8.2)

Resolved an issue where certificates used for SSL inspection prevented AzureHound from communicating via TLS.