# Bloodhound
The BloodHound connector enables automated interactions with BloodHound's security analysis capabilities, facilitating the identification and management of AD attack paths.

BloodHound is a powerful security analysis tool that maps out Active Directory and Azure AD environments to uncover complex attack paths and potential security vulnerabilities. The Bloodhound Turbine connector allows Swimlane Turbine users to integrate BloodHound's advanced attack path analytics and risk assessment capabilities directly into their security workflows. By leveraging this connector, security teams can automate the extraction of attack path findings, domain risk analysis, and threat identification, enhancing their ability to proactively defend against sophisticated cyber threats.

## Limitations

None to date.

## Supported Versions

This Bloodhound connector uses the version 2 API.

## Additional Docs

- https://bloodhound.specterops.io/reference/overview
- https://support.bloodhoundenterprise.io/hc/en-us/articles/11311053342619-Working-with-the-BloodHound-API

## Configuration

### Prerequisites

To effectively utilize the Bloodhound connector for Turbine, ensure you have the following prerequisites:

- HTTP Bearer Authentication with these parameters:
  - URL: Endpoint for the BloodHound API
  - Token: Bearer token (such as a JWT) to authenticate API requests
- Custom Authentication with these parameters:
  - URL: Endpoint for the BloodHound API
  - ID: Unique identifier for custom authentication
  - Key: Secret key associated with the custom ID for authentication

### Authentication Methods

- HTTP Basic Authentication
  - URL: The endpoint URL for the BloodHound API
  - Username: Your BloodHound username with sufficient permissions
  - Password: The password associated with your BloodHound account
- Custom Authentication with the following parameters:
  - URL: The endpoint URL for the BloodHound API
  - Token ID: The ID of the asset
  - Token Key: The key of the asset

## Capabilities

This Bloodhound connector provides the following capabilities:

- Export Attack Path Findings
- Get Available Domains
- List Attack Path Sparkline Values
- List Available Attack Paths
- List Domain Attack Paths Details
- List Saved Queries
- List All Attack Path Types
- Run a Cypher Query
- Search for Objects
- Start Analysis
- Update Attack Path Risk

### Export Attack Path Findings

Export the finding table for a given attack path. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/export-attack-path-findings).

### Get Available Domains

Gets available domains along with their collection status. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/search/get-available-domains).

### List Attack Path Sparkline Values

List the values that represent the sparklines for individual attack paths. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/list-attack-path-sparkline-values).

### List Available Attack Paths

Lists all possible attack path types. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/list-available-attack-paths).

### List Domain Attack Paths Details

Lists detailed data about attack paths for a domain. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/list-domain-attack-paths-details).

### List Saved Queries

Get all saved queries for the current user. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/cypher/list-saved-queries).

### List All Attack Path Types

Lists all possible attack path types. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/list-all-attack-path-types).

### Run a Cypher Query

Runs a manual Cypher query directly against the database. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/cypher/run-a-cypher-query).

### Search for Objects

Search for graph objects by name or object ID, filtered by type. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/search/search-for-objects).

### Start Analysis

Starts generating attack paths. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/start-analysis).

### Update Attack Path Risk

Updates an attack path as an accepted or unaccepted risk until a given time. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/update-attack-path-risk).

## Configurations

### Bloodhound Asset

Authenticates using bearer token ID and token key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token_id | The ID of the asset | string | required |
| token_key | The key of the asset | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### Bloodhound HTTP Bearer Authentication

Authenticates using a bearer token, such as a JWT.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | The JWT token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Export Attack Path Findings

Exports a findings table for an attack path in BloodHound using the specified domain ID and finding parameters.

**Endpoint URL:** `/api/v2/domains/{{domain_id}}/attack-path-findings`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain_id | string | required | The ID of the domain to export findings for |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | HTTP headers for the request |
| parameters.sort_by | string | optional | Sort by column. The only sortable column is `finding`. |
| parameters.finding | string | required | Finding type |
| parameters.filterAccepted | string | optional | Risk acceptance filter |

Example input:

```json
{"parameters": {"sort_by": "CompositeRisk", "finding": "CompositeRisk", "filterAccepted": "accepted"}, "path_parameters": {"domain_id": "123"}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": "header1,header2,header3\ncell1,cell2,cell3\ncell4,cell5,cell6\n \n"}
```

### Get Available Domains

Retrieves a list of available domains along with their collection statuses from BloodHound.

**Endpoint URL:** `/api/v2/available-domains`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | HTTP headers for the request |
| parameters.sort_by | string | optional | Sortable columns are `objectid`, `name`. |
| parameters.objectid | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.name | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.collected | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |

Example input:

```json
{"parameters": {"sort_by": "CompositeRisk", "objectid": "34234", "name": "composite", "collected": "composite"}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.type | string | Response data |
| data.name | string | Response data |
| data.id | string | Response data |
| data.collected | boolean | Response data |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": [{}]}}
```

### List All Attack Path Types

Retrieve all possible attack path types from BloodHound for comprehensive analysis and strategic planning.

**Endpoint URL:** `/api/v2/attack-path-types`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| parameters.sort_by | string | optional | Sort by column. The only sortable column is `finding`. |
| parameters.finding | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |

Example input:

```json
{"parameters": {"sort_by": "CompositeRisk", "finding": "CompositeRisk"}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": ["<string>"]}}
```

### List Attack Path Sparkline Values

Lists sparkline values for attack paths in a specified domain on BloodHound, requiring domain ID and finding parameters.

**Endpoint URL:** `/api/v2/domains/{{domain_id}}/sparkline`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain_id | string | required | The ID of the domain to list the sparkline values for |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| parameters.sort_by | string | optional | Sortable columns are `CompositeRisk`, `FindingCount`, `ImpactedAssetCount`, `domain_sid`, `id`, `created_at`, `updated_at`, `deleted_at`. |
| parameters.finding | string | required | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.from | string | optional | Beginning datetime of range (inclusive) in RFC 3339 format; defaults to current datetime minus 30 days |
| parameters.to | string | optional | Ending datetime of range (exclusive) in RFC 3339 format; defaults to current datetime |

Example input:

```json
{"parameters": {"sort_by": "CompositeRisk", "finding": "eq", "from": "2023-09-01T00:00:00Z", "to": "2024-10-01T00:00:00Z"}, "path_parameters": {"domain_id": "123"}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| start | string | Output field start |
| end | string | Output field end |
| data | array | Response data |
| data.id | number | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.deleted_at | object | Response data |
| data.deleted_at.Time | string | Response data |
| data.deleted_at.Valid | boolean | Response data |
| data.CompositeRisk | number | Response data |
| data.FindingCount | number | Response data |
| data.ImpactedAssetCount | number | Response data |
| data.DomainSID | string | Response data |
| data.Finding | string | Response data |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"start": "2023-11-07T05:31:56Z", "end": "2023-11-07T05:31:56Z", "data": [{}]}}
```

### List Available Attack Paths

Lists all possible attack paths for a given domain in BloodHound, using the domain ID as a path parameter.

**Endpoint URL:** `/api/v2/domains/{{domain_id}}/available-types`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain_id | string | required | Parameters for the List Available Attack Paths action |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| parameters.sort_by | string | optional | Sort by column. The only sortable column is `finding`. |
| parameters.finding | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |

Example input:

```json
{"parameters": {"sort_by": "CompositeRisk", "finding": "CompositeRisk"}, "path_parameters": {"domain_id": "123"}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": ["<string>"]}}
```

### List Domain Attack Paths Details

Retrieve detailed attack path information for a specified domain in BloodHound, utilizing the domain ID and finding parameters.

**Endpoint URL:** `/api/v2/domains/{{domain_id}}/details`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain_id | string | required | Domain ID |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| parameters.finding | string | required | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.sort_by | string | optional | Sortable columns are `domain_sid`, `index`, `AcceptedUntil`, `id`, `created_at`, `updated_at`, `deleted_at`, `ExposurePercentage`, `ImpactPercentage`. Relationship risks can be sorted on `FromPrincipal` and `ToPrincipal` in addition to the sortable columns for list risks. |
| parameters.from_principal | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.to_principal | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.principals_hash | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.accepted_until | string | optional | Filter results by column timestamp value formatted as an RFC 3339 string. Valid filter predicates are `eq`, `neq`, `gt`, `gte`, `lt`, `lte`. |
| parameters.principal | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.domain_sid | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.id | integer | optional | Filter results by column integer value. Valid filter predicates are `eq`, `neq`, `gt`, `gte`, `lt`, `lte`. |
| parameters.created_at | string | optional | Filter results by `created_at` value. See filter schema details for valid predicates. |
| parameters.updated_at | string | optional | Filter results by `updated_at` value. See filter schema details for valid predicates. |
| parameters.deleted_at | string | optional | Filter results by `deleted_at` value. See filter schema details for valid predicates. |
| parameters.limit | integer | optional | This query parameter is used for setting an upper limit of objects returned in paginated responses. Required range: x >= 0 |
| parameters.skip | integer | optional | This query parameter is used for determining the number of objects to skip in pagination. Required range: x >= 0 |

Example input:

```json
{"parameters": {"sort_by": "CompositeRisk", "finding": "eq", "from_principal": "eq", "to_principal": "eq", "principals_hash": "eq", "accepted_until": "2024-10-01T00:00:00Z", "principal": "eq", "id": "eq", "created_at": "2024-10-01T00:00:00Z", "updated_at": "2024-10-01T00:00:00Z", "deleted_at": "2024-10-01T00:00:00Z", "limit": 100, "skip": 0}, "path_parameters": {"domain_id": "123"}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| skip | number | Output field skip |
| limit | number | Output field limit |
| data | array | Response data |
| data.id | number | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.deleted_at | object | Response data |
| data.deleted_at.Time | string | Response data |
| data.deleted_at.Valid | boolean | Response data |
| data.FromPrincipal | string | Response data |
| data.ToPrincipal | string | Response data |
| data.FromPrincipalProps | object | Response data |
| data.FromPrincipalProps.additionalProp1 | object | Response data |
| data.FromPrincipalProps.additionalProp2 | object | Response data |
| data.FromPrincipalProps.additionalProp3 | object | Response data |
| data.FromPrincipalKind | string | Response data |
| data.ToPrincipalProps | object | Response data |
| data.ToPrincipalProps.additionalProp1 | object | Response data |
| data.ToPrincipalProps.additionalProp2 | object | Response data |
| data.ToPrincipalProps.additionalProp3 | object | Response data |
| data.ToPrincipalKind | string | Response data |
| data.RelProps | object | Response data |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"count": 0, "skip": 0, "limit": 0, "data": [{}]}}
```

### List Saved Queries

Retrieve all saved queries associated with the current user in BloodHound.

**Endpoint URL:** `/api/v2/saved-queries`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| parameters.skip | number | optional | This query parameter is used for determining the number of objects to skip in pagination. Required range: x >= 0 |
| parameters.limit | number | optional | This query parameter is used for setting an upper limit of objects returned in paginated responses. Required range: x >= 0 |
| parameters.sort_by | string | optional | Sortable columns are `user_id`, `name`, `query`, `id`, `created_at`, `updated_at`, `deleted_at`. |
| parameters.name | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.query | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.user_id | string | optional | Filter results by column string value. Valid filter predicates are `eq`, `~eq`, `neq`. |
| parameters.scope | string | optional | The `contains` predicate checks a property against the values in a given comma-separated list. `in` checks if the property matches an element in the given comma-separated list. Example: `in:Contains,GetChangesAll,MemberOf`. `nin` checks if the property does not match an element in the given comma-separated list. Example: `nin:LocalToComputer,MemberOfLocalGroup`. |

Example input:

```json
{"parameters": {"skip": 0, "limit": 10, "sort_by": "user_id", "name": "eq:example_name", "query": "eq:example_query", "user_id": "eq:example_user_id", "scope": "in:Contains,GetChangesAll,MemberOf"}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| skip | number | Output field skip |
| limit | number | Output field limit |
| data | array | Response data |
| data.id | number | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.deleted_at | object | Response data |
| data.deleted_at.Time | string | Response data |
| data.deleted_at.Valid | boolean | Response data |
| data.user_id | string | Response data |
| data.name | string | Response data |
| data.query | string | Response data |
| data.description | string | Response data |

Example output:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"count": 1, "skip": 1, "limit": 1, "data": [{}]}}
```

### Run a Cypher Query

Execute a manual Cypher query against the BloodHound database to retrieve specific graph data.

**Endpoint URL:** `/api/v2/graphs/cypher`

**Method:** POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| query | string | optional | The Cypher query to be executed. This is a string value that represents the Cypher query to be run against the database. |
| include_properties | boolean | optional | Include properties in the response. This is a boolean value that determines whether to include properties in the response. |

Example input:

```json
{"json_body": {"query": "", "include_properties": true}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.nodes | object | Response data |
| data.edges | array | Response data |
| data.edges.source | string | Response data |
| data.edges.target | string | Response data |
| data.edges.label | string | Response data |
| data.edges.kind | string | Response data |
| data.edges.lastSeen | string | Response data |
| data.edges.properties | object | Response data |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": {"nodes": {}, "edges": []}}}
```

### Search for Objects

Performs a search for graph objects in BloodHound using name or object ID, with optional type filtering; requires the `q` parameter.

**Endpoint URL:** `/api/v2/search`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| parameters.q | string | required | Search parameter for the name or object ID of a node |
| parameters.type | string | optional | Node type. Some AD examples: `Base`, `User`, `Computer`, `Group`, `Container`. Some Azure examples: `AZBase`, `AZApp`, `AZDevice`. |
| parameters.skip | number | optional | This query parameter is used for determining the number of objects to skip in pagination. Required range: x >= 0 |
| parameters.limit | number | optional | This query parameter is used for setting an upper limit of objects returned in paginated responses. Required range: x >= 0 |

Example input:

```json
{"parameters": {"q": "683767", "type": "Base", "skip": 0, "limit": 10}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.objectid | string | Response data |
| data.type | string | Response data |
| data.name | string | Response data |
| data.distinguishedname | string | Response data |
| data.system_tags | string | Response data |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": [{}]}}
```

### Start Analysis

Initiates the generation of attack paths within the BloodHound application to identify potential security threats.

**Endpoint URL:** `/api/v2/attack-paths`

**Method:** PUT

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |

Example input:

```json
{"headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example output:

```json
{"status_code": 200, "reason": "OK"}
```

### Update Attack Path Risk

Updates the risk status of a specified attack path in BloodHound using the provided attack path ID, with an optional expiration time.

**Endpoint URL:** `/api/v2/attack-paths/{{attack_path_id}}/acceptance`

**Method:** PUT

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.attack_path_id | number | required | The ID of the attack path to update |
| headers | object | optional | HTTP headers for the request |
| headers.Prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| risk_type | string | optional | The type of risk to be accepted or unaccepted |
| accept_until | string | optional | The date and time until which the risk is accepted |
| accepted | boolean | optional | Indicates whether the risk is accepted or unaccepted |

Example input:

```json
{"json_body": {"risk_type": "high", "accept_until": "2024-08-28T21:42:18.844Z", "accepted": true}, "path_parameters": {"attack_path_id": 123}, "headers": {"Prefer": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | number | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.deleted_at | object | Response data |
| data.deleted_at.Time | string | Response data |
| data.deleted_at.Valid | boolean | Response data |
| data.Principal | string | Response data |
| data.PrincipalKind | string | Response data |
| data.Finding | string | Response data |
| data.DomainSID | string | Response data |
| data.Props | object | Response data |
| data.AcceptedUntil | string | Response data |
| data.ImpactPercentage | number | Response data |
| data.ImpactCount | number | Response data |
| data.Severity | string | Response data |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": {"id": 123, "created_at": "2023-11-07T05:31:56Z", "updated_at": "2023-11-07T05:31:56Z", "deleted_at": {}, "Principal": "<string>", "PrincipalKind": "<string>", "Finding": "<string>", "DomainSID": "<string>", "Props": {}, "AcceptedUntil": "2023-11-07T05:31:56Z", "ImpactPercentage": 123, "ImpactCount": 123, "Severity": "critical"}}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
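The two credential types the connector accepts (a bearer JWT, and a token ID / token key pair for the Bloodhound Asset configuration) produce different request headers. The following is an added example, not code from Swimlane or from the connector, showing how a client builds each header set; the HMAC-SHA256 signing chain follows the scheme described in the "Working with the BloodHound API" article linked under Additional Docs, and the token values, URI and timestamps are constructed for illustration.

```python
"""Build request headers for the two BloodHound API credential types.

Added example (not Swimlane's or SpecterOps' code). The signed-request scheme
is the one described in SpecterOps' "Working with the BloodHound API" article:
an HMAC-SHA256 chain over METHOD+URI, the request hour, and the body, sent as
`Authorization: bhesignature <token_id>`, `RequestDate` and `Signature`.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, Optional


def bearer_headers(jwt: str) -> Dict[str, str]:
    """HTTP Bearer authentication: the JWT travels in one static header."""
    return {"Authorization": f"Bearer {jwt}", "Content-Type": "application/json"}


def signed_headers(token_id: str, token_key: str, method: str, uri: str,
                   body: bytes = b"", now: Optional[datetime] = None) -> Dict[str, str]:
    """Token ID / token key authentication.

    Chain: key -> HMAC(METHOD+URI) -> HMAC(RFC 3339 timestamp truncated to the
    hour, i.e. its first 13 characters) -> HMAC(body). The server recomputes
    the same chain, so a request replayed outside the hour window, or with a
    changed URI or body, fails verification. `now` is injectable for tests.
    """
    now = now or datetime.now(timezone.utc)
    request_date = now.isoformat(timespec="seconds")

    digester = hmac.new(token_key.encode(), None, hashlib.sha256)
    digester.update(f"{method.upper()}{uri}".encode())

    digester = hmac.new(digester.digest(), None, hashlib.sha256)
    digester.update(request_date[:13].encode())  # "YYYY-MM-DDTHH"

    digester = hmac.new(digester.digest(), None, hashlib.sha256)
    digester.update(body)  # empty for GET requests

    return {
        "Authorization": f"bhesignature {token_id}",
        "RequestDate": request_date,
        "Signature": base64.b64encode(digester.digest()).decode(),
        "Content-Type": "application/json",
    }


if __name__ == "__main__":
    # Constructed credentials and request; nothing is sent over the network.
    print(bearer_headers("eyJ.constructed.jwt"))
    print(signed_headers("constructed-token-id", "constructed-token-key",
                         "GET", "/api/v2/available-domains"))
```

Because the body is part of the chain, a PUT to `/api/v2/attack-paths/{{attack_path_id}}/acceptance` must be signed over the exact JSON bytes that are transmitted; serialising the body twice with different key ordering or whitespace produces a signature the server rejects.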
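The list actions above (List Domain Attack Paths Details, List Saved Queries, Search for Objects) share two conventions: filters are passed as `predicate:value` strings whose valid predicates depend on the column, and results are paged with `skip`, `limit` and a `count` in the response. The following is an added example, not part of the connector or of BloodHound, that builds validated filter strings from the predicate sets documented for List Domain Attack Paths Details and walks a paginated endpoint to completion; `fetch_page` stands in for whatever HTTP call the caller makes, and the page data is constructed.

```python
"""Filter construction and pagination for BloodHound list endpoints.

Added example, not part of the connector documentation. Predicate sets per
column are taken from the List Domain Attack Paths Details parameter table;
`predicate:value` is the query-string form the input examples show
(e.g. "name": "eq:example_name"). `fetch_page` is a stand-in for the HTTP call.
"""
from typing import Callable, Dict, Iterator, List, Mapping, Set, Tuple

STRING_PREDICATES: Set[str] = {"eq", "~eq", "neq"}
ORDERED_PREDICATES: Set[str] = {"eq", "neq", "gt", "gte", "lt", "lte"}

# Column -> allowed predicates, as documented for /api/v2/domains/{domain_id}/details.
DETAILS_FILTERS: Dict[str, Set[str]] = {
    "finding": STRING_PREDICATES,
    "from_principal": STRING_PREDICATES,
    "to_principal": STRING_PREDICATES,
    "principals_hash": STRING_PREDICATES,
    "principal": STRING_PREDICATES,
    "domain_sid": STRING_PREDICATES,
    "accepted_until": ORDERED_PREDICATES,  # RFC 3339 timestamp
    "id": ORDERED_PREDICATES,              # integer
}


def build_filters(filters: Mapping[str, Tuple[str, str]],
                  schema: Mapping[str, Set[str]] = DETAILS_FILTERS) -> Dict[str, str]:
    """Turn {column: (predicate, value)} into {column: "predicate:value"},
    rejecting columns that are not filterable and predicates the column
    does not support, so a typo fails locally instead of as a 400 or as a
    silently unfiltered result."""
    out: Dict[str, str] = {}
    for column, (predicate, value) in filters.items():
        allowed = schema.get(column)
        if allowed is None:
            raise ValueError(f"{column!r} is not a filterable column")
        if predicate not in allowed:
            raise ValueError(
                f"{predicate!r} is not valid for {column!r}; use one of {sorted(allowed)}")
        out[column] = f"{predicate}:{value}"
    return out


def paginate(fetch_page: Callable[[int, int], dict], limit: int = 100) -> Iterator[dict]:
    """Yield every row of a skip/limit endpoint.

    Stops when `skip` reaches the server-reported `count`, or on an empty
    page as a safety net, so a server that caps `limit` below what was asked
    still gets walked to the end rather than truncated after one page."""
    skip = 0
    while True:
        page = fetch_page(skip, limit)
        rows: List[dict] = page.get("data") or []
        yield from rows
        skip += len(rows)
        if not rows or skip >= int(page.get("count", 0)):
            return


def constructed_details_server(total: int) -> Callable[[int, int], dict]:
    """Constructed stand-in for GET /api/v2/domains/{domain_id}/details that
    honours skip/limit and reports count like the real response does."""
    rows = [{"id": i, "FromPrincipal": f"PRINCIPAL-{i}", "ToPrincipal": "PRINCIPAL-TARGET"}
            for i in range(total)]

    def fetch_page(skip: int, limit: int) -> dict:
        return {"count": total, "skip": skip, "limit": limit, "data": rows[skip:skip + limit]}

    return fetch_page


def collect_ids(total: int, limit: int) -> List[int]:
    """Walk the constructed server and return the ids seen, in order."""
    return [row["id"] for row in paginate(constructed_details_server(total), limit=limit)]


if __name__ == "__main__":
    params = {"sort_by": "id", "limit": 100, "skip": 0}
    params.update(build_filters({
        "finding": ("eq", "ExampleFindingType"),          # constructed value
        "accepted_until": ("gte", "2024-10-01T00:00:00Z"),
        "id": ("gt", "10"),
    }))
    print(params)
    print(collect_ids(total=7, limit=3))
```

`build_filters` returns only the filter keys; merge them into the `parameters` object alongside `sort_by`, `limit` and `skip` as in the example input above. The schema mapping is the documented predicate table for one endpoint, so a second mapping is needed for endpoints whose columns differ, such as List Saved Queries.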