# Bloodhound
The BloodHound connector enables automated interactions with BloodHound's security analysis capabilities, facilitating the identification and management of AD attack paths.

BloodHound is a powerful security analysis tool that maps out Active Directory and Azure AD environments to uncover complex attack paths and potential security vulnerabilities. The BloodHound Turbine connector allows Swimlane Turbine users to integrate BloodHound's advanced attack path analytics and risk assessment capabilities directly into their security workflows. By leveraging this connector, security teams can automate the extraction of attack path findings, domain risk analysis, and threat identification, enhancing their ability to proactively defend against sophisticated cyber threats.

## Limitations

None to date.

## Supported versions

This BloodHound connector uses the version 2 API.

## Additional docs

- BloodHound authentication: https://bloodhound.specterops.io/reference/overview
- BloodHound API documentation: https://support.bloodhoundenterprise.io/hc/en-us/articles/11311053342619-Working-with-the-BloodHound-API

## Configuration

### Prerequisites

To effectively utilize the BloodHound connector for Turbine, ensure you have the following prerequisites:

- HTTP Bearer Authentication with these parameters:
  - URL: endpoint for the BloodHound API
  - Token: bearer token, such as a JWT, to authenticate API requests
- Custom Authentication with these parameters:
  - URL: endpoint for the BloodHound API
  - ID: unique identifier for custom authentication
  - Key: secret key associated with the custom ID for authentication

### Authentication methods

- HTTP Basic Authentication:
  - URL: the endpoint URL for the BloodHound API
  - Username: your BloodHound username with sufficient permissions
  - Password: the password associated with your BloodHound account
- Custom Authentication with the following parameters:
  - URL: the endpoint URL for the BloodHound API
  - Token ID: the ID of the asset
  - Token Key: the key of the asset

## Capabilities

This BloodHound connector provides the following capabilities:

- Export Attack Path Findings
- Get Available Domains
- List Attack Path Sparkline Values
- List Available Attack Paths
- List Domain Attack Paths Details
- List Saved Queries
- List All Attack Path Types
- Run a Cypher Query
- Search for Objects
- Start Analysis
- Update Attack Path Risk

### Export Attack Path Findings

Export the finding table for a given attack path. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/export-attack-path-findings).

### Get Available Domains

Gets available domains along with their collection status. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/search/get-available-domains).

### List Attack Path Sparkline Values

List the values that represent the sparklines for individual attack paths. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/list-attack-path-sparkline-values).

### List Available Attack Paths

Lists all possible attack path types. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/list-available-attack-paths).

### List Domain Attack Paths Details

Lists detailed data about attack paths for a domain. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/list-domain-attack-paths-details).

### List Saved Queries

Get all saved queries for the current user. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/cypher/list-saved-queries).

### List All Attack Path Types

Lists all possible attack path types. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/list-all-attack-path-types).

### Run a Cypher Query

Runs a manual Cypher query directly against the database. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/cypher/run-a-cypher-query).

### Search for Objects

Search for graph objects by name or object ID, filtered by type. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/search/search-for-objects).

### Start Analysis

Starts generating attack paths. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/start-analysis).

### Update Attack Path Risk

Updates an attack path as an accepted or unaccepted risk until a given time. BloodHound's documentation for this action can be found [here](https://bloodhound.specterops.io/reference/attack-paths/update-attack-path-risk).

## Configurations

### Bloodhound Asset

Authenticates using bearer token ID and token key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token_id | The ID of the asset | string | required |
| token_key | The key of the asset | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### Bloodhound HTTP Bearer Authentication

Authenticates using a bearer token, such as a JWT.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token | The JWT token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Export Attack Path Findings

Exports a findings table for an attack path in BloodHound using the specified domain ID and finding parameters.

- Endpoint URL: `/api/v2/domains/{{domain_id}}/attack-path-findings`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| domain_id | string | required | The ID of the domain to export findings for |
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Parameter for Export Attack Path Findings |
| sort_by | string | optional | Sort by column. The only sortable column is `finding` |
| finding | string | required | Finding type |
| filteraccepted | string | optional | Risk acceptance filter |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": "header1,header2,header3\ncell1,cell2,cell3\ncell4,cell5,cell6\n \n"
  }
]
```

### Get Available Domains

Retrieves a list of available domains along with their collection statuses from BloodHound.

- Endpoint URL: `/api/v2/available-domains`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Parameter for Get Available Domains |
| sort_by | string | optional | Sortable columns are `objectid`, `name` |
| objectid | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| name | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| collected | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| type | string | Type of the resource |
| name | string | Name of the resource |
| id | string | Unique identifier |
| collected | boolean | Output field collected |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "data": []
    }
  }
]
```

### List All Attack Path Types

Retrieve all possible attack path types from BloodHound for comprehensive analysis and strategic planning.

- Endpoint URL: `/api/v2/attack-path-types`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| sort_by | string | optional | Sort by column. The only sortable column is `finding` |
| finding | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "data": []
    }
  }
]
```

### List Attack Path Sparkline Values

Lists sparkline values for attack paths in a specified domain on BloodHound, requiring domain ID and finding parameters.

- Endpoint URL: `/api/v2/domains/{{domain_id}}/sparkline`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| domain_id | string | required | The ID of the domain to list the sparkline values for |
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| sort_by | string | optional | Sortable columns are `compositerisk`, `findingcount`, `impactedassetcount`, `domain_sid`, `id`, `created_at`, `updated_at`, `deleted_at` |
| finding | string | required | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| from | string | optional | Beginning datetime of range (inclusive) in RFC 3339 format; defaults to current datetime minus 30 days |
| to | string | optional | Ending datetime of range (exclusive) in RFC 3339 format; defaults to current datetime |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| start | string | Output field start |
| end | string | Output field end |
| data | array | Response data |
| id | number | Unique identifier |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| deleted_at | object | Output field deleted_at |
| time | string | Time value |
| valid | boolean | Unique identifier |
| compositerisk | number | Output field compositerisk |
| findingcount | number | Count value |
| impactedassetcount | number | Count value |
| domainsid | string | Unique identifier |
| finding | string | Output field finding |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "start": "2023-11-07T05:31:56Z",
      "end": "2023-11-07T05:31:56Z",
      "data": []
    }
  }
]
```

### List Available Attack Paths

Lists all possible attack paths for a given domain in BloodHound, using the domain ID as a path parameter.

- Endpoint URL: `/api/v2/domains/{{domain_id}}/available-types`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| domain_id | string | required | Unique identifier |
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| sort_by | string | optional | Sort by column. The only sortable column is `finding` |
| finding | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "data": []
    }
  }
]
```

### List Domain Attack Paths Details

Retrieve detailed attack path information for a specified domain in BloodHound, utilizing the domain ID and finding parameters.

- Endpoint URL: `/api/v2/domains/{{domain_id}}/details`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| domain_id | string | required | Domain ID |
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| finding | string | required | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| sort_by | string | optional | Sortable columns are `domain_sid`, `index`, `accepteduntil`, `id`, `created_at`, `updated_at`, `deleted_at`, `exposure_percentage`, `impact_percentage`. Relationship risks can be sorted on `fromprincipal` and `toprincipal` in addition to the sortable columns for list risks |
| from_principal | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| to_principal | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| principals_hash | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| accepted_until | string | optional | Filter results by column timestamp value formatted as an RFC 3339 string. Valid filter predicates are `eq`, `neq`, `gt`, `gte`, `lt`, `lte` |
| principal | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| domain_sid | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| id | integer | optional | Filter results by column integer value. Valid filter predicates are `eq`, `neq`, `gt`, `gte`, `lt`, `lte` |
| created_at | string | optional | Filter results by `created_at` value. See filter schema details for valid predicates |
| updated_at | string | optional | Filter results by `updated_at` value. See filter schema details for valid predicates |
| deleted_at | string | optional | Filter results by `deleted_at` value. See filter schema details for valid predicates |
| limit | integer | optional | This query parameter is used for setting an upper limit of objects returned in paginated responses. Required range: x >= 0 |
| skip | integer | optional | This query parameter is used for determining the number of objects to skip in pagination. Required range: x >= 0 |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| skip | number | Output field skip |
| limit | number | Output field limit |
| data | array | Response data |
| id | number | Unique identifier |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| deleted_at | object | Output field deleted_at |
| time | string | Time value |
| valid | boolean | Unique identifier |
| fromprincipal | string | Output field fromprincipal |
| toprincipal | string | Output field toprincipal |
| fromprincipalprops | object | Output field fromprincipalprops |
| additionalprop1 | object | Output field additionalprop1 |
| additionalprop2 | object | Output field additionalprop2 |
| additionalprop3 | object | Output field additionalprop3 |
| fromprincipalkind | string | Output field fromprincipalkind |
| toprincipalprops | object | Output field toprincipalprops |
| additionalprop1 | object | Output field additionalprop1 |
| additionalprop2 | object | Output field additionalprop2 |
| additionalprop3 | object | Output field additionalprop3 |
| toprincipalkind | string | Output field toprincipalkind |
| relprops | object | Output field relprops |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "count": 0,
      "skip": 0,
      "limit": 0,
      "data": []
    }
  }
]
```

### List Saved Queries

Retrieve all saved queries associated with the current user in BloodHound.

- Endpoint URL: `/api/v2/saved-queries`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| skip | number | optional | This query parameter is used for determining the number of objects to skip in pagination. Required range: x >= 0 |
| limit | number | optional | This query parameter is used for setting an upper limit of objects returned in paginated responses. Required range: x >= 0 |
| sort_by | string | optional | Sortable columns are `user_id`, `name`, `query`, `id`, `created_at`, `updated_at`, `deleted_at` |
| name | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| query | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| user_id | string | optional | Filter results by column string value. Valid filter predicates are `~eq`, `eq`, `neq` |
| scope | string | optional | The `contains` predicate checks a property against the values in a given comma-separated list. `in` checks if the property matches an element in the given comma-separated list (example: `in: contains,getchangesall,memberof`). `nin` checks if the property does not match an element in the given comma-separated list (example: `nin: localtocomputer,memberoflocalgroup`) |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| skip | number | Output field skip |
| limit | number | Output field limit |
| data | array | Response data |
| id | number | Unique identifier |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| deleted_at | object | Output field deleted_at |
| time | string | Time value |
| valid | boolean | Unique identifier |
| user_id | string | Unique identifier |
| name | string | Name of the resource |
| query | string | Output field query |
| description | string | Output field description |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "count": 1,
      "skip": 1,
      "limit": 1,
      "data": []
    }
  }
]
```

### Run a Cypher Query

Execute a manual Cypher query against the BloodHound database to retrieve specific graph data.

- Endpoint URL: `/api/v2/graphs/cypher`
- Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| query | string | optional | The Cypher query to be executed. This is a string value that represents the Cypher query to be run against the database |
| include_properties | boolean | optional | Include properties in the response. This is a boolean value that determines whether to include properties in the response |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| nodes | object | Output field nodes |
| edges | array | Output field edges |
| source | string | Output field source |
| target | string | Output field target |
| label | string | Output field label |
| kind | string | Output field kind |
| lastseen | string | Output field lastseen |
| properties | object | Output field properties |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Search for Objects

Performs a search for graph objects in BloodHound using name or object ID, with optional type filtering; requires the `q` parameter.

- Endpoint URL: `/api/v2/search`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| q | string | required | Search parameter for the name or object ID of a node |
| type | string | optional | Node type. Some AD examples: `Base`, `User`, `Computer`, `Group`, `Container`. Some Azure examples: `AZBase`, `AZApp`, `AZDevice` |
| skip | number | optional | This query parameter is used for determining the number of objects to skip in pagination. Required range: x >= 0 |
| limit | number | optional | This query parameter is used for setting an upper limit of objects returned in paginated responses. Required range: x >= 0 |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| objectid | string | Unique identifier |
| type | string | Type of the resource |
| name | string | Name of the resource |
| distinguishedname | string | Name of the resource |
| system_tags | string | Output field system_tags |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "data": []
    }
  }
]
```

### Start Analysis

Initiates the generation of attack paths within the BloodHound application to identify potential security threats.

- Endpoint URL: `/api/v2/attack-paths`
- Method: PUT

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK"
  }
]
```

### Update Attack Path Risk

Updates the risk status of a specified attack path in BloodHound using the provided attack path ID, with an optional expiration time.

- Endpoint URL: `/api/v2/attack-paths/{{attack_path_id}}/acceptance`
- Method: PUT

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| attack_path_id | number | required | The ID of the attack path to update |
| headers | object | optional | HTTP headers for the request |
| prefer | number | optional | Prefer header, used to specify a custom timeout in seconds using the `wait` parameter as per RFC 7240. Required range: x >= 0 |
| risk_type | string | optional | The type of risk to be accepted or unaccepted |
| accept_until | string | optional | The date and time until the risk is accepted |
| accepted | boolean | optional | Indicates whether the risk is accepted or unaccepted |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| id | number | Unique identifier |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| deleted_at | object | Output field deleted_at |
| time | string | Time value |
| valid | boolean | Unique identifier |
| principal | string | Output field principal |
| principalkind | string | Output field principalkind |
| finding | string | Output field finding |
| domainsid | string | Unique identifier |
| props | object | Output field props |
| accepted_until | string | Output field accepted_until |
| impactpercentage | number | Output field impactpercentage |
| impactcount | number | Count value |
| severity | string | Output field severity |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```
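The following is an added example, not code from the Swimlane connector or from BloodHound: a small Python client that shows how the two authentication configurations described above (HTTP Bearer with a JWT, and the asset token ID/token key pair) turn into request headers, how the `column=predicate:value` filter syntax and `skip`/`limit` pagination of List Domain Attack Paths Details are driven, and how Run a Cypher Query and Update Attack Path Risk are called. Endpoint paths and field names are taken from this page. The HMAC signing scheme used for token ID/key authentication is my reading of the linked "Working with the BloodHound API" article and is an assumption to verify there; the host `bloodhound.example`, the `*-PLACEHOLDER` values and the canned page data are constructed for the offline demo.

```python
# Added example (not the Swimlane connector's or BloodHound's own code): a small
# BloodHound v2 API client for the two auth modes this page configures and three
# of the listed actions. The HMAC scheme for token id/key auth is an assumption
# taken from my reading of the linked "Working with the BloodHound API" article.
import base64
import datetime as dt
import hashlib
import hmac
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

def signature_headers(token_id, token_key, method, uri, body=b"", now=None):
    """Token id/key auth (assumed scheme): HMAC-SHA256 chained over METHOD+URI
    (URI includes the query string), the timestamp cut to the hour, and the body."""
    now = now or dt.datetime.now(dt.timezone.utc)
    request_date = now.strftime("%Y-%m-%dT%H:%M:%SZ")  # RFC 3339, UTC
    d = hmac.new(token_key.encode(), f"{method}{uri}".encode(), hashlib.sha256)
    d = hmac.new(d.digest(), request_date[:13].encode(), hashlib.sha256)
    d = hmac.new(d.digest(), body, hashlib.sha256)
    return {"Authorization": f"bhesignature {token_id}", "RequestDate": request_date,
            "Signature": base64.b64encode(d.digest()).decode(),
            "Content-Type": "application/json"}

def bearer_headers(jwt):
    """HTTP Bearer configuration: a JWT issued by BloodHound."""
    return {"Authorization": f"Bearer {jwt}", "Content-Type": "application/json"}

def build_query(filters=None, **params):
    """Column filters become column=predicate:value (eq, neq, ~eq, gt, gte, lt,
    lte) alongside plain params such as skip, limit and sort_by."""
    items = dict(params)
    for column, (predicate, value) in (filters or {}).items():
        items[column] = f"{predicate}:{value}"
    return urlencode(items)

class BloodHoundClient:
    def __init__(self, base_url, headers_for, transport=None):
        self.base_url = base_url.rstrip("/")
        self.headers_for = headers_for            # (method, uri, body) -> headers
        self.transport = transport or self._http  # (method, url, headers, body) -> (status, json)

    def request(self, method, uri, body=None):
        data = json.dumps(body).encode() if body is not None else b""
        return self.transport(method, self.base_url + uri, self.headers_for(method, uri, data), data)

    @staticmethod
    def _http(method, url, headers, data):  # real transport; TLS verified by default
        req = urllib.request.Request(url, data=data or None, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})

    def domain_attack_path_details(self, domain_id, finding, limit=100):
        """Walk every skip/limit page of /details for one finding type until count is exhausted."""
        skip = 0
        while True:
            qs = build_query({"finding": ("eq", finding)}, skip=skip, limit=limit)
            _, payload = self.request("GET", f"/api/v2/domains/{domain_id}/details?{qs}")
            rows = payload.get("data") or []
            yield from rows
            skip += len(rows)
            if not rows or skip >= payload.get("count", 0):
                return

    def run_cypher(self, query, include_properties=False):
        return self.request("POST", "/api/v2/graphs/cypher",
                            {"query": query, "include_properties": include_properties})

    def update_attack_path_risk(self, attack_path_id, risk_type, accepted, accept_until=None):
        body = {"risk_type": risk_type, "accepted": accepted}
        if accept_until:
            body["accept_until"] = accept_until  # RFC 3339 timestamp
        return self.request("PUT", f"/api/v2/attack-paths/{attack_path_id}/acceptance", body)

# Constructed fixtures: three /details rows served two per page, and a fixed clock.
CONSTRUCTED_PAGES = [[{"id": 1}, {"id": 2}], [{"id": 3}]]
CONSTRUCTED_NOW = dt.datetime(2023, 11, 7, 5, 31, 56, tzinfo=dt.timezone.utc)

def make_fake_transport(pages, page_size):
    """Stand-in for the HTTP layer: records every request and serves the canned pages."""
    log, total = [], sum(len(p) for p in pages)
    def transport(method, url, headers, body):
        log.append((method, url, headers, body))
        if "/details?" in url:
            skip = int(parse_qs(urlparse(url).query)["skip"][0])
            page = pages[skip // page_size] if skip // page_size < len(pages) else []
            return 200, {"count": total, "skip": skip, "limit": page_size, "data": page}
        return 200, {"data": []}
    return transport, log

def demo():
    """Drive the client offline; the upper-case placeholders stand in for real values."""
    transport, log = make_fake_transport(CONSTRUCTED_PAGES, page_size=2)
    sign = lambda m, u, b: signature_headers("TOKEN-ID-PLACEHOLDER", "TOKEN-KEY-PLACEHOLDER",
                                             m, u, b, now=CONSTRUCTED_NOW)
    client = BloodHoundClient("https://bloodhound.example/", sign, transport)
    ids = [r["id"] for r in client.domain_attack_path_details(
        "DOMAIN-ID-PLACEHOLDER", "FINDING-PLACEHOLDER", limit=2)]
    client.update_attack_path_risk(7, "RISK-TYPE-PLACEHOLDER", True, "2030-01-01T00:00:00Z")
    return {"ids": ids, "requests": len(log), "put_body": json.loads(log[-1][3]),
            "request_date": log[0][2]["RequestDate"],
            "sig_stable": sign("GET", "/x", b"")["Signature"] == sign("GET", "/x", b"")["Signature"],
            "sig_differs_by_method": log[0][2]["Signature"] != log[-1][2]["Signature"]}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the demo result: the three rows collected across two `skip`/`limit` pages, the PUT body sent to the acceptance endpoint, and the signed headers' timestamp. Against a live deployment, construct the client with no `transport` argument and either the asset signer above or `lambda m, u, b: bearer_headers(jwt)` for the HTTP Bearer configuration; because the signature covers the method, the full URI and the body, any change to the query string after signing is rejected by the server, which is why the client signs the exact URI it sends.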