
BloodHound Enterprise
Identity Management- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The BloodHound Enterprise connector integrates with BloodHound Enterprise, SpecterOps' Attack Path Management platform for Active Directory and Azure AD/Entra ID environments. It syncs attack-path findings and the identity assets involved in those paths.
For each attack-path finding it pulls from the BloodHound Enterprise API, the connector emits:
- Findings — individual attack-path exposures, modeled as violations.
- Violation Definitions — the finding catalog entries (descriptions, remediation, references).
- Computers, Users, and Groups — the Active Directory / Azure identity assets that are the targets of findings.
All data is derived from the attack-path details feed; the connector parses that feed once per sync and routes each record to the appropriate model.
Data retrieved from BloodHound Enterprise
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Finding | Yes | Violation |
| Violation Definition | Yes | Violation Definition |
| Computer | Yes | Host |
| User | Yes | Person |
| Group | Yes | Team |
Model relationships
For detailed steps on how to view the data retrieved from BloodHound Enterprise in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select BloodHound Enterprise from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | No | — | BloodHound Enterprise API URL |
| API ID | No | — | BloodHound Enterprise API ID |
| API Key | No | — | BloodHound Enterprise API Key |
| Sync all findings | No | — | This will sync all findings from bloodhound. if selected some of the findings will not be related to assets in Brinqa. |
Authentication
BloodHound Enterprise uses a request-signing scheme based on HMAC-SHA256. Every request carries an API ID and a per-request signature derived from the secret API key; no token-exchange round trip is required.
Each outbound request includes the following headers:
| Header | Value |
|---|---|
Authorization | bhesignature {API ID} |
RequestDate | Current UTC timestamp, formatted yyyy-MM-dd'T'HH:mm:ss'Z' |
Signature | Base64-encoded HMAC-SHA256 digest chain (see below) |
Signature computation
The signature is computed as a three-stage HMAC-SHA256 chain, each stage using the output of the previous stage as the key:
digest1 = HMAC-SHA256(key = apiKey, data = HTTPMethod + URIPath)— whereURIPathincludes the raw query string when present.digest2 = HMAC-SHA256(key = digest1, data = RequestDate[0..13])— the first 13 characters of the request timestamp (date + hour).signature = Base64(HMAC-SHA256(key = digest2, data = <empty body>)).
Connection test
| Method | URL |
|---|---|
| GET | {API URL}/api/version |
A successful (2xx) response to the version endpoint confirms that the API ID and API Key are valid. The same signed headers are attached to every subsequent data request.
How to obtain BloodHound Enterprise credentials
Obtain the required credentials (API URL, API ID, API Key) from your BloodHound Enterprise administrator or the BloodHound Enterprise admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Finding
| Source Field Name | SDM Attribute |
|---|---|
derived from FindingResource.accepted_until | ACCEPTED |
derived from FindingResource.deleted_at | STATUS |
derived from FindingResource.deleted_at | PROVIDER_STATUS |
derived from FindingResource.deleted_at | SOURCE_STATUS |
FindingResource.accepted_until | ACCEPTED_UNTIL |
FindingResource.created_at | SOURCE_CREATED_DATE |
FindingResource.deleted_at.Time | DELETED_AT |
FindingResource.finding_name | TYPE |
FindingResource.id | UID |
FindingResource.id | NAME |
FindingResource.source_kind | RELATED_FROM_KIND |
FindingResource.source_properties.distinguishedname | RELATED_FROM_DISTINGUISHED_NAME |
FindingResource.source_properties.lastseen | RELATED_FROM_LAST_SEEN |
FindingResource.source_properties.name | RELATED_FROM_NAME |
FindingResource.sourceid | RELATED_FROM |
FindingResource.target_id | RELATED_TO |
FindingResource.target_kind | RELATED_TO_KIND |
FindingResource.target_properties.distinguishedname | RELATED_TO_DISTINGUISHED_NAME |
FindingResource.target_properties.lastseen | RELATED_TO_LAST_SEEN |
FindingResource.target_properties.name | RELATED_TO_NAME |
FindingResource.target_properties.objectid | TARGETS |
FindingResource.updated_at | SOURCE_LAST_MODIFIED |
Violation Definition
| Source Field Name | SDM Attribute |
|---|---|
FindingAssetResource.long_description.md (Base64-decoded) | DESCRIPTION |
FindingAssetResource.long_remediation.md (Base64-decoded) | REMEDIATION |
FindingAssetResource.name | UID |
FindingAssetResource.name | NAME |
FindingAssetResource.references.md (Base64-decoded) | REFERENCES |
FindingAssetResource.short_description.md (Base64-decoded) | SHORT_DESCRIPTION |
FindingAssetResource.short_remediation.md (Base64-decoded) | SHORT_REMEDIATION |
FindingAssetResource.type.md (Base64-decoded) | CATEGORIES |
Computer
| Source Field Name | SDM Attribute |
|---|---|
SourceTargetProperties.description | DESCRIPTION |
SourceTargetProperties.displayname | DISPLAY_NAME |
SourceTargetProperties.distinguishedname | DISTINGUISHED_NAME |
SourceTargetProperties.domain | DOMAIN |
SourceTargetProperties.domainsid | DOMAIN_SID |
SourceTargetProperties.enabled | ENABLED |
SourceTargetProperties.lastseen | LAST_SEEN |
SourceTargetProperties.name (falls back to objectid) | NAME |
SourceTargetProperties.objectid | UID |
SourceTargetProperties.operatingsystem | OPERATING_SYSTEM |
SourceTargetProperties.ownersid | OWNER_SID |
SourceTargetProperties.samaccountname | SAM_ACCOUNT_NAME |
SourceTargetProperties.serviceprincipalnames | SERVICE_PRINCIPAL_NAMES |
SourceTargetProperties.whencreated | SOURCE_CREATED_DATE |
| target kind | CATEGORIES |
User
| Source Field Name | SDM Attribute |
|---|---|
SourceTargetProperties.description | DESCRIPTION |
SourceTargetProperties.displayname | DISPLAY_NAME |
SourceTargetProperties.distinguishedname | DISTINGUISHED_NAME |
SourceTargetProperties.domain | DOMAIN |
SourceTargetProperties.domainsid | DOMAIN_SID |
SourceTargetProperties.email | |
SourceTargetProperties.enabled | ENABLED |
SourceTargetProperties.lastseen | LAST_SEEN |
SourceTargetProperties.name (falls back to objectid) | NAME |
SourceTargetProperties.objectid | UID |
SourceTargetProperties.ownersid | OWNER_SID |
SourceTargetProperties.samaccountname | SAM_ACCOUNT_NAME |
SourceTargetProperties.whencreated | SOURCE_CREATED_DATE |
| target kind | CATEGORIES |
Group
| Source Field Name | SDM Attribute |
|---|---|
SourceTargetProperties.description | DESCRIPTION |
SourceTargetProperties.distinguishedname | DISTINGUISHED_NAME |
SourceTargetProperties.domain | DOMAIN |
SourceTargetProperties.domainsid | DOMAIN_SID |
SourceTargetProperties.lastseen | LAST_SEEN |
SourceTargetProperties.name (falls back to objectid) | NAME |
SourceTargetProperties.objectid | UID |
SourceTargetProperties.ownersid | OWNER_SID |
SourceTargetProperties.samaccountname | SAM_ACCOUNT_NAME |
SourceTargetProperties.whencreated | SOURCE_CREATED_DATE |
| target kind | CATEGORIES |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Finding
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v2/attack-paths/details
Violation Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v2/attack-paths/details
Computer
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v2/attack-paths/details
User
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v2/attack-paths/details
Group
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v2/attack-paths/details
Changelog
The BloodHound Enterprise connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.1 | Overview The BloodHound Enterprise connector integrates with BloodHound Enterprise to synchronize Active Directory attack path findings along with the computers, users, and groups involved in those exposures. Category: Identity Management Models | N/A |