This document provides technical design details and API reference information for the BloodHound Enterprise integration with Cortex XSOAR. For configuration instructions, see Configure the integration.
Integration type
The SpecterOps BloodHound Enterprise integration is a vulnerability management integration that enables automated retrieval of attack path findings from BloodHound Enterprise into Cortex XSOAR. This streamlines incident creation and investigation for Active Directory and Microsoft Azure environments.
Use cases
Automated attack path detection and incident creation
Automatically fetch new attack paths from BloodHound Enterprise
Create incidents in XSOAR for each detected attack path
Filter incidents by domain and finding type
Track attack paths with granular timestamp-based deduplication
Asset information retrieval
Path analysis and investigation
Check if attack paths exist between two principals in the environment
Search for objects by name to retrieve their object IDs
Analyze relationships between principals and assets
Multi-domain and multi-finding type support
Support for multiple Active Directory domains
Filter by specific domains or finding types
Track attack paths per domain and finding type combination
Authentication
The integration uses HMAC-based signature authentication with the following process:
Generate HMAC signature using SHA-256 with the token key
Include token ID, request date, and signature in request headers
Format: Authorization: bhesignature {token_id}
Include RequestDate header in ISO format
Include Signature header as base64-encoded HMAC digest
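As an added example (not the integration's own code), here is one way to produce and check the three headers listed above in Python. The key chaining (method plus URI, then the date and hour of RequestDate, then the body) follows BloodHound's published API signing scheme and goes beyond what this page states; token_id and token_key are the configuration parameters, and the function names and the server-side verifier are assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Added example, not the integration's own code. The three-stage HMAC chain
# (method+URI, then the date+hour of RequestDate, then the body) follows
# BloodHound's published API signing scheme; this page only states that the
# Signature header is a base64-encoded HMAC-SHA256 keyed with the token key.


def _bhe_digest(token_key: str, method: str, uri: str, request_date: str, body: bytes) -> bytes:
    """Each stage is keyed with the previous stage's digest, so method, URI,
    request hour and body are all bound to the final signature."""
    stage1 = hmac.new(token_key.encode(), f"{method}{uri}".encode(), hashlib.sha256)
    # Only "YYYY-MM-DDTHH" is signed: the signature is tied to the hour of the
    # request, and the server additionally checks the full RequestDate header.
    stage2 = hmac.new(stage1.digest(), request_date[:13].encode(), hashlib.sha256)
    stage3 = hmac.new(stage2.digest(), body, hashlib.sha256)
    return stage3.digest()


def build_bhe_headers(token_id: str, token_key: str, method: str, uri: str,
                      body: bytes = b"", request_date: str = "") -> dict:
    """Client side: Authorization, RequestDate and Signature headers for one request."""
    if not request_date:
        request_date = datetime.now(timezone.utc).isoformat("T")  # ISO 8601 with offset
    signature = _bhe_digest(token_key, method, uri, request_date, body)
    return {
        "Authorization": f"bhesignature {token_id}",
        "RequestDate": request_date,
        "Signature": base64.b64encode(signature).decode(),
    }


def verify_bhe_signature(headers: dict, token_key: str, method: str, uri: str,
                         body: bytes = b"") -> bool:
    """Server side (hypothetical): recompute the digest with the token key that
    belongs to the token ID in Authorization and compare in constant time."""
    try:
        sent = base64.b64decode(headers["Signature"], validate=True)
    except (KeyError, ValueError):
        return False
    expected = _bhe_digest(token_key, method, uri, headers.get("RequestDate", ""), body)
    return hmac.compare_digest(sent, expected)
```

Because only the hour of RequestDate enters the digest, two requests signed within the same hour for the same method, URI and body carry the same Signature; the full RequestDate header is what the server uses to reject stale requests.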
Configuration parameters
| Parameter | Display Name | Type | Required | Description |
|---|---|---|---|---|
| url | Server URL | String | Yes | The BloodHound Enterprise server URL (e.g., bhe.example.com or https://bhe.example.com) |
| token_id | Token ID | String | Yes | The API token ID for authentication |
| token_key | Token Key | Password | Yes | The API token key for HMAC signature authentication |
| finding_domain | Selected Environments | String | No | Comma-separated list of domain names to monitor, or "all" for all domains. Default: "all" |
| finding_category | Selected Finding Types | String | No | Comma-separated list of finding types to monitor, or "all" for all types. Default: "all" |
| incidentFetchInterval | Incident Fetch Interval (minutes) | Number | No | The interval in minutes between incident fetches. Default: 10 minutes |
| isFetch | Fetch incidents | Boolean | No | Enable automatic incident fetching. Default: false |
| proxy_url | Custom Proxy URL | String | No | Custom proxy server URL (optional) |
| proxy_username | Proxy Username | String | No | Username for proxy authentication (if required) |
| proxy_password | Proxy Password | Password | No | Password for proxy authentication (if required) |
| insecure | Trust any certificate (not secure) | Boolean | No | Skip SSL certificate verification. Default: false |
| proxy | Use system proxy settings | Boolean | No | Use system proxy settings. Default: false |
Commands and outputs
test-module
Tests the connection to the BloodHound Enterprise API.
Arguments: None
Context outputs: None
Human-readable output:
Success: “ok”
Failure: Error message indicating the specific failure reason (Unauthorized, Bad Request, Forbidden, Server Error, DNS resolution error, etc.)
bhe-get-object-id
Retrieves object IDs for one or more objects by their names.
Arguments:

| Argument | Type | Description | Required |
|---|---|---|---|
| object_names | String | Comma-separated list of object names to search for | Yes |

Context outputs:

| Path | Type | Description |
|---|---|---|
| SpecterOpsBHE.Object.Name | String | The object name that was searched |
| SpecterOpsBHE.Object.Status | String | Status of the search ("success" or "error") |
| SpecterOpsBHE.Object.Message | String | Status message |
| SpecterOpsBHE.Object.Data | Array | Array of matching objects with id, name, and type |

Human-readable output:

Object ID Search Results

| Object Name | Status | Object ID | Type |
|---|---|---|---|
| user@example.com | success | S-1-5-21-… | User |
| COMPUTER01 | success | S-1-5-21-… | Computer |
bhe-fetch-asset-info
Retrieves detailed information about one or more assets by their object IDs.
Arguments:

| Argument | Type | Description | Required |
|---|---|---|---|
| object_ids | String | Comma-separated list of object IDs to fetch information for | Yes |

Context outputs:

| Path | Type | Description |
|---|---|---|
| SpecterOpsBHE.Asset.ObjectId | String | The object ID |
| SpecterOpsBHE.Asset.Name | String | Asset name |
| SpecterOpsBHE.Asset.Type | String | Asset type (User, Computer, AZUser, AZApp, etc.) |
| SpecterOpsBHE.Asset.Status | String | Status of the fetch operation |
| SpecterOpsBHE.Asset.Data | Object | Complete asset data including properties and related entity counts |

Human-readable output:

Asset Information

| Object ID | Name | Type | Status |
|---|---|---|---|
| S-1-5-21-… | user@example.com | User | success |
For Azure objects, the response includes additional related entity counts such as group membership counts, role assignments, inbound/outbound control counts, and abusable app role assignments (for service principals).
bhe-does-path-exist
Checks if an attack path exists between two principals in the BloodHound Enterprise graph.
Arguments:

| Argument | Type | Description | Required |
|---|---|---|---|
| FromPrincipal | String | Object ID of the source principal | Yes |
| ToPrincipal | String | Object ID of the target principal | Yes |

Context outputs:

| Path | Type | Description |
|---|---|---|
| SpecterOpsBHE.Path.Exists | Boolean | Whether a path exists between the principals |
| SpecterOpsBHE.Path.FromPrincipal | String | Source principal object ID |
| SpecterOpsBHE.Path.ToPrincipal | String | Target principal object ID |
| SpecterOpsBHE.Path.Status | String | Status of the path check operation |

Human-readable output:

Path Existence Check

| From Principal | To Principal | Path Exists | Status |
|---|---|---|---|
| S-1-5-21-… | S-1-5-21-… | true | success |
fetch-incidents
Fetches attack path findings from BloodHound Enterprise and creates incidents in XSOAR (automatically executed when isFetch is enabled).
Arguments: None

Context outputs:

| Path | Type | Description |
|---|---|---|
| SpecterOpsBHE.Incident.Name | String | Incident name (format: {INSTANCE} - {DOMAIN} - {PATH_TITLE}) |
| SpecterOpsBHE.Incident.Type | String | Incident type: "SpecterOpsBHE Attack Path" |
| SpecterOpsBHE.Incident.Severity | Number | Severity level (1=Low, 2=Medium, 3=High, 4=Critical) |
| SpecterOpsBHE.Incident.AttackId | String | Unique attack path ID |
| SpecterOpsBHE.Incident.Domain | String | Domain name where the attack path was detected |
| SpecterOpsBHE.Incident.PathTitle | String | Human-readable title of the attack path |
| SpecterOpsBHE.Incident.FindingType | String | Finding type identifier |
| SpecterOpsBHE.Incident.ImpactPercentage | Number | Impact percentage (0-100) |
| SpecterOpsBHE.Incident.ImpactCount | Number | Number of impacted principals |
| SpecterOpsBHE.Incident.ExposurePercentage | Number | Exposure percentage (0-100) |
| SpecterOpsBHE.Incident.ExposureCount | Number | Number of exposed principals |
| SpecterOpsBHE.Incident.ImpactedPrincipal | String | Object ID of the impacted principal |
| SpecterOpsBHE.Incident.ImpactedPrincipalName | String | Name of the impacted principal |
| SpecterOpsBHE.Incident.ImpactedPrincipalKind | String | Type of the impacted principal |
| SpecterOpsBHE.Incident.ImpactedPrincipalObjectId | String | Object ID of the impacted principal |
| SpecterOpsBHE.Incident.NonTierZeroPrincipal | String | Object ID of the non-tier-zero principal (if applicable) |
| SpecterOpsBHE.Incident.NonTierZeroPrincipalName | String | Name of the non-tier-zero principal (if applicable) |
| SpecterOpsBHE.Incident.ObjectIds | String | Comma-separated list of object IDs involved |
| SpecterOpsBHE.Incident.ObjectNames | String | Comma-separated list of object names involved |
| SpecterOpsBHE.Incident.ShortDescription | String | Short description of the attack path |
| SpecterOpsBHE.Incident.ShortRemediation | String | Short remediation guidance |
| SpecterOpsBHE.Incident.LongRemediation | String | Detailed remediation guidance |
| SpecterOpsBHE.Incident.CreatedAt | String | Timestamp when the attack path was created |
| SpecterOpsBHE.Incident.UpdatedAt | String | Timestamp when the attack path was last updated |
| SpecterOpsBHE.Incident.Accepted | Boolean | Whether the attack path has been accepted |
| SpecterOpsBHE.Incident.AcceptedUntil | String | Date until which the attack path is accepted (if applicable) |
Fetch logic:
Lock Mechanism: Uses integration context to prevent concurrent fetch operations
Domain Filtering: Fetches available domains and filters by finding_domain parameter
Finding Type Collection: Collects available finding types for each domain
Finding Type Filtering: Filters finding types by finding_category parameter
Path Metadata Fetching: Retrieves titles, descriptions, and remediation guidance for each finding type
Incremental Fetching: Uses timestamp-based filtering to only fetch new attack paths since last run
Granular Tracking: Tracks timestamps per {domain_name}:{finding_type} combination for precise deduplication
Pagination: Handles pagination for large result sets (up to 1000 results per page)
Incident Creation: Creates one incident per attack path with all relevant metadata
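As an added example (not the integration's own code), the Incremental Fetching and Granular Tracking steps above can be modelled as one high-water-mark timestamp per {domain_name}:{finding_type} key, which keeps a slow or quiet domain from masking new findings elsewhere. The finding field names (domain, finding_type, created_at, id), the choice of created_at as the tracked timestamp, and the sample data are assumptions.

```python
from datetime import datetime

# Added example, not the integration's own code. Models the "Incremental
# Fetching" and "Granular Tracking" steps: one high-water-mark timestamp per
# "{domain_name}:{finding_type}" key. Field names (domain, finding_type,
# created_at, id) and the use of created_at as the tracked timestamp are assumed.

# Constructed sample findings, not real BloodHound Enterprise output.
SAMPLE_FINDINGS = [
    {"id": "ap-1", "domain": "CORP.LOCAL", "finding_type": "T0GenericAll", "created_at": "2024-05-01T10:00:00Z"},
    {"id": "ap-2", "domain": "CORP.LOCAL", "finding_type": "T0GenericAll", "created_at": "2024-05-01T12:00:00Z"},
    {"id": "ap-3", "domain": "CORP.LOCAL", "finding_type": "Kerberoasting", "created_at": "2024-05-01T09:00:00Z"},
    {"id": "ap-4", "domain": "DEV.LOCAL", "finding_type": "T0GenericAll", "created_at": "2024-05-01T08:00:00Z"},
]
# Constructed last-run state as it would be kept in the integration context.
SAMPLE_LAST_RUN = {
    "CORP.LOCAL:T0GenericAll": "2024-05-01T11:00:00Z",
    "CORP.LOCAL:Kerberoasting": "2024-05-01T09:00:00Z",
}


def _parse_ts(ts: str) -> datetime:
    # Timestamps are ISO 8601; fromisoformat() before Python 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_new_findings(findings, last_run):
    """Return (new_findings, updated_last_run) without mutating last_run.

    A finding is new when it is strictly newer than the stored mark for its own
    domain:finding_type key, or when that key has never been seen. Comparing
    against the previous run's marks (not marks updated mid-batch) keeps an
    older finding in the same batch from being dropped, and marks only move
    forward, so a re-delivered old finding cannot reset the watermark.
    """
    marks = dict(last_run)
    new = []
    for f in findings:
        key = f"{f['domain']}:{f['finding_type']}"
        ts = _parse_ts(f["created_at"])
        floor = last_run.get(key)
        if floor is not None and ts <= _parse_ts(floor):
            continue  # already turned into an incident on an earlier run
        new.append(f)
        if key not in marks or ts > _parse_ts(marks[key]):
            marks[key] = f["created_at"]
    return new, marks
```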
API endpoints
The integration uses the following BloodHound Enterprise API v2 endpoints:
| Endpoint | Path | Description |
|---|---|---|
| available_domain | /api/v2/available-domains | Get list of available domains |
| search | /api/v2/search?q={query} | Search for objects by name |
| dictionary_types | /api/v2/{obj_type}s/{object_id} | Get directory object details |
Supported object types
Active Directory types
User
Computer
Group
Container
Domain
GPO (Group Policy Object)
Aiaca
Rootca
Enterpriseca
Ntauthstore
Certtemplate
OU (Organizational Unit)
Azure types
AZApp (Azure Application)
AZGroup (Azure Group)
AZUser (Azure User)
AZRole (Azure Role)
AZTenant (Azure Tenant)
AZServicePrincipal (Azure Service Principal)
AZAutomationAccount (Azure Automation Account)
Error handling
The integration implements comprehensive error handling with specific exception types:
| Exception Type | HTTP Status | Description |
|---|---|---|
| BloodHoundBadRequestException | 400 | Invalid request parameters |
| BloodHoundUnauthorizedException | 401 | Authentication failure |
| BloodHoundForbiddenException | 403 | Insufficient permissions |
| BloodHoundNotFoundException | 404 | Resource not found |
| BloodHoundRateLimitException | 429 | Rate limit exceeded |
| BloodHoundServerErrorException | 500+ | Server errors |
Retry logic
Automatic retry for rate limit (429) and server errors (500, 502, 503, 504)
Maximum of 3 retry attempts
Immediate retry without exponential backoff
Memory limitation handling
Gracefully handles memory limitation errors for large queries (especially for AZTenant)
Returns appropriate error messages when memory limits are encountered
Sets related entity counts to 0 when memory limitations occur