Integrate BloodHound Enterprise with Splunk

This article applies to BHE

The BloodHound Enterprise Splunk app ingests your BloodHound Enterprise data into Splunk.

  • Use the dashboards to track the Active Directory and Azure attack paths of your environment
  • Create alerts to detect when new attack paths emerge or exposure increases
  • Enrich your SIEM data with information about the attack paths to and from principals

Note: Version 2.0+ introduces ingest of BHE Audit Log data. To ingest this data successfully, the BHE API user must be assigned the 'Administrator' role in BHE.

Installation

  1. Log into your Splunk installation and click on the Find More Apps button.
  2. Search for "BloodHound Enterprise" and hit Enter. The first result should be the app.
  3. Click Install. If not already logged in, you will be prompted for your Splunk.com username and password.
  4. After installation completes, click Open the App.
  5. The App will prompt you to configure itself. Click Continue to the app setup page.
  6. If you have not already, create an API key/ID pair following the instructions here.
  7. In the setup screen, enter your domain name (CODENAME.bloodhoundenterprise.io), Token ID, and Token Key that you wish for the Splunk app to utilize and click Submit.

    Do take note of the warning at the bottom of this screen – the initial collection can take some time, particularly for longer-term BloodHound Enterprise customers.

Create Index (Splunk cloud only)

The index "bhe-splunk-app" is created automatically if you are running Splunk on-premises. On Splunk Cloud, create it manually:

  1. In Splunk Web, go to Settings > Indexes.
  2. On the Indexes page, click New Index.
  3. On the New Index page, in the Index Name field, enter "bhe-splunk-app".
  4. Click Save.

Enable Data Input

  1. In Splunk Web, go to Settings > Data inputs.
  2. Scroll down, locate, and click on BloodHound Enterprise.
  3. Click Enable to enable the data input.
  4. Data will now begin flowing into the environment. You can monitor this progress through Splunk itself with the following query:
    index=_internal source="*splunkd.log" "BHE "
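To confirm the input is healthy without clicking through Splunk Web, the following script (an added example, not part of this article or of the BHE app) runs the monitoring search above and a count of events in the "bhe-splunk-app" index through Splunk's REST API (`search/jobs` with `exec_mode=oneshot`). The management URL, credentials, and the `-24h` window are assumptions; adjust them for your deployment.

```python
"""Check that the BloodHound Enterprise Splunk app is ingesting data."""
import base64
import json
import urllib.parse
import urllib.request

# Assumed management-port endpoint and credentials (placeholders).
SPLUNK_URL = "https://localhost:8089"
SPLUNK_USER = "admin"
SPLUNK_PASS = "changeme"

# The article's monitoring search, plus a per-sourcetype count of indexed BHE data.
MONITOR_SEARCH = 'search index=_internal source="*splunkd.log" "BHE "'
DATA_SEARCH = 'search index="bhe-splunk-app" | stats count by sourcetype'


def parse_oneshot(payload: str) -> list:
    """Return the result rows from a oneshot search's JSON response."""
    return json.loads(payload).get("results", [])


def oneshot_search(spl: str, earliest: str = "-24h") -> list:
    """Run a oneshot search on the management port and return its rows."""
    body = urllib.parse.urlencode({
        "search": spl,
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": earliest,
    }).encode()
    req = urllib.request.Request(f"{SPLUNK_URL}/services/search/jobs", data=body)
    token = base64.b64encode(f"{SPLUNK_USER}:{SPLUNK_PASS}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:  # default TLS verification
        return parse_oneshot(resp.read().decode())


def summarize_ingest(log_rows: list, data_rows: list) -> dict:
    """Summarise BHE splunkd.log lines and indexed BHE events.

    log_rows come from MONITOR_SEARCH (each row carries _raw); data_rows come
    from DATA_SEARCH (each row carries sourcetype and count). Lines whose
    level is ERROR are counted separately so a stalled collection stands out.
    """
    errors = sum(1 for r in log_rows if "ERROR" in r.get("_raw", "").upper())
    events = sum(int(r.get("count", 0)) for r in data_rows)
    return {"log_lines": len(log_rows), "log_errors": errors, "events": events}


if __name__ == "__main__":
    print(summarize_ingest(oneshot_search(MONITOR_SEARCH),
                           oneshot_search(DATA_SEARCH)))
```

A result with log lines but zero events usually means the input is running but the initial collection has not finished yet; log errors point at the API domain, token, or role configured in the setup screen.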
