BloodHound JSON Formats

This article applies to BHCE and BHE

BloodHound requires collected data to be in in a specific JSON format, which is documented in this article.

The collectors for BloodHound Enterprise (BHE) and BloodHound Community Edition (BHCE) will format the collected data correctly. Enterprise collectors run continuously and automatically upload the data to the API endpoint `/ingest`, whereas Community Edition collectors drop the JSON data to disk which then has to be uploaded manually to BloodHound via ⚙️ → Administration → File Ingest, or to the API endpoint `/file-upload`.

Users of BloodHound Enterprise can also manually upload JSON data collected from Community Edition collectors.

Users of both BHE and BHCE may also create their own JSON files and upload them to BloodHound.

Basic JSON Format

The JSON format contains two main objects:

  • data
    • An array of collected objects. One JSON file contains only one type of object, for example computers.
  • meta
    • An object containing meta-information about the collection and the `data` array.
      • methods is a bitmask of the collection method used. This is used for the BloodHound ingestor to know what data to expect. Possible values can be found in models.go as `CollectionMethods`.
      • type describes the type of objects in the data array. One JSON file can only contain one object type. Possible values can be found in models.go as `DataType`.
      • count is an integer representing the number of objects in the `data` object array.
      • version is an integer representing the version of the JSON format.
{
"data": [
{
[...]
}
],
"meta": {
"methods": 127999,
"type": "users",
"count": 1,
"version": 5
}
}

Detailed JSON Format

JSON data of each node type will vary greatly. Examples of detailed JSON formats for some node types can be found in the latest version directory in the BHCE's repository.

Updated