Data reconciliation and retention

This article applies to BHE

Data reconciliation

BloodHound Enterprise (BHE) performs data reconciliation; that is, BHE automatically applies changes identified during subsequent data collections, such as removal of group membership, role assignments, access control list changes, etc.

HasSession edge reconciliation

HasSession edges are generated to indicate patterns of behavior rather than a session active at any exact moment. For this reason, HasSession edges are only reconciled when their retention/time-to-live expires, rather than being reconciled when follow-on collections no longer see the active session.

Data retention

BHE also implements data retention, i.e., a time-to-live. This retention period is as follows:

  • All objects and edges, excluding HasSession edges: 30 days
  • All HasSession edges: 7 days

Retention means BHE does not assume that a lack of visibility in a single collection means that an object or edge no longer exists; the most recent collection may simply have missed it, for example if BHE doesn't see a user object for some reason (operational issue, collection scoped to another domain, etc.).

To implement this, BHE stores a timestamp on every data point, updated whenever a new collection includes the same data point. The timestamp on nodes can be seen as the “Last Collected by BloodHound” attribute in every node’s entity panel on the “Explore” page.

On objects, this timestamp is updated both when the object itself is seen and when references to the object are seen. For example, if an object is deleted but its SID remains present in an ACE applied to some other remaining object, the timestamp will still be updated and the object will still appear present in BHE.
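As an added illustration (not BHE's own code), the following Python model applies the retention and reconciliation rules described above: a node's timestamp is refreshed both when the object is seen directly and when its SID is seen in an ACE, non-HasSession edges are reconciled away only when their source was in collection scope (an assumption made here, in line with the "collection scoped to another domain" example), HasSession edges are retired only by their 7-day TTL, and everything else ages out after 30 days. The class name, the `enumerated` parameter and the timeline are constructed for the example.

```python
from datetime import datetime, timedelta

# Retention periods stated in the article.
DEFAULT_TTL = timedelta(days=30)       # objects and all non-HasSession edges
HAS_SESSION_TTL = timedelta(days=7)    # HasSession edges


class RetentionGraph:
    """Hypothetical model of per-data-point 'last collected' timestamps (not BHE code)."""

    def __init__(self):
        self.nodes = {}  # object id (e.g. SID) -> last collected timestamp
        self.edges = {}  # (source, kind, target) -> last collected timestamp

    def ingest(self, now, objects, edges, ace_refs=(), enumerated=()):
        """Apply one collection taken at `now`.

        objects:    ids seen directly; ace_refs: ids seen only as SIDs in ACEs on
        other objects (both refresh the node timestamp, as the article describes).
        enumerated: source ids whose outgoing edges were fully collected; the
        assumption here is that reconciliation only acts on sources in scope.
        """
        for oid in set(objects) | set(ace_refs):
            self.nodes[oid] = now
        seen = set(edges)
        for key in seen:
            self.edges[key] = now
        # Reconciliation: an enumerated source whose previously known edge is no
        # longer reported (e.g. a removed group membership) loses it immediately.
        # HasSession edges are exempt and are only retired by TTL expiry.
        for src, kind, dst in list(self.edges):
            if kind != "HasSession" and src in enumerated and (src, kind, dst) not in seen:
                del self.edges[(src, kind, dst)]
        self.expire(now)

    def expire(self, now):
        """Retention: drop data points not refreshed within their TTL."""
        self.nodes = {k: t for k, t in self.nodes.items() if now - t <= DEFAULT_TTL}
        self.edges = {k: t for k, t in self.edges.items()
                      if now - t <= (HAS_SESSION_TTL if k[1] == "HasSession" else DEFAULT_TTL)}


DAY0 = datetime(2024, 1, 1)  # constructed timeline for exercising the model


def day(n):
    return DAY0 + timedelta(days=n)
```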

In cases where retention maintains visibility into an already resolved finding, the “Mute” feature may be used to hide nodes/principals in the “Attack Paths” page; see Mute/unmute attack path finding.
