Data reconciliation
BloodHound Enterprise (BHE) will perform data reconciliation. That is, BHE will automatically update changes identified during subsequent data collections, such as the removal of group membership, role assignments, access control list changes, etc.
HasSession edge reconciliation
HasSession edges are generated to indicate patterns of behavior rather than session active at any exact moment. For this reason, HasSession edges are only reconciled based on their retention/time-to-live expiring, rather than reconciling upon follow-on collections no longer seeing the active session.
Data retention
BloodHound Enterprise (BHE) implements data retention, i.e., a time-to-live where data that has not been collected and ingested for a certain period will get deleted from BHE. This retention period is configurable and is by default:
- Session Data, i.e. HasSession edges: 3 days
- General Data, i.e. objects/nodes and relationships/edges, excluding HasSession edges: 7 days
Tier Zero tags on deleted nodes will remain, and the Group Management page will show the deleted node as an object ID.
Data retention periods can be changed at ⚙️ > Administration > BloodHound Configuration:
Retention means BHE does not assume that lack of visibility during a single collection means that an object or edge no longer exists; it’s possible that the most recent collection, for example, if BHE doesn't see a user object for some reason (operational issue, collection scoped to another domain, etc.).
On objects, this timestamp is updated for both visibility of the object itself and visibility to references of the object. For example, if an object is deleted, but the SID remains present in an ACE applied to some other remaining object, this timestamp will be updated, and the object will appear present in BHE.
To implement this, BHE stores a timestamp on every data point, updated whenever a new collection includes the same data point. The timestamp on nodes can be seen as the “Last Collected by BloodHound” attribute in every node’s entity panel on the “Explore” page.
In cases where retention maintains visibility into an already resolved finding, the “Mute” feature may be used to hide nodes/principals in the “Attack Paths” page, see Mute/unmute attack path finding.
Active Directory recycle bin
BHE's data retention period starts once an object has been permanently deleted from Active Directory, that is, after the object has left retention in the AD recycle bin. By default, the AD recycle bin has a retention (tombstone lifetime) of 180 days; thus, the default total retention for nodes will be 180 days + 7 days = 187 days.
Check if the AD recycle bin has been enabled for the forest:
# Returns 'True' if the AD recycle bin has been enabled
[bool](Get-ADOptionalFeature -Identity 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a | select -ExpandProperty EnabledScopes)
Check the AD recycle bin's retention period (tombstone lifetime):
# Returns the number of days the AD recycle bin retains deleted objects (tombstone lifetime)
$ForestConfigurationNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ForestConfigurationNC" -Partition $ForestConfigurationNC -Properties tombstoneLifetime | select tombstoneLifetime
Updated