⚠️ BloodHound Enterprise

⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Solutions Index

Attribute	Value
Publisher	SpecterOps
Support Tier	Partner
Support Link	https://bloodhoundenterprise.io/
Categories	Security - Network
Version	3.2.2
Author	SpecterOps - support@specterops.io
First Published	2023-05-04
Last Updated	2021-05-04
Solution Folder	BloodHound Enterprise

The BloodHound Enterprise Microsoft Sentinel solution ingests your BloodHound Enterprise posture and attack paths into Microsoft Sentinel. Use the dashboards to track the Active Directory and Azure attack paths of your environment. Create alerts to detect when new attack paths emerge or new the exposure increases.

Data Connectors
Tables Used
Content Items

Data Connectors

This solution provides 1 data connector(s):

BloodHound Enterprise Data Connector (using Azure Functions)

Tables Used

This solution uses 6 table(s):

Table	Used By Connectors	Used By Content
`BHEAttackPathsData_CL`	BloodHound Enterprise Data Connector (using Azure Functions)	Analytics, Workbooks
`BHEAttackPathsTimelineData_CL`	BloodHound Enterprise Data Connector (using Azure Functions)	Workbooks
`BHEAuditLogsData_CL`	BloodHound Enterprise Data Connector (using Azure Functions)	Workbooks
`BHEFindingTrendsData_CL`	BloodHound Enterprise Data Connector (using Azure Functions)	Workbooks
`BHEPostureHistoryData_CL`	BloodHound Enterprise Data Connector (using Azure Functions)	Workbooks
`BHETierZeroAssetsData_CL`	BloodHound Enterprise Data Connector (using Azure Functions)	Workbooks

Content Items

This solution includes 108 content item(s):

Content Type	Count
Analytic Rules	102
Workbooks	6

Analytic Rules

Name	Severity	Tactics	Tables Used
BloodHound Attack Path Finding - AKS Contributor Role on Tier Zero Managed Cluster	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - AS-REP Roastable User Accounts	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Add Key Credential Link Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Add Member Privileges on Tier Zero Security Groups	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Add Members to Tier Zero Group	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Add Owner to Tier Zero Object via MS Graph App Role	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Add Resource-Based Constrained Delegation Privileges on Tier Zero Computers	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Add Secret to Tier Zero Principal	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - AddOwner Role on Tier Zero Resource	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - AddSelf Privilege on Tier Zero Security Groups	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Admins on Tier Zero Computers	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - AllExtended Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - App Admin Control of Tier Zero Principal	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Avere Contributor Role on Tier Zero Virtual Machine	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Cloud App Admin Over Tier Zero Principal	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Command Execution on Tier Zero Virtual Machine	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Computers Vulnerable to Coercion-Based NTLM Relay to SMB Attack	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Constrained Delegation on Tier Zero Computers	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Contributor Role on Tier Zero Automation Account	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Contributor Role on Tier Zero Resource	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - DCOM Users on Tier Zero Computers	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - ForceChangePassword Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - GenericAll Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - GenericWrite Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Get Certifcates on Tier Zero Key Vault	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Get Keys on Tier Zero Key Vault	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Get Secrets on Tier Zero Key Vault	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Kerberoastable User Accounts	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Kerberos Delegation on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Key Vault Contributor Role on Tier Zero Resource	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Group With SyncLapsPassword Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With Add Key Credential Link Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With Add Member Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With Add Self Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With All Extended Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With ForceChangePassword Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With GenericAll Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With GenericWrite Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With Limited Ownership Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With Ownership Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With RDP Access	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With Read GMSA Password Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With Read LAPS Password Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With Resource-Based Constrained Delegation Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With WriteAccountRestrictions Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With WriteDacl Privilege	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With WriteGpLink Privilege	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With WriteOwner Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With WriteOwnerLimitedRights Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups With WriteServicePrincipalName Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups in DCOM Users Groups	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups in Local Administrator Groups	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups in PS Remote Users Groups	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Large Default Groups in SQL Admins Groups	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Legacy SID History on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Limited Ownership Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Logic App Contributor Role on Tier Zero Logic App	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Logons From Tier Zero Users	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC1 Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC10 Scenario A Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC13 Privileges Against Tier Zero Group	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non Tier Zero Resource Assigned to Tier Zero Service Principal	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero AD User Synced to Tier Zero Entra User	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Computer Hosting EnterpriseCA Trusted for NT Authentication	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Entra User Synced to Tier Zero AD User	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero App Roles	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero Entra ID Role	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principal Trusted for Unconstrained Delegation	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC10 Scenario B Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC3 Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC4 Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario A Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario B Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario A Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario B Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Non-Tier Zero Principals With DCSync Privileges	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Owner Role on Tier Zero Resource	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Ownership Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Ownership of Tier Zero Principal	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - PS Remote Users on Tier Zero Computers	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - RDP Users on Tier Zero Computers	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Read GMSA Password Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - ReadLapsPassword Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Reset a Tier Zero User's Password	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - SQL Admin Users on Tier Zero Computers	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - SyncLapsPassword Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to ADCS (ESC8) Attack	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAP Attack	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAPS Attack	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Tier Zero Group Control via MS Graph App Role	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Tier Zero SMSA Installed on Non-Tier Zero Computer	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Tier Zero Service Principal Control via MS Graph App Role	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - User Access Admin Role on Tier Zero Resource	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - VM Admin Login Role on Tier Zero System	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - VM Contributor Role on Tier Zero System	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Website Contributor Role on Tier Zero Resource	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - Write Account Restrictions Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - WriteDacl Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - WriteGpLink Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - WriteOwner Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - WriteOwnerLimitedRights Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`
BloodHound Attack Path Finding - WriteServicePrincipalName Privileges on Tier Zero Objects	Medium	-	`BHEAttackPathsData_CL`

Workbooks

Name	Tables Used
BloodHoundEnterpriseAttackPathDetails	`BHEAttackPathsData_CL` `BHEAttackPathsTimelineData_CL`
BloodHoundEnterpriseAttackPathOverview	`BHEAttackPathsData_CL`
BloodHoundEnterpriseAuditLogs	`BHEAuditLogsData_CL`
BloodHoundEnterpriseTierZeroSearch	`BHETierZeroAssetsData_CL`
BloodHoundFindingTrends	`BHEFindingTrendsData_CL`
BloodHoundPostureHistory	`BHEPostureHistoryData_CL`

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.2.2	20-05-2026	Updated Data Connector documentation, API credential instructions, and metric queries; updated Azure deployment URL, solution/connector IDs, and custom table definitions. Updated BloodHound Enterprise solution logo (`BHE_Logo.svg`) to align with current branding.
3.2.1	13-01-2026	Updated WEBSITE_RUN_FROM_PACKAGE to use Microsoft-managed aka.ms URL
3.2.0	15-09-2025	Added two extra Workbooks (Finding Trends & Posture History). Upgraded Data Connector to Azure Function.
3.1.2	25-02-2025	Bump version for portal deployment
3.1.1	01-02-2025	Fixed compilation error in golang Data Connector function app. Removed non-working function app installation hint, the workspace name.
	17-12-2024	Updated Workbooks - principals now shown properly, percentages calculated correctly, Data Connector function app mapping to custom table fixed
3.1.0	17-11-2024	Updated Solution: table schema updated, new Workbooks, new golang Data Connector function app uses bloodhound-golang-sdk
3.0.0	20-07-2023	Initial Solution Release