What Changed

The BloodHound Enterprise connector received a comprehensive update addressing three categories of issues: deployment reliability, data collection schema validation failures, and ingestion mechanism improvements.

Security Impact (Visibility & Fidelity)

Data fidelity gaps closed: Multiple custom tables (BHEAttackPathsTimelineData_CL, BHEAuditLogsData_CL, BHETierZeroAssetsData_CL) were missing required TimeGenerated fields — KQL queries referencing these fields returned null for all rows until this fix. The BHEPostureHistoryData_CL table schema was replaced to eliminate validation errors that prevented data ingestion entirely.

Deployment reliability restored: The Function App deployment was pulling from an unstable fork repository (metron-labs/Azure-Sentinel) instead of the official Microsoft repository. Deployments using the previous configuration experienced inconsistent availability and potential version drift from the validated solution package.
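A pre-merge check for both gaps described above, as an added example that is not part of the connector or the repository's own tests. It assumes the custom-table schema files are JSON objects with a "Properties" list of Name/Type columns and that the official repository is Azure/Azure-Sentinel; the sample column name, branch and path are constructed placeholders.

```python
import json
import re

# Assumption: the official repository is github.com/Azure/Azure-Sentinel.
OFFICIAL_REPO = "azure/azure-sentinel"
GITHUB_REPO = re.compile(
    r"(?:raw\.githubusercontent\.com|github\.com)/([\w.-]+/[\w.-]+)", re.I)

def lacks_time_generated(schema_text):
    """True if the table schema has no TimeGenerated column of type DateTime."""
    columns = json.loads(schema_text).get("Properties", [])
    return not any(
        c.get("Name") == "TimeGenerated" and str(c.get("Type", "")).lower() == "datetime"
        for c in columns)

def unofficial_repos(template_text):
    """Sorted owner/repo slugs found in any template string that are not official."""
    found = set()
    def walk(node):
        if isinstance(node, dict):
            node = list(node.values())
        if isinstance(node, list):
            for child in node:
                walk(child)
        elif isinstance(node, str):
            for slug in GITHUB_REPO.findall(node):
                if slug.lower() != OFFICIAL_REPO:
                    found.add(slug)
    walk(json.loads(template_text))
    return sorted(found)

# Constructed samples (column name, branch and path are placeholders).
BROKEN_SCHEMA = json.dumps({"Name": "BHEAuditLogsData_CL", "Properties": [
    {"Name": "example_col", "Type": "String"}]})
FIXED_SCHEMA = json.dumps({"Name": "BHEAuditLogsData_CL", "Properties": [
    {"Name": "TimeGenerated", "Type": "DateTime"},
    {"Name": "example_col", "Type": "String"}]})
FORK_TEMPLATE = json.dumps({"resources": [{"properties": {"siteConfig": {"appSettings": [
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "value":
     "https://raw.githubusercontent.com/metron-labs/Azure-Sentinel/BRANCH/PATH/package.zip"}]}}}]})
OFFICIAL_TEMPLATE = FORK_TEMPLATE.replace("metron-labs/", "Azure/")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SCHEMA), ("fixed", FIXED_SCHEMA)):
        print(name, "schema lacks TimeGenerated:", lacks_time_generated(text))
    print("fork template:", unofficial_repos(FORK_TEMPLATE))
    print("official template:", unofficial_repos(OFFICIAL_TEMPLATE))
```

A package URL behind a link shortener is not resolved by this check and needs separate review.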

Connector Enhancement Details

  • Ingestion mechanism: Upgraded from basic REST API polling to Azure Functions-based data collection with dedicated DCR/DCE configuration for six data streams: attack paths, timeline data, audit logs, finding trends, posture history, and Tier Zero assets
  • API connectivity: Enhanced documentation for BloodHound Enterprise API credential setup with clearer token ID/key instructions and Microsoft Entra application requirements
  • Metric queries: Refined graph queries to provide more accurate attack path trend visualization and connectivity validation across all data types

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/BHEAttackPathsTimelineData_CL.json
.script/tests/KqlvalidationsTests/CustomTables/BHEAuditLogsData_CL.json
.script/tests/KqlvalidationsTests/CustomTables/BHEPostureHistoryData_CL.json
.script/tests/KqlvalidationsTests/CustomTables/BHEPostureHistory_CL .json
.script/tests/KqlvalidationsTests/CustomTables/BHETierZeroAssetsData_CL.json
Solutions/BloodHound Enterprise/Data Connectors/BloodHoundFunction.json
Solutions/BloodHound Enterprise/Data Connectors/azuredeploy_BloodHoundEnterprise_FunctionApp.json
(packaging artefacts: 3.2.2.zip, mainTemplate.json)