What Changed
All six BloodHound Enterprise workbooks were updated to replace implicit time-context inheritance (via the deprecated timeContextFromParameter reference) with an explicit 30-day sliding window on every parameter query:
- BloodHoundEnterpriseAttackPathDetails
- BloodHoundEnterpriseAttackPathOverview
- BloodHoundEnterpriseAuditLogs
- BloodHoundEnterpriseTierZeroSearch
- BloodHoundFindingTrends
- BloodHoundPostureHistory
The change sets durationMs: 2592000000 (30 days) on each parameter query block and removes the now-redundant timeContextFromParameter and hardcoded key fields. Fallback resourceIds arrays are also cleared.
Security Impact
Operators using BloodHound Enterprise workbooks in Microsoft Sentinel were receiving empty or erroring parameter dropdowns due to the absence of a resolved time context. This meant attack path filter dropdowns (by tier, finding type, asset, etc.) were non-functional – analysts could not scope workbook views to specific assets or finding categories. The fix restores full workbook interactivity for Active Directory attack path analysis and Tier Zero asset monitoring.
No detection logic, KQL queries, or entity mappings were changed – this is a workbook rendering fix only.
Affected Files
Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathDetails.json
Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAttackPathOverview.json
Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseAuditLogs.json
Solutions/BloodHound Enterprise/Workbooks/BloodHoundEnterpriseTierZeroSearch.json
Solutions/BloodHound Enterprise/Workbooks/BloodHoundFindingTrends.json
Solutions/BloodHound Enterprise/Workbooks/BloodHoundPostureHistory.json
(packaging artefacts: 3.2.2.zip, ReleaseNotes.md, mainTemplate.json)
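A check for the change described under What Changed, written here as an added example and not taken from the pull request or the solution's own tooling: it walks a workbook JSON and reports any parameter query that still carries timeContextFromParameter, lacks the explicit 30-day durationMs, or ships a non-empty fallback resource list. The key layout (a parameters list, durationMs nested under timeContext, a top-level fallbackResourceIds), the sample workbook, and the function names are assumptions.

```python
import json

THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000  # 2592000000, the durationMs value named above

# Constructed sample (not from the repository); key names are assumed, see lead-in.
SAMPLE_WORKBOOK = json.loads("""
{
  "items": [{"type": 9, "content": {"parameters": [
    {"name": "Tier", "query": "SampleTable_CL | distinct Tier",
     "timeContextFromParameter": "TimeRange"},
    {"name": "FindingType", "query": "SampleTable_CL | distinct FindingType",
     "timeContext": {"durationMs": 2592000000}},
    {"name": "Label", "value": "static, no query"}
  ]}}],
  "fallbackResourceIds": ["/subscriptions/PLACEHOLDER/resourceGroups/PLACEHOLDER"]
}
""")

def iter_parameters(node):
    """Yield every dict found inside a 'parameters' list, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "parameters" and isinstance(value, list):
                yield from (p for p in value if isinstance(p, dict))
            yield from iter_parameters(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_parameters(item)

def audit_workbook(workbook):
    """Return (parameter name, problem) pairs for settings the fix should have removed."""
    findings = []
    for param in iter_parameters(workbook):
        if "query" not in param:
            continue  # static parameters have no time context to resolve
        name = param.get("name", "<unnamed>")
        if "timeContextFromParameter" in param:
            findings.append((name, "still inherits time via timeContextFromParameter"))
        duration = (param.get("timeContext") or {}).get("durationMs")
        if duration != THIRTY_DAYS_MS:
            findings.append((name, f"durationMs is {duration!r}, expected {THIRTY_DAYS_MS}"))
    if workbook.get("fallbackResourceIds"):
        findings.append(("<workbook>", "fallbackResourceIds is not empty"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_workbook(SAMPLE_WORKBOOK):
        print(f"{name}: {problem}")
```

Pointing it at each file listed under Affected Files (loaded with json.load) gives a quick regression check that a later edit has not reintroduced the inherited time context.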