Skip to main content
Applies to BloodHound Enterprise only After you complete the installation and configuration, the CrowdStrike Foundry workflow can retrieve endpoint telemetry from Falcon Next-Gen SIEM, transform it to the BloodHound Enterprise schema, and upload it to your BloodHound Enterprise tenant. This page shows you how to run the workflow, review the available dashboard views, and verify a successful upload. The integration uses Foundry Functions and Falcon Fusion to automate BloodHound Enterprise data collection and ingestion.
Workflow stageDescription
Fetch telemetryRetrieves new endpoint telemetry from Falcon Next-Gen SIEM
Transform dataConverts the collected data to the BloodHound Enterprise schema before upload
Track host coverageUses a Daily Status Table to track which hosts reported during the current cycle
Retry incomplete workReconciles incomplete collection runs to improve host coverage

Run the workflow manually

The workflow runs automatically on an hourly schedule, but you can also run it manually after installation and configuration to confirm that data reaches BloodHound Enterprise successfully.
1

Open the workflow list

  1. Log in to CrowdStrike Falcon.
  2. Go to Fusion SOAR > Workflows.
    A screenshot of the workflow list interface
  3. Locate the BloodHound Enterprise NG SIEM Workflow.
2

Execute the workflow

  1. Open the workflow action menu and click Execute Workflow.
    A screenshot of the workflow action menu
  2. In the confirmation dialog, click Execute now.
    A screenshot of the execute workflow confirmation dialog
3

Open the execution results

  1. When CrowdStrike displays the workflow execution notification, click View.
    A screenshot of the view execution results interface
  2. Review the real-time execution results for the run.
    Record the reported job ID. You can use it to verify data ingestion in BloodHound Enterprise.

Review the dashboard

The CrowdStrike dashboard provides visibility into the data that the integration collects and uploads to BloodHound Enterprise. To navigate to the dashboard in CrowdStrike Falcon, go to Next-Gen SIEM > Dashboard. The dashboard displays the following visualizations to monitor host activity and data ingestion:
VisualizationDescription
Event Count - Data TypesDisplays a single-value metric highlighting the volume of specific BloodHound data types filtered by recent detection IDs
Top Active HostsDisplays a bar chart of the top five hostnames that generated the most OS query events during the selected time range
Active Interactive Logon Sessions TrackingDisplays a pie chart of interactive user logon sessions grouped by hostname and logon domain
Job Execution Audit TrailDisplays a table of upload events, including job IDs, processed event counts, and upload status
The dashboard includes a global time filter that lets you adjust the reporting range across all visualizations.

Verify upload events

The application writes an audit event to Falcon Next-Gen SIEM after it uploads data successfully to BloodHound Enterprise. After the workflow completes successfully, confirm the upload in both Falcon Next-Gen SIEM and BloodHound Enterprise.
1

Open Event Search

  1. Log in to CrowdStrike Falcon.
  2. Go to Next-Gen SIEM > Log management > Event Search.
    A screenshot of the event search interface in Falcon Next-Gen SIEM
2

Filter for upload audit events

Apply a custom filter with the following values:
FieldValue
Fieldevent_type
Operatoris equal to
Valuebloodhound_enterprise_data_collector_upload
3

Confirm the upload details

  1. Confirm that a matching event appears for the workflow run.
  2. Review the event details for the job ID, computer count, Next-Gen SIEM event counts, and checkpoint details.
  3. Record the job ID to verify data ingestion in BloodHound Enterprise.
    A screenshot of the filter interface for upload audit events
4

Open the BloodHound Enterprise tenant

  1. Log in to your BloodHound Enterprise tenant.
  2. Go to Administration > Data Collection > File Ingest.
5

Confirm the matching ingestion job

Locate the latest ingestion entry and verify it against the job ID from the Falcon Next-Gen SIEM audit event.
  • Confirm that the upload start time matches the workflow execution time.
  • Confirm that the status of the job is Complete.
A screenshot of the file ingestion management dashboard