| Workflow stage | Description |
|---|---|
| Fetch telemetry | Retrieves new endpoint telemetry from Falcon Next-Gen SIEM |
| Transform data | Converts the collected data to the BloodHound Enterprise schema before upload |
| Track host coverage | Uses a Daily Status Table to track which hosts reported during the current cycle |
| Retry incomplete work | Reconciles incomplete collection runs to improve host coverage |
Run the workflow manually
The workflow runs automatically on an hourly schedule, but you can also run it manually after installation and configuration to confirm that data reaches BloodHound Enterprise successfully.Open the workflow list
- Log in to CrowdStrike Falcon.
-
Go to Fusion SOAR > Workflows.

- Locate the BloodHound Enterprise NG SIEM Workflow.
Execute the workflow
-
Open the workflow action menu and click Execute Workflow.

-
In the confirmation dialog, click Execute now.

Review the dashboard
The CrowdStrike dashboard provides visibility into the data that the integration collects and uploads to BloodHound Enterprise. To navigate to the dashboard in CrowdStrike Falcon, go to Next-Gen SIEM > Dashboard. The dashboard displays the following visualizations to monitor host activity and data ingestion:| Visualization | Description |
|---|---|
| Event Count - Data Types | Displays a single-value metric highlighting the volume of specific BloodHound data types filtered by recent detection IDs |
| Top Active Hosts | Displays a bar chart of the top five hostnames that generated the most OS query events during the selected time range |
| Active Interactive Logon Sessions Tracking | Displays a pie chart of interactive user logon sessions grouped by hostname and logon domain |
| Job Execution Audit Trail | Displays a table of upload events, including job IDs, processed event counts, and upload status |
Verify upload events
The application writes an audit event to Falcon Next-Gen SIEM after it uploads data successfully to BloodHound Enterprise. After the workflow completes successfully, confirm the upload in both Falcon Next-Gen SIEM and BloodHound Enterprise.Open Event Search
- Log in to CrowdStrike Falcon.
-
Go to Next-Gen SIEM > Log management > Event Search.

Filter for upload audit events
Apply a custom filter with the following values:
| Field | Value |
|---|---|
| Field | event_type |
| Operator | is equal to |
| Value | bloodhound_enterprise_data_collector_upload |
Confirm the upload details
- Confirm that a matching event appears for the workflow run.
- Review the event details for the job ID, computer count, Next-Gen SIEM event counts, and checkpoint details.
-
Record the job ID to verify data ingestion in BloodHound Enterprise.

Open the BloodHound Enterprise tenant
- Log in to your BloodHound Enterprise tenant.
- Go to Administration > Data Collection > File Ingest.

