> ## Documentation Index
> Fetch the complete documentation index at: https://specterops-bp-2641-crowdstrike-integration.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Use Falcon for IT with BloodHound Enterprise

> Learn how to run the CrowdStrike Falcon for IT workflow, review telemetry, and verify ingestion in BloodHound Enterprise.

<img noZoom src="https://mintcdn.com/specterops-bp-2641-crowdstrike-integration/_rZ1zFkP5xLBuV5I/assets/enterprise-edition-pill-tag.svg?fit=max&auto=format&n=_rZ1zFkP5xLBuV5I&q=85&s=4a7cab6298d422be44331dd276b8e56d" alt="Applies to BloodHound Enterprise only" width="225" height="45" data-path="assets/enterprise-edition-pill-tag.svg" />

After you complete the [installation and configuration](/integrations/crowdstrike/falcon-for-it/configure), the CrowdStrike Foundry workflow can retrieve endpoint telemetry from Falcon Next-Gen SIEM, transform it to the BloodHound Enterprise schema, and upload it to your BloodHound Enterprise tenant.

This page shows you how to run the workflow, review the available dashboard views, and verify a successful upload.

The integration uses Foundry Functions and Falcon Fusion to automate BloodHound Enterprise data collection and ingestion.

| Workflow stage            | Description                                                                      |
| ------------------------- | -------------------------------------------------------------------------------- |
| **Fetch telemetry**       | Retrieves new endpoint telemetry from Falcon Next-Gen SIEM                       |
| **Transform data**        | Converts the collected data to the BloodHound Enterprise schema before upload    |
| **Track host coverage**   | Uses a Daily Status Table to track which hosts reported during the current cycle |
| **Retry incomplete work** | Reconciles incomplete collection runs to improve host coverage                   |

## Run the workflow manually

The workflow runs automatically on an hourly schedule, but you can also run it manually after installation and configuration to confirm that data reaches BloodHound Enterprise successfully.

<Steps>
  <Step title="Open the workflow list">
    1. Log in to CrowdStrike Falcon.

    2. Go to **Fusion SOAR** > **Workflows**.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2641-crowdstrike-integration/w6jLJbr28WfvxPh4/images/integrations/crowdstrike/falcon-for-it/workflows.png?fit=max&auto=format&n=w6jLJbr28WfvxPh4&q=85&s=af6107f26b03e3af6cc956a9fa46d2c5" alt="A screenshot of the workflow list interface" width="1917" height="881" data-path="images/integrations/crowdstrike/falcon-for-it/workflows.png" />
           </Frame>

    3. Locate the **BloodHound Enterprise NG SIEM Workflow**.
  </Step>

  <Step title="Execute the workflow">
    1. Open the workflow action menu and click **Execute Workflow**.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2641-crowdstrike-integration/w6jLJbr28WfvxPh4/images/integrations/crowdstrike/falcon-for-it/workflow-action-menu.png?fit=max&auto=format&n=w6jLJbr28WfvxPh4&q=85&s=4d3be40899bd2d5c23a4fefbb71dee97" alt="A screenshot of the workflow action menu" width="1817" height="488" data-path="images/integrations/crowdstrike/falcon-for-it/workflow-action-menu.png" />
           </Frame>

    2. In the confirmation dialog, click **Execute now**.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2641-crowdstrike-integration/w6jLJbr28WfvxPh4/images/integrations/crowdstrike/falcon-for-it/execute-now.png?fit=max&auto=format&n=w6jLJbr28WfvxPh4&q=85&s=b6bdbbb5fa4cab3d94d574e0eccfcd24" alt="A screenshot of the execute workflow confirmation dialog" width="832" height="732" data-path="images/integrations/crowdstrike/falcon-for-it/execute-now.png" />
           </Frame>
  </Step>

  <Step title="Open the execution results">
    1. When CrowdStrike displays the workflow execution notification, click **View**.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2641-crowdstrike-integration/w6jLJbr28WfvxPh4/images/integrations/crowdstrike/falcon-for-it/view-workflow-run.png?fit=max&auto=format&n=w6jLJbr28WfvxPh4&q=85&s=b860203d839b01f334e5e798199f4342" alt="A screenshot of the view execution results interface" width="1912" height="400" data-path="images/integrations/crowdstrike/falcon-for-it/view-workflow-run.png" />
           </Frame>

    2. Review the real-time execution results for the run.

           <Note>
             Record the reported job ID. You can use it to verify data ingestion in BloodHound Enterprise.
           </Note>
  </Step>
</Steps>

## Review the dashboard

The CrowdStrike dashboard provides visibility into the data that the integration collects and uploads to BloodHound Enterprise.

To navigate to the dashboard in CrowdStrike Falcon, go to **Next-Gen SIEM** > **Dashboard**.

The dashboard displays the following visualizations to monitor host activity and data ingestion:

| Visualization                                  | Description                                                                                                               |
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| **Event Count - Data Types**                   | Displays a single-value metric highlighting the volume of specific BloodHound data types filtered by recent detection IDs |
| **Top Active Hosts**                           | Displays a bar chart of the top five hostnames that generated the most OS query events during the selected time range     |
| **Active Interactive Logon Sessions Tracking** | Displays a pie chart of interactive user logon sessions grouped by hostname and logon domain                              |
| **Job Execution Audit Trail**                  | Displays a table of upload events, including job IDs, processed event counts, and upload status                           |

<Tip>
  The dashboard includes a global time filter that lets you adjust the reporting range across all visualizations.
</Tip>

## Verify upload events

The application writes an audit event to Falcon Next-Gen SIEM after it uploads data successfully to BloodHound Enterprise.

After the workflow completes successfully, confirm the upload in both Falcon Next-Gen SIEM and BloodHound Enterprise.

<Steps>
  <Step title="Open Event Search">
    1. Log in to CrowdStrike Falcon.

    2. Go to **Next-Gen SIEM** > **Log management** > **Event Search**.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2641-crowdstrike-integration/w6jLJbr28WfvxPh4/images/integrations/crowdstrike/falcon-for-it/verify-telemetry.png?fit=max&auto=format&n=w6jLJbr28WfvxPh4&q=85&s=d83e9686384187e5fdaa0b71c5ddce38" alt="A screenshot of the event search interface in Falcon Next-Gen SIEM" width="1917" height="851" data-path="images/integrations/crowdstrike/falcon-for-it/verify-telemetry.png" />
           </Frame>
  </Step>

  <Step title="Filter for upload audit events">
    Apply a custom filter with the following values:

    | Field        | Value                                         |
    | ------------ | --------------------------------------------- |
    | **Field**    | `event_type`                                  |
    | **Operator** | `is equal to`                                 |
    | **Value**    | `bloodhound_enterprise_data_collector_upload` |
  </Step>

  <Step title="Confirm the upload details">
    1. Confirm that a matching event appears for the workflow run.

    2. Review the event details for the job ID, computer count, Next-Gen SIEM event counts, and checkpoint details.

    3. Record the job ID to verify data ingestion in BloodHound Enterprise.

           <Frame>
             <img src="https://mintcdn.com/specterops-bp-2641-crowdstrike-integration/w6jLJbr28WfvxPh4/images/integrations/crowdstrike/falcon-for-it/event-logs-upload.png?fit=max&auto=format&n=w6jLJbr28WfvxPh4&q=85&s=5162c0e3e371736481a0a8dca10b8604" alt="A screenshot of the filter interface for upload audit events" width="1915" height="907" data-path="images/integrations/crowdstrike/falcon-for-it/event-logs-upload.png" />
           </Frame>
  </Step>

  <Step title="Open the BloodHound Enterprise tenant">
    1. Log in to your BloodHound Enterprise tenant.

    2. Go to **Administration** > **Data Collection** > **File Ingest**.
  </Step>

  <Step title="Confirm the matching ingestion job">
    Locate the latest ingestion entry and verify it against the job ID from the Falcon Next-Gen SIEM audit event.

    * Confirm that the upload start time matches the workflow execution time.
    * Confirm that the status of the job is **Complete**.

    <Frame>
      <img src="https://mintcdn.com/specterops-bp-2641-crowdstrike-integration/w6jLJbr28WfvxPh4/images/integrations/crowdstrike/falcon-for-it/file-ingest.png?fit=max&auto=format&n=w6jLJbr28WfvxPh4&q=85&s=982404b1764b3f84798c8d1ece19d21d" alt="A screenshot of the file ingestion management dashboard" width="1872" height="912" data-path="images/integrations/crowdstrike/falcon-for-it/file-ingest.png" />
    </Frame>
  </Step>
</Steps>
