From 3abe25d91f34df8026f6ee20350d7fef2bf5aa27 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Tue, 30 Jun 2026 12:00:36 -0500 Subject: [PATCH 01/18] wip: initial draft of v9.4.0 release notes --- docs/docs.json | 3 +- docs/resources/release-notes/2026-07-07.mdx | 111 ++++++++++++++++++++ docs/resources/release-notes/summary.mdx | 33 ++++++ 3 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 docs/resources/release-notes/2026-07-07.mdx diff --git a/docs/docs.json b/docs/docs.json index d6b65104..15eda5dc 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -894,14 +894,15 @@ "group": "Release Notes", "pages": [ "resources/release-notes/summary", + "resources/release-notes/2026-07-07", "resources/release-notes/2026-06-17", - "resources/release-notes/2026-05-28", { "group": "Archive", "pages": [ { "group": "2026", "pages": [ + "resources/release-notes/2026-05-28", "resources/release-notes/2026-05-06", "resources/release-notes/2026-04-13", "resources/release-notes/2026-03-23", diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx new file mode 100644 index 00000000..3efa892a --- /dev/null +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -0,0 +1,111 @@ +--- +title: 2026-07-07 Release Notes +description: Learn about new features, enhancements, and fixed issues in BloodHound. +sidebarTitle: "2026-07-07" +--- + +| | | | | | +| --- | --- | --- | --- | --- | +| **Release** | **BloodHound** | **OpenHound** | **SharpHound** | **AzureHound** | +| 2026-07-07 | v9.4.0 | v0.2.10 | No release | No release | + + + Use the filters on the right side of this page to narrow down the updates by component. You can select multiple filters at the same time to refine your results. + + + + {/*BED-6155*/} + ## ADCS ESC14 Scenario A Coverage + + Analyze ADCS ESC14 Scenario A attack paths directly in BloodHound so you can identify certificate-mapping abuse paths that rely on `altSecurityIdentities`. + + This release adds graph coverage for [`WriteAltSecurityIdentities`](/resources/edges/write-alt-security-identities) and [`WritePublicInformation`](/resources/edges/write-public-information), helping you surface certificate-based privilege escalation paths that were previously harder to model and investigate. + + + + {/*BED-8518, BED-8519, BED-8588*/} + ## Auditor Access for File Ingest and SSO Configuration + + Let auditors review **File Ingest** activity and **SSO Configuration** details without granting edit permissions. + + Auditors can now access these administration views in a read-only state while actions such as uploading files or creating providers remain restricted to roles with write access. + + + + {/*BED-8777, BED-8747, BED-8746, BED-8744, BED-8693*/} + ## More Resilient OpenHound Operations + + Keep long-running OpenHound jobs alive, identify deployed client versions more easily, and troubleshoot failures with clearer logs. + + OpenHound now continues checking in during active collections to reduce unintended job timeouts, reports its installed version back to BloodHound for better client visibility, improves log readability, handles deferred pipeline failures more consistently, and continues collection more often when single-object errors occur. + + + + {/*BED-8608, BED-8609*/} + ## Graph ID Lookup APIs + + Retrieve specific nodes and relationships by their graph-assigned integer IDs when you need to automate graph lookups outside the UI. + + BloodHound now exposes [`GET /api/v2/nodes/{node_id}`](/reference/opengraph-experimental/get-node-by-graph-node-id) and [`GET /api/v2/relationships/{relationship_id}`](/reference/opengraph-experimental/get-relationship-by-graph-relationship-id) to simplify targeted integrations and investigation workflows. + + + + {/*BED-8303, BED-7739, BED-8520*/} + ## Privilege Zone Rule Authoring Improvements + + Build and validate Privilege Zone rules with less rework when you switch rule types or refine Cypher-based rules. + + BloodHound now preserves rule state when you switch between Cypher and Object ID rules, prompts you to rerun Cypher when the query changes, and prevents saving Cypher rules that have not produced valid results. + + + + {/*BED-7222, BED-7215, BED-7212, BED-8290*/} + ## Accessibility Improvements + + Navigate BloodHound with clearer focus states, more consistent semantic structure, and better screen-reader labeling across key workflows. + + This release improves accessible names and labels in administration forms, strengthens visible keyboard focus behavior, and refines headings and page structure to better support assistive technologies. + + + + ## Analysis and API + + - {/*BED-8136*/} Resolved an issue where [`GET /api/v2/datapipe/status`](/reference/datapipe/get-datapipe-status) did not reliably update `last_analysis_run_at` and did not expose the scheduled-analysis timestamps needed to track analysis cadence. + - {/*BED-5572*/} Resolved an issue where multi-forest environments that shared ADCS infrastructure could produce false-positive attack paths. + - {/*BED-4867*/} Resolved an issue where Azure descendant `related_entity_type` requests could respond too slowly in large tenants. + - {/*BED-7883*/} Resolved an issue where Cypher equality comparisons could fail for values that contained special characters. + + ## Explore, Posture, and Privilege Zones + + - {/*BED-8114*/} Resolved an issue where the **Attack Paths** and **Posture** pages could show inconsistent finding counts. + - {/*BED-8642*/} Resolved an issue where pathfinding involving OpenGraph data could fail unexpectedly. + - {/*BED-8310*/} Resolved an issue where the Privilege Zone object details panel failed to load OpenGraph node data for rule-matched objects. + - {/*BED-8390*/} Resolved an issue where parts of the **Posture** page used browser localization settings inconsistently. + + ## Administration, OpenGraph, and UI + + - {/*BED-8656*/} Resolved an issue where dragging a file into **Quick Upload** on the **OpenGraph Management** page could open the wrong upload dialog. + - {/*BED-8570*/} Resolved an issue where the OpenGraph extension deletion dialog only accepted one character at a time when confirming an extension name. + - {/*BED-7040*/} Resolved an issue where saved-query uploads did not use the same ingest file safety checks as other upload workflows. + - {/*BED-8189*/} Resolved an issue in BloodHound Community where the default `admin` email address used an example value that was misleading in production-like setups. + - {/*BED-8754*/} Resolved focus-state inconsistencies that could make active controls harder to distinguish during keyboard navigation. + + + + ## GitHub Collection Reliability + + - {/*BED-8783*/} Resolved an issue where a stub `GH_Organization` node could overwrite a fully collected organization and incorrectly mark it as not collected. + - {/*BED-8687*/} Resolved an issue that could cause GitHub collections to fail during normalization in early 0.2.x releases. + - {/*BED-8689*/} Resolved issues that made large GitHub collections more likely to stall or fail when GitHub API rate limits were exhausted. + + ## Jamf and Okta Collection Reliability + + - {/*BED-8768, BED-8729, BED-8688*/} Resolved multiple Jamf collector failures involving preprocessing, database lookups, and ingest behavior across 0.2.x releases. + - {/*BED-8692*/} Resolved an issue that could cause Okta and GitHub collections to fail in Kubernetes-based deployments. + + +{/* TODO(doc-follow-up): +- Update docs/manage-bloodhound/auth/users-and-roles.mdx if Auditor access to File Ingest and SSO Configuration is now part of the supported permission matrix. +- Review docs/analyze-data/privilege-zones/rules.mdx for the rule-builder validation and state-preservation changes in this release, and confirm whether Variable Analysis Mode needs separate public documentation. +- Review docs/collect-data/enterprise-collection/monitor.mdx, docs/collect-data/enterprise-collection/create-collector.mdx, and docs/openhound/configuration.mdx for OpenHound version visibility, long-running job heartbeat behavior, and updated troubleshooting guidance. +*/} diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index dd814031..32a9c047 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -20,6 +20,39 @@ SpecterOps is heading to Black Hat USA 2026 with training courses, technical bri We're excited to share that SO-CON talks are now available [online](https://ghst.ly/SOCON26YT). We've also published the presentation slide decks in a public [GitHub repository](https://github.com/SpecterOps/presentations/tree/main/SO-CON%202026). +## 2026-07-07 + +| | | | | | +| --- | --- | --- | --- | --- | +| **Release** | **BloodHound** | **OpenHound** | **SharpHound** | **AzureHound** | +| 2026-07-07 | v9.4.0 | v0.2.10 | No release | No release | + +This release expands ADCS attack path coverage, opens more administration workflows to auditors in read-only mode, and improves OpenHound collection resilience. Key highlights include: + +- **Attack path coverage**: Model ADCS ESC14 Scenario A paths with new certificate-mapping edge coverage. +- **Administration**: Let auditors inspect **File Ingest** and **SSO Configuration** without receiving edit access. +- **OpenHound**: Keep long-running jobs alive, surface deployed versions in BloodHound, and troubleshoot failures with clearer logs. + +### New Features + +| Component | Update | Summary | +| --- | --- | --- | +| Attack Paths | [ADCS ESC14 Scenario A Coverage](/resources/release-notes/2026-07-07#adcs-esc14-scenario-a-coverage) | Analyze certificate-mapping attack paths that rely on `altSecurityIdentities`. | + +### Enhancements + +| Component | Update | Summary | +| --- | --- | --- | +| Administration | [Auditor Access for File Ingest and SSO Configuration](/resources/release-notes/2026-07-07#auditor-access-for-file-ingest-and-sso-configuration) | Let auditors review **File Ingest** activity and **SSO Configuration** details without edit permissions. | +| Data Collection | [More Resilient OpenHound Operations](/resources/release-notes/2026-07-07#more-resilient-openhound-operations) | Keep OpenHound jobs alive longer, surface installed versions in BloodHound, and improve logging and failure handling. | +| API | [Graph ID Lookup APIs](/resources/release-notes/2026-07-07#graph-id-lookup-apis) | Retrieve nodes and relationships by graph-assigned integer IDs for targeted automation and investigation. | +| Privilege Zones | [Privilege Zone Rule Authoring Improvements](/resources/release-notes/2026-07-07#privilege-zone-rule-authoring-improvements) | Preserve rule state across rule types and require valid Cypher results before saving. | +| Accessibility | [Accessibility Improvements](/resources/release-notes/2026-07-07#accessibility-improvements) | Navigate key workflows with clearer focus states, semantic structure, and screen-reader labels. | + +### Fixed Issues + +See the [release notes](/resources/release-notes/2026-07-07#bloodhound-6) for a full list of fixed issues in this release. + ## 2026-06-17 | | | | | | From f9a17084a098b9796cfdde42aa1541c784d1e966 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Tue, 30 Jun 2026 12:08:52 -0500 Subject: [PATCH 02/18] wip: added missing issues for variable analysis mode --- docs/resources/release-notes/2026-07-07.mdx | 9 +++++++++ docs/resources/release-notes/summary.mdx | 1 + 2 files changed, 10 insertions(+) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index 3efa892a..f173e0f8 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -58,6 +58,15 @@ sidebarTitle: "2026-07-07" BloodHound now preserves rule state when you switch between Cypher and Object ID rules, prompts you to rerun Cypher when the query changes, and prevents saving Cypher rules that have not produced valid results. + + {/*BED-8276, BED-8781*/} + ## Variable Analysis Mode + + Review unrealized Privilege Zone analysis changes with Variable Analysis Mode and manage the associated feature flag more directly in supported environments. + + This release adds Variable Analysis Mode support for Privilege Zone analysis workflows and makes the related feature-flag setting user-updatable. + + {/*BED-7222, BED-7215, BED-7212, BED-8290*/} ## Accessibility Improvements diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index 32a9c047..356d77d9 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -47,6 +47,7 @@ This release expands ADCS attack path coverage, opens more administration workfl | Data Collection | [More Resilient OpenHound Operations](/resources/release-notes/2026-07-07#more-resilient-openhound-operations) | Keep OpenHound jobs alive longer, surface installed versions in BloodHound, and improve logging and failure handling. | | API | [Graph ID Lookup APIs](/resources/release-notes/2026-07-07#graph-id-lookup-apis) | Retrieve nodes and relationships by graph-assigned integer IDs for targeted automation and investigation. | | Privilege Zones | [Privilege Zone Rule Authoring Improvements](/resources/release-notes/2026-07-07#privilege-zone-rule-authoring-improvements) | Preserve rule state across rule types and require valid Cypher results before saving. | +| Privilege Zones | [Variable Analysis Mode](/resources/release-notes/2026-07-07#variable-analysis-mode) | Review unrealized Privilege Zone analysis changes and manage the related feature flag more directly. | | Accessibility | [Accessibility Improvements](/resources/release-notes/2026-07-07#accessibility-improvements) | Navigate key workflows with clearer focus states, semantic structure, and screen-reader labels. | ### Fixed Issues From 16efca30a2abe24a25123f05a1498309d303b221 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Tue, 30 Jun 2026 12:14:54 -0500 Subject: [PATCH 03/18] wip: added cypher memory limit boost for enterprise --- docs/resources/release-notes/2026-07-07.mdx | 12 ++++++++++++ docs/resources/release-notes/summary.mdx | 2 ++ 2 files changed, 14 insertions(+) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index f173e0f8..8c80d6f6 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -49,6 +49,17 @@ sidebarTitle: "2026-07-07" BloodHound now exposes [`GET /api/v2/nodes/{node_id}`](/reference/opengraph-experimental/get-node-by-graph-node-id) and [`GET /api/v2/relationships/{relationship_id}`](/reference/opengraph-experimental/get-relationship-by-graph-relationship-id) to simplify targeted integrations and investigation workflows. + + {/*BI-1814*/} + ## Higher Memory Limits for User-Generated Cypher Queries + + BloodHound Enterprise logo + + Run more complex user-generated Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than the previous default allowed. + + This release raises the [`graph_query_memory_limit`](/manage-bloodhound/bh-config#graph_query_memory_limit) setting used for user-generated Cypher queries from `2` to `4`, increasing the memory available to those workflows in hosted enterprise environments. + + {/*BED-8303, BED-7739, BED-8520*/} ## Privilege Zone Rule Authoring Improvements @@ -115,6 +126,7 @@ sidebarTitle: "2026-07-07" {/* TODO(doc-follow-up): - Update docs/manage-bloodhound/auth/users-and-roles.mdx if Auditor access to File Ingest and SSO Configuration is now part of the supported permission matrix. +- Review docs/manage-bloodhound/bh-config.mdx if the documented `graph_query_memory_limit` example or rollout guidance should change after the enterprise fleet configuration update ships. - Review docs/analyze-data/privilege-zones/rules.mdx for the rule-builder validation and state-preservation changes in this release, and confirm whether Variable Analysis Mode needs separate public documentation. - Review docs/collect-data/enterprise-collection/monitor.mdx, docs/collect-data/enterprise-collection/create-collector.mdx, and docs/openhound/configuration.mdx for OpenHound version visibility, long-running job heartbeat behavior, and updated troubleshooting guidance. */} diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index 356d77d9..552f1ce8 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -31,6 +31,7 @@ This release expands ADCS attack path coverage, opens more administration workfl - **Attack path coverage**: Model ADCS ESC14 Scenario A paths with new certificate-mapping edge coverage. - **Administration**: Let auditors inspect **File Ingest** and **SSO Configuration** without receiving edit access. +- **Cypher**: Raise the memory available to user-generated Cypher queries in BloodHound Enterprise so more complex queries and larger **Entity Panel** sections can return successfully. - **OpenHound**: Keep long-running jobs alive, surface deployed versions in BloodHound, and troubleshoot failures with clearer logs. ### New Features @@ -46,6 +47,7 @@ This release expands ADCS attack path coverage, opens more administration workfl | Administration | [Auditor Access for File Ingest and SSO Configuration](/resources/release-notes/2026-07-07#auditor-access-for-file-ingest-and-sso-configuration) | Let auditors review **File Ingest** activity and **SSO Configuration** details without edit permissions. | | Data Collection | [More Resilient OpenHound Operations](/resources/release-notes/2026-07-07#more-resilient-openhound-operations) | Keep OpenHound jobs alive longer, surface installed versions in BloodHound, and improve logging and failure handling. | | API | [Graph ID Lookup APIs](/resources/release-notes/2026-07-07#graph-id-lookup-apis) | Retrieve nodes and relationships by graph-assigned integer IDs for targeted automation and investigation. | +| Cypher (Enterprise) | [Higher Memory Limits for User-Generated Cypher Queries](/resources/release-notes/2026-07-07#higher-memory-limits-for-user-generated-cypher-queries) | Increase the `graph_query_memory_limit` used for user-generated Cypher queries so more complex queries and larger **Entity Panel** sections can return. | | Privilege Zones | [Privilege Zone Rule Authoring Improvements](/resources/release-notes/2026-07-07#privilege-zone-rule-authoring-improvements) | Preserve rule state across rule types and require valid Cypher results before saving. | | Privilege Zones | [Variable Analysis Mode](/resources/release-notes/2026-07-07#variable-analysis-mode) | Review unrealized Privilege Zone analysis changes and manage the related feature flag more directly. | | Accessibility | [Accessibility Improvements](/resources/release-notes/2026-07-07#accessibility-improvements) | Navigate key workflows with clearer focus states, semantic structure, and screen-reader labels. | From 6bcacaca28d43629376b3a26c67867d04211b9e6 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Tue, 30 Jun 2026 12:21:18 -0500 Subject: [PATCH 04/18] wip: add enterprise only tags --- docs/resources/release-notes/2026-07-07.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index 8c80d6f6..0ab26d07 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -73,6 +73,8 @@ sidebarTitle: "2026-07-07" {/*BED-8276, BED-8781*/} ## Variable Analysis Mode + BloodHound Enterprise logo + Review unrealized Privilege Zone analysis changes with Variable Analysis Mode and manage the associated feature flag more directly in supported environments. This release adds Variable Analysis Mode support for Privilege Zone analysis workflows and makes the related feature-flag setting user-updatable. From c04661e935c8b70a8c129a065b0f047a7663154a Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Tue, 30 Jun 2026 14:33:40 -0500 Subject: [PATCH 05/18] wip: copyedited v9.4.0 features and enhancements --- .../auth/users-and-roles.mdx | 2 +- docs/resources/release-notes/2026-07-07.mdx | 102 +++++++++++------- docs/resources/release-notes/summary.mdx | 8 +- 3 files changed, 67 insertions(+), 45 deletions(-) diff --git a/docs/manage-bloodhound/auth/users-and-roles.mdx b/docs/manage-bloodhound/auth/users-and-roles.mdx index 37aef12b..3e675014 100644 --- a/docs/manage-bloodhound/auth/users-and-roles.mdx +++ b/docs/manage-bloodhound/auth/users-and-roles.mdx @@ -69,5 +69,5 @@ For OpenGraph extensions, BloodHound separates read and write permissions. Users | Run collector client on-demand scan \[BHE\] | | | - | - | - | - | | Add, modify, and remove a collector client \[BHE\] | | | - | - | - | - | | Regenerate collector client credentials \[BHE\] | | | - | - | - | - | -| File Ingest | | | - | - | - | | +| File Ingest | | | | - | - | | diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index 0ab26d07..fabd0d4f 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -13,22 +13,39 @@ sidebarTitle: "2026-07-07" Use the filters on the right side of this page to narrow down the updates by component. You can select multiple filters at the same time to refine your results. - + {/*BED-6155*/} - ## ADCS ESC14 Scenario A Coverage + ## ADCS ESC14 Scenario A Attack Paths - Analyze ADCS ESC14 Scenario A attack paths directly in BloodHound so you can identify certificate-mapping abuse paths that rely on `altSecurityIdentities`. + Analyze ADCS ESC14 Scenario A attack paths directly in BloodHound so you can identify explicit certificate-mapping abuse paths that rely on `altSecurityIdentities`. - This release adds graph coverage for [`WriteAltSecurityIdentities`](/resources/edges/write-alt-security-identities) and [`WritePublicInformation`](/resources/edges/write-public-information), helping you surface certificate-based privilege escalation paths that were previously harder to model and investigate. + In [ESC14 Scenario A](https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9), an attacker who can modify a target principal's `altSecurityIdentities` attribute, or who has equivalent control through the `Public-Information` property set, can add an explicit certificate mapping that points to a certificate they control and then authenticate as the target. + + This release adds graph coverage for the following edges, helping you surface certificate-based impersonation and privilege escalation paths that were previously harder to model and investigate: + + - [`WriteAltSecurityIdentities`](/resources/edges/write-alt-security-identities) + - [`WritePublicInformation`](/resources/edges/write-public-information) + + + + {/*BED-8608, BED-8609*/} + ## Graph ID Lookup APIs + + Retrieve details for specific OpenGraph nodes and relationships by their graph-assigned integer IDs. + + BloodHound now exposes the following experimental OpenGraph API endpoints: + + - [`GET /api/v2/nodes/{node_id}`](/reference/opengraph-experimental/get-node-by-graph-node-id) + - [`GET /api/v2/relationships/{relationship_id}`](/reference/opengraph-experimental/get-relationship-by-graph-relationship-id) {/*BED-8518, BED-8519, BED-8588*/} - ## Auditor Access for File Ingest and SSO Configuration + ## Auditor Role Access Improvements - Let auditors review **File Ingest** activity and **SSO Configuration** details without granting edit permissions. + Allow auditors to review **File Ingest** activity and **SSO Configuration** details without granting edit permissions. - Auditors can now access these administration views in a read-only state while actions such as uploading files or creating providers remain restricted to roles with write access. + Auditors can now access these administration views in a read-only state while actions, such as uploading files or creating providers, remain restricted to [roles](/manage-bloodhound/auth/users-and-roles) with write access. @@ -37,56 +54,63 @@ sidebarTitle: "2026-07-07" Keep long-running OpenHound jobs alive, identify deployed client versions more easily, and troubleshoot failures with clearer logs. - OpenHound now continues checking in during active collections to reduce unintended job timeouts, reports its installed version back to BloodHound for better client visibility, improves log readability, handles deferred pipeline failures more consistently, and continues collection more often when single-object errors occur. - + OpenHound now: - - {/*BED-8608, BED-8609*/} - ## Graph ID Lookup APIs - - Retrieve specific nodes and relationships by their graph-assigned integer IDs when you need to automate graph lookups outside the UI. - - BloodHound now exposes [`GET /api/v2/nodes/{node_id}`](/reference/opengraph-experimental/get-node-by-graph-node-id) and [`GET /api/v2/relationships/{relationship_id}`](/reference/opengraph-experimental/get-relationship-by-graph-relationship-id) to simplify targeted integrations and investigation workflows. + - Continues checking in during active collections to reduce unintended job timeouts + - Continues collection more often when single-object errors occur + - Handles deferred pipeline failures more consistently + - Reports its version to BloodHound for visibility on the **Manage Clients** page + - Uses human-readable plain-text logs by default for file and stdout output, while keeping structured JSON as an opt-in format - - {/*BI-1814*/} - ## Higher Memory Limits for User-Generated Cypher Queries + + {/*BED-8303, BED-7739, BED-8520*/} + ## Privilege Zone Rule Authoring Improvements - BloodHound Enterprise logo + Build and validate Privilege Zone rules with less rework when you switch rule types or refine Cypher-based rules. + + BloodHound now: - Run more complex user-generated Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than the previous default allowed. + - Preserves rule state when you switch between Cypher and Object ID rule types + - Prompts you to rerun Cypher when the query changes + - Warns you with a confirmation dialog before saving a Cypher-based rule that returns no results - This release raises the [`graph_query_memory_limit`](/manage-bloodhound/bh-config#graph_query_memory_limit) setting used for user-generated Cypher queries from `2` to `4`, increasing the memory available to those workflows in hosted enterprise environments. + + This helps when you expect a rule to return results after future data collection or changes in your environment. + - - {/*BED-8303, BED-7739, BED-8520*/} - ## Privilege Zone Rule Authoring Improvements + + {/*BED-7222, BED-7215, BED-7212, BED-8290*/} + ## Accessibility Improvements - Build and validate Privilege Zone rules with less rework when you switch rule types or refine Cypher-based rules. + Navigate BloodHound with clearer focus states, more consistent semantic structure, and better screen-reader labeling across key workflows. - BloodHound now preserves rule state when you switch between Cypher and Object ID rules, prompts you to rerun Cypher when the query changes, and prevents saving Cypher rules that have not produced valid results. + This release improves accessible names and labels in administration forms, strengthens visible keyboard focus behavior, and refines headings and page structure to better support assistive technologies. - - {/*BED-8276, BED-8781*/} - ## Variable Analysis Mode + + {/*BI-1814*/} + ## Higher Memory Limits for Cypher Queries BloodHound Enterprise logo - Review unrealized Privilege Zone analysis changes with Variable Analysis Mode and manage the associated feature flag more directly in supported environments. + Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than the previous default allowed. - This release adds Variable Analysis Mode support for Privilege Zone analysis workflows and makes the related feature-flag setting user-updatable. + This release raises the [`graph_query_memory_limit`](/manage-bloodhound/bh-config#graph_query_memory_limit) setting for user-generated Cypher queries from 2GB to 4GB in hosted enterprise environments. - - {/*BED-7222, BED-7215, BED-7212, BED-8290*/} - ## Accessibility Improvements + + {/*BED-8276, BED-8781*/} + ## Variable Analysis Mode - Navigate BloodHound with clearer focus states, more consistent semantic structure, and better screen-reader labeling across key workflows. + BloodHound Enterprise logo - This release improves accessible names and labels in administration forms, strengthens visible keyboard focus behavior, and refines headings and page structure to better support assistive technologies. + See Privilege Zone updates reflected in your graph faster. + + When you enable **Variable Analysis Mode** on the **Early Access** page, BloodHound Enterprise can skip post-processing after Privilege Zone changes and re-run only the analysis stages needed to update the graph. + + This reduces the time it takes for updated zone definitions and related findings to appear in the graph. @@ -127,8 +151,6 @@ sidebarTitle: "2026-07-07" {/* TODO(doc-follow-up): -- Update docs/manage-bloodhound/auth/users-and-roles.mdx if Auditor access to File Ingest and SSO Configuration is now part of the supported permission matrix. -- Review docs/manage-bloodhound/bh-config.mdx if the documented `graph_query_memory_limit` example or rollout guidance should change after the enterprise fleet configuration update ships. - Review docs/analyze-data/privilege-zones/rules.mdx for the rule-builder validation and state-preservation changes in this release, and confirm whether Variable Analysis Mode needs separate public documentation. -- Review docs/collect-data/enterprise-collection/monitor.mdx, docs/collect-data/enterprise-collection/create-collector.mdx, and docs/openhound/configuration.mdx for OpenHound version visibility, long-running job heartbeat behavior, and updated troubleshooting guidance. +- Review docs/collect-data/enterprise-collection/monitor.mdx, docs/collect-data/enterprise-collection/create-collector.mdx, and docs/openhound/configuration.mdx for OpenHound version visibility, long-running job heartbeat behavior, updated troubleshooting guidance, and configuration examples (e.g., logs). */} diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index 552f1ce8..6857356d 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -38,7 +38,8 @@ This release expands ADCS attack path coverage, opens more administration workfl | Component | Update | Summary | | --- | --- | --- | -| Attack Paths | [ADCS ESC14 Scenario A Coverage](/resources/release-notes/2026-07-07#adcs-esc14-scenario-a-coverage) | Analyze certificate-mapping attack paths that rely on `altSecurityIdentities`. | +| Data Collection | [ADCS ESC14 Scenario A Coverage](/resources/release-notes/2026-07-07#adcs-esc14-scenario-a-attack-paths) | Analyze certificate-mapping attack paths that rely on a principal's `altSecurityIdentities` attribute. | +| API | [Graph ID Lookup APIs](/resources/release-notes/2026-07-07#graph-id-lookup-apis) | Retrieve nodes and relationships by graph-assigned integer IDs for targeted automation and investigation. | ### Enhancements @@ -46,10 +47,9 @@ This release expands ADCS attack path coverage, opens more administration workfl | --- | --- | --- | | Administration | [Auditor Access for File Ingest and SSO Configuration](/resources/release-notes/2026-07-07#auditor-access-for-file-ingest-and-sso-configuration) | Let auditors review **File Ingest** activity and **SSO Configuration** details without edit permissions. | | Data Collection | [More Resilient OpenHound Operations](/resources/release-notes/2026-07-07#more-resilient-openhound-operations) | Keep OpenHound jobs alive longer, surface installed versions in BloodHound, and improve logging and failure handling. | -| API | [Graph ID Lookup APIs](/resources/release-notes/2026-07-07#graph-id-lookup-apis) | Retrieve nodes and relationships by graph-assigned integer IDs for targeted automation and investigation. | | Cypher (Enterprise) | [Higher Memory Limits for User-Generated Cypher Queries](/resources/release-notes/2026-07-07#higher-memory-limits-for-user-generated-cypher-queries) | Increase the `graph_query_memory_limit` used for user-generated Cypher queries so more complex queries and larger **Entity Panel** sections can return. | -| Privilege Zones | [Privilege Zone Rule Authoring Improvements](/resources/release-notes/2026-07-07#privilege-zone-rule-authoring-improvements) | Preserve rule state across rule types and require valid Cypher results before saving. | -| Privilege Zones | [Variable Analysis Mode](/resources/release-notes/2026-07-07#variable-analysis-mode) | Review unrealized Privilege Zone analysis changes and manage the related feature flag more directly. | +| Zone Builder | [Privilege Zone Rule Authoring Improvements](/resources/release-notes/2026-07-07#privilege-zone-rule-authoring-improvements) | Preserve rule state across rule types and warn before saving Cypher rules that currently return no results. | +| Zone Builder | [Variable Analysis Mode](/resources/release-notes/2026-07-07#variable-analysis-mode) | Reduce the time it takes for Privilege Zone changes to appear in the graph and in related findings. | | Accessibility | [Accessibility Improvements](/resources/release-notes/2026-07-07#accessibility-improvements) | Navigate key workflows with clearer focus states, semantic structure, and screen-reader labels. | ### Fixed Issues From 650b40fef7d6a8320384c24b0ac778c1582468ac Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Tue, 30 Jun 2026 14:38:54 -0500 Subject: [PATCH 06/18] wip: aligned v9.4.0 summary with detailed release notes --- docs/resources/release-notes/summary.mdx | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index 6857356d..17dfe05e 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -29,10 +29,8 @@ We're excited to share that SO-CON talks are now available [online](https://ghst This release expands ADCS attack path coverage, opens more administration workflows to auditors in read-only mode, and improves OpenHound collection resilience. Key highlights include: -- **Attack path coverage**: Model ADCS ESC14 Scenario A paths with new certificate-mapping edge coverage. -- **Administration**: Let auditors inspect **File Ingest** and **SSO Configuration** without receiving edit access. -- **Cypher**: Raise the memory available to user-generated Cypher queries in BloodHound Enterprise so more complex queries and larger **Entity Panel** sections can return successfully. -- **OpenHound**: Keep long-running jobs alive, surface deployed versions in BloodHound, and troubleshoot failures with clearer logs. +- **New edges**: Model ADCS ESC14 Scenario A paths with new certificate-mapping edge coverage. +- **Cypher**: Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than the previous default allowed. ### New Features @@ -47,9 +45,9 @@ This release expands ADCS attack path coverage, opens more administration workfl | --- | --- | --- | | Administration | [Auditor Access for File Ingest and SSO Configuration](/resources/release-notes/2026-07-07#auditor-access-for-file-ingest-and-sso-configuration) | Let auditors review **File Ingest** activity and **SSO Configuration** details without edit permissions. | | Data Collection | [More Resilient OpenHound Operations](/resources/release-notes/2026-07-07#more-resilient-openhound-operations) | Keep OpenHound jobs alive longer, surface installed versions in BloodHound, and improve logging and failure handling. | -| Cypher (Enterprise) | [Higher Memory Limits for User-Generated Cypher Queries](/resources/release-notes/2026-07-07#higher-memory-limits-for-user-generated-cypher-queries) | Increase the `graph_query_memory_limit` used for user-generated Cypher queries so more complex queries and larger **Entity Panel** sections can return. | -| Zone Builder | [Privilege Zone Rule Authoring Improvements](/resources/release-notes/2026-07-07#privilege-zone-rule-authoring-improvements) | Preserve rule state across rule types and warn before saving Cypher rules that currently return no results. | -| Zone Builder | [Variable Analysis Mode](/resources/release-notes/2026-07-07#variable-analysis-mode) | Reduce the time it takes for Privilege Zone changes to appear in the graph and in related findings. | +| Cypher (Enterprise) | [Higher Memory Limits for Cypher Queries](/resources/release-notes/2026-07-07#higher-memory-limits-for-cypher-queries) | BloodHound Enterprise now uses a higher memory limit for Cypher queries. | +| Zone Builder | [Privilege Zone Rule Authoring Improvements](/resources/release-notes/2026-07-07#privilege-zone-rule-authoring-improvements) | Preserve rule state across rule types and warn before saving Cypher-based rules that return no results. | +| Zone Builder | [Variable Analysis Mode](/resources/release-notes/2026-07-07#variable-analysis-mode) | Skip post-processing after Privilege Zone changes so updated zone definitions and related findings appear faster in the graph. | | Accessibility | [Accessibility Improvements](/resources/release-notes/2026-07-07#accessibility-improvements) | Navigate key workflows with clearer focus states, semantic structure, and screen-reader labels. | ### Fixed Issues From b95fc574af7454c61d9cb853b33a8b39f674fcbf Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Tue, 30 Jun 2026 15:37:49 -0500 Subject: [PATCH 07/18] wip: copyedited v9.4.0 fixed issues --- docs/resources/release-notes/2026-07-07.mdx | 49 +++++++++++++++------ docs/resources/release-notes/summary.mdx | 1 + 2 files changed, 37 insertions(+), 13 deletions(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index fabd0d4f..16237bac 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -48,6 +48,19 @@ sidebarTitle: "2026-07-07" Auditors can now access these administration views in a read-only state while actions, such as uploading files or creating providers, remain restricted to [roles](/manage-bloodhound/auth/users-and-roles) with write access. + + {/*BED-8189*/} + ## Updated Default Admin Email Address + + Use a more appropriate default admin email address in BloodHound Community configuration and example files. + + BloodHound Community now uses `admin@example.com` instead of `spam@example.com` for the [`default_admin.email_address`](/manage-bloodhound/bh-config#default_admin-email_address) configuration property and related examples. + + + Existing workflows that still rely on the previous email address for initial login may need to be updated. + + + {/*BED-8777, BED-8747, BED-8746, BED-8744, BED-8693*/} ## More Resilient OpenHound Operations @@ -114,27 +127,37 @@ sidebarTitle: "2026-07-07" - ## Analysis and API + ## Analysis + + {/*BED-5572*/} Resolved an issue where multi-forest environments that consolidated ADCS into one forest could produce false-positive ADCS ESC attack path edges when a **Computer** node belonged to a different forest than the **Enterprise CA**. - - {/*BED-8136*/} Resolved an issue where [`GET /api/v2/datapipe/status`](/reference/datapipe/get-datapipe-status) did not reliably update `last_analysis_run_at` and did not expose the scheduled-analysis timestamps needed to track analysis cadence. - - {/*BED-5572*/} Resolved an issue where multi-forest environments that shared ADCS infrastructure could produce false-positive attack paths. - - {/*BED-4867*/} Resolved an issue where Azure descendant `related_entity_type` requests could respond too slowly in large tenants. + ## API + + - {/*BED-8136*/} Resolved an issue where the [`GET /api/v2/datapipe/status`](/reference/datapipe/get-datapipe-status) endpoint did not reliably update `last_analysis_run_at` and did not expose the scheduled-analysis timestamps needed to track analysis cadence. + - {/*BED-4867*/} Resolved an issue where the [`related_entity_type`](/reference/azure-entities/get-azure-entity#parameter-related-entity-type) parameter on the **Get Azure entity** endpoint could respond too slowly for descendant objects of large **AZTenant** nodes and degrade the user experience in the UI. + + ## Explore + + - {/*BED-7040*/} Resolved an issue where saved query imports could fail for JSON files that used UTF-8 BOM encoding, including files packaged in ZIP archives. - {/*BED-7883*/} Resolved an issue where Cypher equality comparisons could fail for values that contained special characters. - ## Explore, Posture, and Privilege Zones + ## OpenGraph - - {/*BED-8114*/} Resolved an issue where the **Attack Paths** and **Posture** pages could show inconsistent finding counts. - - {/*BED-8642*/} Resolved an issue where pathfinding involving OpenGraph data could fail unexpectedly. + - {/*BED-8656*/} Resolved an issue where dragging a file onto the **Quick Upload** dialog on the **OpenGraph Management** page could open the wrong dialog. + - {/*BED-8642*/} Resolved an issue where nodes with colons in their names could disappear from the **Search** and **Pathfinding** fields. + - {/*BED-8570*/} Resolved an issue where the OpenGraph extension deletion dialog accepted only one character at a time, preventing confirmation. - {/*BED-8310*/} Resolved an issue where the Privilege Zone object details panel failed to load OpenGraph node data for rule-matched objects. + + ## UI + + - {/*BED-8754*/} Resolved focus-state inconsistencies on dropdown menus that could make active controls harder to distinguish. - {/*BED-8390*/} Resolved an issue where parts of the **Posture** page used browser localization settings inconsistently. - ## Administration, OpenGraph, and UI + ## Findings + + BloodHound Enterprise logo - - {/*BED-8656*/} Resolved an issue where dragging a file into **Quick Upload** on the **OpenGraph Management** page could open the wrong upload dialog. - - {/*BED-8570*/} Resolved an issue where the OpenGraph extension deletion dialog only accepted one character at a time when confirming an extension name. - - {/*BED-7040*/} Resolved an issue where saved-query uploads did not use the same ingest file safety checks as other upload workflows. - - {/*BED-8189*/} Resolved an issue in BloodHound Community where the default `admin` email address used an example value that was misleading in production-like setups. - - {/*BED-8754*/} Resolved focus-state inconsistencies that could make active controls harder to distinguish during keyboard navigation. + {/*BED-8114*/} Resolved an issue where individual attack paths and their finding counts could appear on the **Posture** page but not on the **Attack Paths** page. diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index 17dfe05e..bdeacd6d 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -44,6 +44,7 @@ This release expands ADCS attack path coverage, opens more administration workfl | Component | Update | Summary | | --- | --- | --- | | Administration | [Auditor Access for File Ingest and SSO Configuration](/resources/release-notes/2026-07-07#auditor-access-for-file-ingest-and-sso-configuration) | Let auditors review **File Ingest** activity and **SSO Configuration** details without edit permissions. | +| Administration | [Updated Default Admin Email Address](/resources/release-notes/2026-07-07#updated-default-admin-email-address) | BloodHound Community now uses `admin@example.com` instead of `spam@example.com` in configuration and example files. | | Data Collection | [More Resilient OpenHound Operations](/resources/release-notes/2026-07-07#more-resilient-openhound-operations) | Keep OpenHound jobs alive longer, surface installed versions in BloodHound, and improve logging and failure handling. | | Cypher (Enterprise) | [Higher Memory Limits for Cypher Queries](/resources/release-notes/2026-07-07#higher-memory-limits-for-cypher-queries) | BloodHound Enterprise now uses a higher memory limit for Cypher queries. | | Zone Builder | [Privilege Zone Rule Authoring Improvements](/resources/release-notes/2026-07-07#privilege-zone-rule-authoring-improvements) | Preserve rule state across rule types and warn before saving Cypher-based rules that return no results. | From e7833b1a2d796e61ddc130a4e25c4dc1632a2a96 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Tue, 30 Jun 2026 15:44:54 -0500 Subject: [PATCH 08/18] wip: copyedited v0.2.10 OH fixed issues --- docs/resources/release-notes/2026-07-07.mdx | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index 16237bac..7f67683d 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -161,15 +161,10 @@ sidebarTitle: "2026-07-07" - ## GitHub Collection Reliability - - {/*BED-8783*/} Resolved an issue where a stub `GH_Organization` node could overwrite a fully collected organization and incorrectly mark it as not collected. - - {/*BED-8687*/} Resolved an issue that could cause GitHub collections to fail during normalization in early 0.2.x releases. + - {/*BED-8687*/} Resolved an issue that could cause GitHub collections to fail during normalization. - {/*BED-8689*/} Resolved issues that made large GitHub collections more likely to stall or fail when GitHub API rate limits were exhausted. - - ## Jamf and Okta Collection Reliability - - - {/*BED-8768, BED-8729, BED-8688*/} Resolved multiple Jamf collector failures involving preprocessing, database lookups, and ingest behavior across 0.2.x releases. + - {/*BED-8768, BED-8729, BED-8688*/} Resolved multiple Jamf collector failures involving preprocessing, database lookups, and ingest behavior. - {/*BED-8692*/} Resolved an issue that could cause Okta and GitHub collections to fail in Kubernetes-based deployments. From 08128b5eb31ef0a31336716578df334bf067f769 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Tue, 30 Jun 2026 15:45:19 -0500 Subject: [PATCH 09/18] chore: removed TODOs --- docs/resources/release-notes/2026-07-07.mdx | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index 7f67683d..83353b42 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -167,8 +167,3 @@ sidebarTitle: "2026-07-07" - {/*BED-8768, BED-8729, BED-8688*/} Resolved multiple Jamf collector failures involving preprocessing, database lookups, and ingest behavior. - {/*BED-8692*/} Resolved an issue that could cause Okta and GitHub collections to fail in Kubernetes-based deployments. - -{/* TODO(doc-follow-up): -- Review docs/analyze-data/privilege-zones/rules.mdx for the rule-builder validation and state-preservation changes in this release, and confirm whether Variable Analysis Mode needs separate public documentation. -- Review docs/collect-data/enterprise-collection/monitor.mdx, docs/collect-data/enterprise-collection/create-collector.mdx, and docs/openhound/configuration.mdx for OpenHound version visibility, long-running job heartbeat behavior, updated troubleshooting guidance, and configuration examples (e.g., logs). -*/} From 7d4140ffef5c445b4806ff9836ea2d312b9d7fec Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Wed, 1 Jul 2026 11:56:35 -0500 Subject: [PATCH 10/18] Apply suggestion from @StephenHinck Co-authored-by: Stephen Hinck --- docs/resources/release-notes/2026-07-07.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index 83353b42..5d476574 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -121,7 +121,7 @@ sidebarTitle: "2026-07-07" See Privilege Zone updates reflected in your graph faster. - When you enable **Variable Analysis Mode** on the **Early Access** page, BloodHound Enterprise can skip post-processing after Privilege Zone changes and re-run only the analysis stages needed to update the graph. + When you enable **Variable Analysis Mode** on the **Early Access** page, BloodHound Enterprise can skip post-processing after Privilege Zone changes and re-run only the analysis stages needed to update tagged objects and findings. This reduces the time it takes for updated zone definitions and related findings to appear in the graph. From 6737d0503ead10e7a62f0f0e250ce2d2e528e0f4 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Wed, 1 Jul 2026 12:45:01 -0500 Subject: [PATCH 11/18] chore: add cross refs to supporting docs; align summary with release notes --- docs/resources/release-notes/2026-07-07.mdx | 6 +++--- docs/resources/release-notes/summary.mdx | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index 5d476574..c5e88a4b 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -73,14 +73,14 @@ sidebarTitle: "2026-07-07" - Continues collection more often when single-object errors occur - Handles deferred pipeline failures more consistently - Reports its version to BloodHound for visibility on the **Manage Clients** page - - Uses human-readable plain-text logs by default for file and stdout output, while keeping structured JSON as an opt-in format + - Uses human-readable plain-text [log format](/openhound/configuration#log-format) by default for file and stdout output, while keeping structured JSON as an opt-in format {/*BED-8303, BED-7739, BED-8520*/} ## Privilege Zone Rule Authoring Improvements - Build and validate Privilege Zone rules with less rework when you switch rule types or refine Cypher-based rules. + Build and validate Privilege Zone [rules](/analyze-data/privilege-zones/rules) with less rework when you switch rule types or refine Cypher-based rules. BloodHound now: @@ -121,7 +121,7 @@ sidebarTitle: "2026-07-07" See Privilege Zone updates reflected in your graph faster. - When you enable **Variable Analysis Mode** on the **Early Access** page, BloodHound Enterprise can skip post-processing after Privilege Zone changes and re-run only the analysis stages needed to update tagged objects and findings. + When you enable [Variable Analysis Mode](/analyze-data/findings/analysis#variable-analysis-mode) on the **Early Access** page, BloodHound Enterprise can skip post-processing after Privilege Zone changes and re-run only the analysis stages needed to update tagged objects and findings. This reduces the time it takes for updated zone definitions and related findings to appear in the graph. diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index bdeacd6d..165a4494 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -29,21 +29,21 @@ We're excited to share that SO-CON talks are now available [online](https://ghst This release expands ADCS attack path coverage, opens more administration workflows to auditors in read-only mode, and improves OpenHound collection resilience. Key highlights include: -- **New edges**: Model ADCS ESC14 Scenario A paths with new certificate-mapping edge coverage. +- **New edges**: Model ADCS ESC14 Scenario A attack paths with new certificate-mapping edge coverage. - **Cypher**: Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than the previous default allowed. ### New Features | Component | Update | Summary | | --- | --- | --- | -| Data Collection | [ADCS ESC14 Scenario A Coverage](/resources/release-notes/2026-07-07#adcs-esc14-scenario-a-attack-paths) | Analyze certificate-mapping attack paths that rely on a principal's `altSecurityIdentities` attribute. | +| Data Collection | [ADCS ESC14 Scenario A Attack Paths](/resources/release-notes/2026-07-07#adcs-esc14-scenario-a-attack-paths) | Analyze certificate-mapping attack paths that rely on a principal's `altSecurityIdentities` attribute. | | API | [Graph ID Lookup APIs](/resources/release-notes/2026-07-07#graph-id-lookup-apis) | Retrieve nodes and relationships by graph-assigned integer IDs for targeted automation and investigation. | ### Enhancements | Component | Update | Summary | | --- | --- | --- | -| Administration | [Auditor Access for File Ingest and SSO Configuration](/resources/release-notes/2026-07-07#auditor-access-for-file-ingest-and-sso-configuration) | Let auditors review **File Ingest** activity and **SSO Configuration** details without edit permissions. | +| Administration | [Auditor Role Access Improvements](/resources/release-notes/2026-07-07#auditor-role-access-improvements) | Let auditors review **File Ingest** activity and **SSO Configuration** details without edit permissions. | | Administration | [Updated Default Admin Email Address](/resources/release-notes/2026-07-07#updated-default-admin-email-address) | BloodHound Community now uses `admin@example.com` instead of `spam@example.com` in configuration and example files. | | Data Collection | [More Resilient OpenHound Operations](/resources/release-notes/2026-07-07#more-resilient-openhound-operations) | Keep OpenHound jobs alive longer, surface installed versions in BloodHound, and improve logging and failure handling. | | Cypher (Enterprise) | [Higher Memory Limits for Cypher Queries](/resources/release-notes/2026-07-07#higher-memory-limits-for-cypher-queries) | BloodHound Enterprise now uses a higher memory limit for Cypher queries. | From 6075305bb9d0d0fee5a760761978d4524661ea60 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Wed, 1 Jul 2026 13:03:29 -0500 Subject: [PATCH 12/18] fix: link to fixed issues --- docs/resources/release-notes/summary.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index 165a4494..baf13548 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -53,7 +53,7 @@ This release expands ADCS attack path coverage, opens more administration workfl ### Fixed Issues -See the [release notes](/resources/release-notes/2026-07-07#bloodhound-6) for a full list of fixed issues in this release. +See the [release notes](/resources/release-notes/2026-07-07#bloodhound-9) for a full list of fixed issues in this release. ## 2026-06-17 From 9388e2bb269ee23e6932a333bac20361ca39c692 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Wed, 1 Jul 2026 14:46:33 -0500 Subject: [PATCH 13/18] chore: bump OH version and add a fixed issue --- docs/resources/release-notes/2026-07-07.mdx | 3 ++- docs/resources/release-notes/summary.mdx | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index c5e88a4b..f41dd017 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -7,7 +7,7 @@ sidebarTitle: "2026-07-07" | | | | | | | --- | --- | --- | --- | --- | | **Release** | **BloodHound** | **OpenHound** | **SharpHound** | **AzureHound** | -| 2026-07-07 | v9.4.0 | v0.2.10 | No release | No release | +| 2026-07-07 | v9.4.0 | v0.2.11 | No release | No release | Use the filters on the right side of this page to narrow down the updates by component. You can select multiple filters at the same time to refine your results. @@ -166,4 +166,5 @@ sidebarTitle: "2026-07-07" - {/*BED-8689*/} Resolved issues that made large GitHub collections more likely to stall or fail when GitHub API rate limits were exhausted. - {/*BED-8768, BED-8729, BED-8688*/} Resolved multiple Jamf collector failures involving preprocessing, database lookups, and ingest behavior. - {/*BED-8692*/} Resolved an issue that could cause Okta and GitHub collections to fail in Kubernetes-based deployments. + - {/*BED-8855*/} Resolved an issue where OpenHound did not respect the default setting that disables telemetry data. diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index baf13548..c9d8917f 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -25,7 +25,7 @@ We're excited to share that SO-CON talks are now available [online](https://ghst | | | | | | | --- | --- | --- | --- | --- | | **Release** | **BloodHound** | **OpenHound** | **SharpHound** | **AzureHound** | -| 2026-07-07 | v9.4.0 | v0.2.10 | No release | No release | +| 2026-07-07 | v9.4.0 | v0.2.11 | No release | No release | This release expands ADCS attack path coverage, opens more administration workflows to auditors in read-only mode, and improves OpenHound collection resilience. Key highlights include: From 71d9a90c4dbfec344c52c5ea4492628d84d52638 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Wed, 1 Jul 2026 15:05:17 -0500 Subject: [PATCH 14/18] docs: copyedit --- docs/resources/release-notes/2026-07-07.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index f41dd017..5d00d0ac 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -166,5 +166,5 @@ sidebarTitle: "2026-07-07" - {/*BED-8689*/} Resolved issues that made large GitHub collections more likely to stall or fail when GitHub API rate limits were exhausted. - {/*BED-8768, BED-8729, BED-8688*/} Resolved multiple Jamf collector failures involving preprocessing, database lookups, and ingest behavior. - {/*BED-8692*/} Resolved an issue that could cause Okta and GitHub collections to fail in Kubernetes-based deployments. - - {/*BED-8855*/} Resolved an issue where OpenHound did not respect the default setting that disables telemetry data. + - {/*BED-8855*/} Resolved an issue where OpenHound did not respect the default setting that disables anonymous telemetry data. From dd110ad35f7c8e38418452db888f1d5e3ad6f49b Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Wed, 1 Jul 2026 15:08:43 -0500 Subject: [PATCH 15/18] Apply suggestions from code review Co-authored-by: Stephen Hinck --- docs/resources/release-notes/2026-07-07.mdx | 2 +- docs/resources/release-notes/summary.mdx | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index 5d00d0ac..7a5805e4 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -43,7 +43,7 @@ sidebarTitle: "2026-07-07" {/*BED-8518, BED-8519, BED-8588*/} ## Auditor Role Access Improvements - Allow auditors to review **File Ingest** activity and **SSO Configuration** details without granting edit permissions. + Allow auditors to review **File Ingest** activity and **SSO Configuration** details. Auditors can now access these administration views in a read-only state while actions, such as uploading files or creating providers, remain restricted to [roles](/manage-bloodhound/auth/users-and-roles) with write access. diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index c9d8917f..3b0c55ff 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -30,7 +30,7 @@ We're excited to share that SO-CON talks are now available [online](https://ghst This release expands ADCS attack path coverage, opens more administration workflows to auditors in read-only mode, and improves OpenHound collection resilience. Key highlights include: - **New edges**: Model ADCS ESC14 Scenario A attack paths with new certificate-mapping edge coverage. -- **Cypher**: Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than the previous default allowed. +- **Cypher**: Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than the previously supported. ### New Features @@ -43,7 +43,7 @@ This release expands ADCS attack path coverage, opens more administration workfl | Component | Update | Summary | | --- | --- | --- | -| Administration | [Auditor Role Access Improvements](/resources/release-notes/2026-07-07#auditor-role-access-improvements) | Let auditors review **File Ingest** activity and **SSO Configuration** details without edit permissions. | +| Administration | [Auditor Role Access Improvements](/resources/release-notes/2026-07-07#auditor-role-access-improvements) | Auditors may now review **File Ingest** activity and **SSO Configuration** details. | | Administration | [Updated Default Admin Email Address](/resources/release-notes/2026-07-07#updated-default-admin-email-address) | BloodHound Community now uses `admin@example.com` instead of `spam@example.com` in configuration and example files. | | Data Collection | [More Resilient OpenHound Operations](/resources/release-notes/2026-07-07#more-resilient-openhound-operations) | Keep OpenHound jobs alive longer, surface installed versions in BloodHound, and improve logging and failure handling. | | Cypher (Enterprise) | [Higher Memory Limits for Cypher Queries](/resources/release-notes/2026-07-07#higher-memory-limits-for-cypher-queries) | BloodHound Enterprise now uses a higher memory limit for Cypher queries. | From 4b4c24d873ce9ce4c9390bc494c399e726912d21 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Wed, 1 Jul 2026 15:10:02 -0500 Subject: [PATCH 16/18] docs: copyedit --- docs/resources/release-notes/2026-07-07.mdx | 4 +--- docs/resources/release-notes/summary.mdx | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index 7a5805e4..abe1fbb6 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -108,9 +108,7 @@ sidebarTitle: "2026-07-07" BloodHound Enterprise logo - Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than the previous default allowed. - - This release raises the [`graph_query_memory_limit`](/manage-bloodhound/bh-config#graph_query_memory_limit) setting for user-generated Cypher queries from 2GB to 4GB in hosted enterprise environments. + Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than were previously supported. diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index 3b0c55ff..333d8487 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -30,7 +30,7 @@ We're excited to share that SO-CON talks are now available [online](https://ghst This release expands ADCS attack path coverage, opens more administration workflows to auditors in read-only mode, and improves OpenHound collection resilience. Key highlights include: - **New edges**: Model ADCS ESC14 Scenario A attack paths with new certificate-mapping edge coverage. -- **Cypher**: Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than the previously supported. +- **Cypher**: Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than were previously supported. ### New Features From 2036c586b301265b7d33469e36658ace138674cb Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Mon, 6 Jul 2026 08:23:17 -0500 Subject: [PATCH 17/18] chore: removed ADCS ESC14 edges from release notes --- docs/resources/release-notes/2026-07-07.mdx | 14 -------------- docs/resources/release-notes/summary.mdx | 6 ++---- 2 files changed, 2 insertions(+), 18 deletions(-) diff --git a/docs/resources/release-notes/2026-07-07.mdx b/docs/resources/release-notes/2026-07-07.mdx index abe1fbb6..e366ad66 100644 --- a/docs/resources/release-notes/2026-07-07.mdx +++ b/docs/resources/release-notes/2026-07-07.mdx @@ -13,20 +13,6 @@ sidebarTitle: "2026-07-07" Use the filters on the right side of this page to narrow down the updates by component. You can select multiple filters at the same time to refine your results. - - {/*BED-6155*/} - ## ADCS ESC14 Scenario A Attack Paths - - Analyze ADCS ESC14 Scenario A attack paths directly in BloodHound so you can identify explicit certificate-mapping abuse paths that rely on `altSecurityIdentities`. - - In [ESC14 Scenario A](https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9), an attacker who can modify a target principal's `altSecurityIdentities` attribute, or who has equivalent control through the `Public-Information` property set, can add an explicit certificate mapping that points to a certificate they control and then authenticate as the target. - - This release adds graph coverage for the following edges, helping you surface certificate-based impersonation and privilege escalation paths that were previously harder to model and investigate: - - - [`WriteAltSecurityIdentities`](/resources/edges/write-alt-security-identities) - - [`WritePublicInformation`](/resources/edges/write-public-information) - - {/*BED-8608, BED-8609*/} ## Graph ID Lookup APIs diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index 333d8487..024f1c38 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -27,16 +27,14 @@ We're excited to share that SO-CON talks are now available [online](https://ghst | **Release** | **BloodHound** | **OpenHound** | **SharpHound** | **AzureHound** | | 2026-07-07 | v9.4.0 | v0.2.11 | No release | No release | -This release expands ADCS attack path coverage, opens more administration workflows to auditors in read-only mode, and improves OpenHound collection resilience. Key highlights include: +This release opens more administration workflows to auditors in read-only mode, and improves OpenHound collection resilience. Key highlights include: -- **New edges**: Model ADCS ESC14 Scenario A attack paths with new certificate-mapping edge coverage. - **Cypher**: Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than were previously supported. ### New Features | Component | Update | Summary | | --- | --- | --- | -| Data Collection | [ADCS ESC14 Scenario A Attack Paths](/resources/release-notes/2026-07-07#adcs-esc14-scenario-a-attack-paths) | Analyze certificate-mapping attack paths that rely on a principal's `altSecurityIdentities` attribute. | | API | [Graph ID Lookup APIs](/resources/release-notes/2026-07-07#graph-id-lookup-apis) | Retrieve nodes and relationships by graph-assigned integer IDs for targeted automation and investigation. | ### Enhancements @@ -53,7 +51,7 @@ This release expands ADCS attack path coverage, opens more administration workfl ### Fixed Issues -See the [release notes](/resources/release-notes/2026-07-07#bloodhound-9) for a full list of fixed issues in this release. +See the [release notes](/resources/release-notes/2026-07-07#bloodhound-8) for a full list of fixed issues in this release. ## 2026-06-17 From 8f9a2373da4ad7a304e5123c430c4b95d46b8878 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Mon, 6 Jul 2026 08:56:05 -0500 Subject: [PATCH 18/18] chore: added openhound highlight for v9.4.0 --- docs/resources/release-notes/summary.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/resources/release-notes/summary.mdx b/docs/resources/release-notes/summary.mdx index 024f1c38..59e0887e 100644 --- a/docs/resources/release-notes/summary.mdx +++ b/docs/resources/release-notes/summary.mdx @@ -29,6 +29,7 @@ We're excited to share that SO-CON talks are now available [online](https://ghst This release opens more administration workflows to auditors in read-only mode, and improves OpenHound collection resilience. Key highlights include: +- **OpenHound**: Keep long-running jobs alive, identify deployed client versions more easily, and troubleshoot failures with clearer logs. - **Cypher**: Run more complex Cypher queries in BloodHound Enterprise and return larger **Entity Panel** sections than were previously supported. ### New Features