Enrichment failed
Closed this issue · 3 comments
Issue created on the legacy repo by @janiskleinbergs
SpecterOps/BloodHound-Legacy#689
Hello,
I managed to collect the data using azurehound windows binary from my Azure AD, but upon .json file ingest through Bloodhound CE gui I get a status - failed - Enrichment failed.
Did I miss that I have to configure anything additionally?
Web GUI console says:
Object { stack: "Ge@http://localhost:8080/ui/assets/index-b920366e.js:1277:85893\nwRe@http://localhost:8080/ui/assets/index-b920366e.js:1279:954\nf@http://localhost:8080/ui/assets/index-b920366e.js:1279:4111\n", message: "Request failed with status code 401", name: "AxiosError", code: "ERR_BAD_REQUEST", config: {…}, request: XMLHttpRequest, response: {…} }
code: "ERR_BAD_REQUEST"
config: Object { timeout: 0, xsrfCookieName: "XSRF-TOKEN", xsrfHeaderName: "X-XSRF-TOKEN", … }
message: "Request failed with status code 401"
name: "AxiosError"
request: XMLHttpRequest { readyState: 4, timeout: 0, withCredentials: false, … }
response: Object { data: {…}, status: 401, statusText: "Unauthorized", … }
stack: "Ge@http://localhost:8080/ui/assets/index-b920366e.js:1277:85893\nwRe@http://localhost:8080/ui/assets/index-b920366e.js:1279:954\nf@http://localhost:8080/ui/assets/index-b920366e.js:1279:4111\n"
: Object { constructor: Ge(e, t, n, r, i), toJSON: toJSON(), stack: "", … }
index-b920366e.js:269:24951
onError http://localhost:8080/ui/assets/index-b920366e.js:269
u http://localhost:8080/ui/assets/index-b920366e.js:269
d http://localhost:8080/ui/assets/index-b920366e.js:269
Also, the Docker details panel upon ingest shows:
system32-bloodhound-1 | {"level":"error","time":"2023-08-14T08:22:05.139669565Z","message":"Analysis failed: Collected errors:\n\tError 0: error during azure post: property tenantid: property not found\n"}
If a tenantid property cannot be found on a node then it may be possible that the ingest did not complete or was missing parts. Were there any other errors in the Docker log?
@zinic
Ok, I checked ingest files, they definitely have Tenant ID specified (replaced original upon submitting)
"meta": {
    "count": 1,
    "type": "groups",
    "version": 4
},
"data": [
    {
        "DisplayName": "Name",
        "OnPremisesSecurityIdentifier": null,
        "ObjectID": "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
        "TenantID": "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
Seems there are no other errors, during ingestion I also get:
{"level":"error","time":"date_time","message":"Node 2 is missing property tenantid"}
Not sure what it means and how to work around it?
If it helps - Azure cloud AD is accessed remotely by azurehound data collector, seemingly everything was fine, no errors there...
If I understand correctly then Bloodhound CE itself doesn't need to be authenticated against AD? I mean it just represents the data which is collected by azurehound, which in turn is authenticated against AD upon data collection?
This issue will appear when the Azure tenant object is missing the tenantid field specifically. Validate that it is present on the output from AzureHound and potentially re-import. We have released several versions of AzureHound since with collection improvements. Please feel free to re-open if this issue persists with any applicable logs from AzureHound.
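One way to run the pre-ingest check suggested in the last comment, as an added example that is not part of the original thread or of the BloodHound/AzureHound code base. It assumes the file shape quoted above (a top-level `meta` and `data` list with a `TenantID` key per record) and that `meta.count` is the number of records; the function names and sample values are hypothetical.

```python
import json
import sys

# Constructed sample in the shape quoted in the thread: record 1 has no
# tenant ID and record 2 has an empty one. All values are placeholders.
SAMPLE = """{"meta": {"count": 3, "type": "groups", "version": 4}, "data": [
 {"DisplayName": "A", "ObjectID": "obj-0001", "TenantID": "tenant-00aa"},
 {"DisplayName": "B", "ObjectID": "obj-0002"},
 {"DisplayName": "C", "ObjectID": "obj-0003", "TenantID": ""}]}"""

def tenant_id_of(record):
    """Return the record's tenant ID, or None if absent, null or empty."""
    for key, value in record.items():
        # The file uses "TenantID", the server log says "tenantid": ignore case.
        if key.lower() == "tenantid" and isinstance(value, str) and value.strip():
            return value
    return None

def check_collection(doc):
    """Check one parsed collection file; return a list of problem strings."""
    records = doc.get("data")
    if not isinstance(records, list):
        return ["top-level 'data' is missing or not a list (truncated file?)"]
    problems = []
    # Assumption: meta.count holds the number of records in 'data'.
    meta = doc.get("meta")
    count = meta.get("count") if isinstance(meta, dict) else None
    if isinstance(count, int) and count != len(records):
        problems.append(f"meta.count={count} but {len(records)} records present")
    for index, record in enumerate(records):
        if not isinstance(record, dict):
            problems.append(f"record {index}: not an object")
        elif tenant_id_of(record) is None:
            label = record.get("ObjectID") or record.get("DisplayName") or "?"
            problems.append(f"record {index} ({label}): no tenant ID")
    return problems

def check_text(text):
    """Parse the raw file text and check it, reporting JSON errors as problems."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    return check_collection(doc)

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE
    for problem in check_text(text) or ["no problems found"]:
        print(problem)
```

Run it with the path of a collection file as the only argument; without an argument it checks the embedded sample.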