FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool. One of the challenging aspects of BloodHound is that it is a snapshot in time.
FalconHound is a blue team multi-tool designed to enhance the power of BloodHound, a graph-based cyber security tool. It allows users to keep a graph of their environment up-to-date, and to gather local group memberships and session information from logs. This information can then be used by BloodHound to trigger alerts or generate enrichment lists. Additionally, FalconHound can be used to add CVE information, Azure activities, recalculate the shortest path to sensitive groups, add new users, groups and computers to the graph, and generate enrichment lists for Sentinel and Splunk.
FalconHound is written in Go and does not require installation. It supports Azure Sentinel, Azure Sentinel Watchlists, Splunk, Microsoft Defender for Endpoint, Neo4j, MS Graph API, and CSV files as data sources and targets. Actions are the core of FalconHound and are written in the native language of the source and target. They are stored in the actions folder and are YAML files. Each action contains the query, some metadata, and the target(s) of the queried information.
FalconHound can be run with the -go parameter to have it run all queries in the actions folder, or with the -ids parameter to run a select set of actions. It can also be run with a different config file or a different actions folder. Additionally, FalconHound can be run with credentials from a keyvault. Credentials can be provided to FalconHound in three ways: via a config.yml file on disk, Keyvault secrets, or a mixed mode.
FalconHound is designed to be run as a scheduled task or cron job, and all log based queries are built to run every 15 minutes. It is recommended to run Sharphound and Azurehound on a regular basis, for example once a day/week or month, and FalconHound every 15 minutes. The project is licensed under the BSD3 License, meaning it can be used for free, even in commercial products, as long as credit is given.
Overall, FalconHound is a powerful tool that can be used to automate the process of gathering and analyzing data from various sources and targets. It can be used to keep a graph of an environment up-to-date, trigger alerts, generate enrichment lists, and more. It is a valuable tool for blue teamers and is licensed under the BSD3 License. For
👉🏽 FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool. One of the challenging aspects of BloodHound is that it is a snapshot in time. 👉🏽 FalconHound enhances the power of BloodHound, a graph-based cyber security tool. 👉🏽 It keeps a graph of the environment up-to-date and gathers session information from logs. 👉🏽 The information collected can be used to trigger alerts and generate enrichment lists. 👉🏽 CVE information, Azure activities, and user/group/computer data can be added to the graph. 👉🏽 It supports Azure Sentinel, Splunk, Microsoft Defender for Endpoint, Neo4j, and CSV files. 👉🏽 Actions are written in the native language of the source and target. 👉🏽 FalconHound can run all queries in the actions folder or a select set of actions. 👉🏽 Different config files and actions folders can be used. 👉🏽 It supports credentials from a keyvault, config.yml file, or Keyvault secrets. 👉🏽 FalconHound automates data gathering and analysis, making it invaluable for blue teamers.
🔗 source link: https://github.com/FalconForceTeam/FalconHound
#FalconHound #BlueTeamTool #DataAutomation #GraphBasedSecurity #BSD3License