[Feature Request] Ability to save & export settings and custom queries

[BZHuntShampu]

As this enhanced BloodHound project grows, surely more and more customization options will be developed.

It'd be nice to be able to export/import those options along with settings and even customized queries in order to harmonize different instances of BloodHound CE.

[zinic]

We have this feature tracked internally and have plans to implement it. When we start moving on it we will provide updates to this issue.

Initial expectation is that we will support the existing custom query JSON format for import and export.

[StephenHinck]

On re-reading, this is slightly different than #31, so will leave open.

[n3rada]

I'm trying to figure out how the new community version works. I don't understand how to implement the customqueries.json that I had in the old bloodhound operation. If anyone knows...

[StephenHinck]

The queries presented within the UI are presently stored within bhce/packages/javascript/bh-shared-ui/src/commonSearches.tsx. We will be adding mechanisms to more easily import/export saved queries in the future.

[init5-SF]

The queries presented within the UI are presently stored within bhce/packages/javascript/bh-shared-ui/src/commonSearches.tsx. We will be adding mechanisms to more easily import/export saved queries in the future.

Hello @StephenHinck , once this feature has been implemented, is it gonna be announced anywhere?
Thanks!

[StephenHinck]

Yes, all changes to features/functionality are included in release notes and this issue request would be closed at that time.

[MJLpl]

Is there the way to currently get customqueries.json mounted inside docker image?

[StephenHinck]

If you have existing customqueries, you could write a quick API integration to read those files and add them as saved queries within BHCE. See https://support.bloodhoundenterprise.io/hc/en-us/articles/11311053342619 for more details on how to use the API!

[init5-SF]

@StephenHinck hi,
Does bloodhound CE use the same syntax for queries as legacy bloodhound?
I've tried running ciphers manually on the CE version but they threw errors.

[StephenHinck]

It does. However, we still need to pull through support for a few cypher verbs, which is generally where you run into those issues today.

[exploide]

you could write a quick API integration to read those files and add them as saved queries within BHCE

So I did this. I'm developing bloodhound-cli, a CLI tool for the BloodHound CE API. I recently added a queries subcommand to import and export custom queries.

$ bhcli queries my-bloodhound-queries.json
INFO: Imported 12 custom queries.

$ bhcli queries --save queries-backup.json
INFO: Saved 12 queries to queries-backup.json

The --save option produces a comparably simple file format but import is also possible with legacy BloodHound's customqueries.json format. Note that not everything from the latter might be compatible with BloodHound CE.

I hope this is useful for someone.

[init5-SF]

you could write a quick API integration to read those files and add them as saved queries within BHCE

So I did this. I'm developing bloodhound-cli, a CLI tool for the BloodHound CE API. I recently added a queries subcommand to import and export custom queries.

$ bhcli queries my-bloodhound-queries.json
INFO: Imported 12 custom queries.

$ bhcli queries --save queries-backup.json
INFO: Saved 12 queries to queries-backup.json

The --save option produces a comparably simple file format but import is also possible with legacy BloodHound's customqueries.json format. Note that not everything from the latter might be compatible with BloodHound CE.

I hope this is useful for someone.

Hello @exploide, this looks very promising!
Can it actually import any type of custom queries from legacy BloodHound to the CE version?🤔 (i.e. AD CS queries, etc.)
If not, what are the queries that aren't supported yet?

[exploide]

Hello @exploide, this looks very promising!
Can it actually import any type of custom queries from legacy BloodHound to the CE version?🤔 (i.e. AD CS queries, etc.)
If not, what are the queries that aren't supported yet?

It doesn't do any conversion, it just automates the import of queries. If the query uses legacy properties which changed in BHCE, the query won't work (however, the import would probably look successful ). For example the way high value / tier 0 nodes are tagged changed between BloodHound legacy and CE, so this will not be compatible. The ADCS stuff also got completely reinvented.
Furthermore, BloodHound legacy had this optional node selection feature, where you needed to select a node from a selection widget before the query actually runs. This does not exist in BHCE and such queries are not imported by bhcli.

[init5-SF]

Hello @exploide, this looks very promising!
Can it actually import any type of custom queries from legacy BloodHound to the CE version?🤔 (i.e. AD CS queries, etc.)
If not, what are the queries that aren't supported yet?

It doesn't do any conversion, it just automates the import of queries. If the query uses legacy properties which changed in BHCE, the query won't work (however, the import would probably look successful ). For example the way high value / tier 0 nodes are tagged changed between BloodHound legacy and CE, so this will not be compatible. The ADCS stuff also got completely reinvented. Furthermore, BloodHound legacy had this optional node selection feature, where you needed to select a node from a selection widget before the query actually runs. This does not exist in BHCE and such queries are not imported by bhcli.

Huge bummer. :(
Converting legacy queries to the new CE queries format is basically what I've been seeking desperately ever since CE version was released.
If you could add such functionality to bhcli this would be a total lifesaver for a larger number of BH users!

[exploide]

Huge bummer. :(
Converting legacy queries to the new CE queries format is basically what I've been seeking desperately ever since CE version was released.
If you could add such functionality to bhcli this would be a total lifesaver for a larger number of BH users!

I understand your problem but I fear this is no easy task. And while it might be possible to have some kind of conversion script for typical cases (which would probably fail in a lot of edge cases) I don't really see this in scope of bhcli. This would rather be a script on its own. Though haven't seen any of this yet.
I don't know if you deal with hundreds of queries, but I guess many users will just adapt their most important queries by hand.