BloodHound CE → Microsoft Defender for Identity
BloodHound CE ↔ Microsoft Defender for Identity: integration to migration path.
Microsoft Defender for Identity deploys alongside BloodHound CE first — its DC sensor rolls out to a canary, then forest-wide in waves, while your existing BloodHound graph stays untouched. Only once MDI is proven healthy does it take over continuous detection in phases, with BloodHound running the entire time. No flag day, no detection gap, and every phase rolls back in under 15 minutes.
The honest line we lead with: BloodHound is never retired. MDI takes the runtime SLA; BloodHound keeps ad-hoc Cypher, hybrid pathing and what-if. Both tools stay — that is the design.
The idea
Snapshot graph beside a continuous DC sensor.
The topology that makes this zero-downtime: BloodHound CE stays on a hardened Tier-0 jump host ingesting SharpHound and AzureHound on its own cadence, while the MDI sensor installs on every DC, AD FS, AD CS and Entra Connect host and streams alerts into Defender XDR. The two never talk directly — they share only the same DCs as observation targets and the same SIEM downstream. Because MDI installs are per-DC and zero-downtime by design, adding continuous detection cannot disturb the graph you already query, and the graph cannot perturb the new detection plane.
The phases
Seven steps. Each one reversible.
Baseline & inventory
We classify every DC by FQDN, OS, and replication mode, check EDR sensor-cohabit constraints, confirm Defender XDR tenant and E5 readiness, and inventory the BloodHound side — owned and high-value tags, SharpHound cadence, and UI access. Read-only.
Deploy MDI sensor to a canary DC
The MDI sensor goes onto one non-FSMO DC in a low-traffic site. We confirm it shows Healthy in Defender XDR with the capture driver bound, then inject a synthetic Kerberoast to prove alerting fires. BloodHound is unchanged.
Roll the sensor to every DC in waves
Sensors deploy site by site, smallest first, onto every DC plus the AD FS, AD CS and Entra Connect hosts: deploy, wait 48 hours, verify Healthy and alerting, proceed. During each wave's soak one DC per site is held sensor-less as a control, so a change in alert volume can be attributed to the sensor rather than the site; that DC receives its sensor before the next wave starts, because an uncovered DC is a blind spot for every authentication it services. BloodHound is unchanged.
Tag sensitive accounts; enable LMP and ISPA
We reconcile MDI's sensitive-account tagging against BloodHound's admin_tier_0 set, light up the Lateral Movement Path map, and triage the first ISPA findings into a remediation backlog. BloodHound's high-value tags are the source of truth.
Route SLAs to MDI; layer the correlation
Defender XDR Identity alerts become the SOC's primary SLA-bearing queue. BloodHound's nightly shortest-path exposure dump lands in a Sentinel custom table and a KQL rule joins the two, so analysts see graph context inline with an MDI alert.
Reduce BloodHound runtime overlap
Now that MDI owns continuous detection, SharpHound drops from nightly to weekly, AzureHound moves to weekly as well, and the BloodHound host is downsized one tier. The trade is explicit: HasSession and other session-derived edges can be up to a week stale, which is acceptable only because runtime detection no longer depends on them. BloodHound is explicitly not decommissioned; it stays the only ad-hoc Cypher, hybrid-pathing and red-team tool.
Steady state — both tools stay
MDI owns continuous detection, the LMP map, ISPA and Defender XDR correlation; BloodHound owns ad-hoc Cypher, hybrid pathing, what-if and sovereign graphs. SharpHound and AzureHound run weekly plus on-demand. This is a steady state, not a project.
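The correlation rule from the "Route SLAs to MDI; layer the correlation" phase, written out as an added KQL example (ours, not code the page or either vendor ships). It assumes the nightly BloodHound dump lands in a Sentinel custom table named BloodHoundExposure_CL with the columns ObjectId (the principal's SID, which is BloodHound's objectid property), Principal (BloodHound's name), HopsToTierZero and PathSummary; those column names and the 48-hour freshness window are assumptions. The join key is the SID rather than the account name, because BloodHound names principals as SAM@DOMAIN-FQDN in upper case while MDI's AccountUpn may carry a different UPN suffix.

```kql
// Assumed custom table: BloodHoundExposure_CL(TimeGenerated, ObjectId, Principal, HopsToTierZero, PathSummary)
let Exposure =
    BloodHoundExposure_CL
    | where TimeGenerated > ago(48h)                    // tolerate one missed nightly run
    | summarize arg_max(TimeGenerated, *) by ObjectId   // newest row per principal (keyed on SID)
    | project ObjectId, Principal, HopsToTierZero, PathSummary, DumpTime = TimeGenerated;
AlertInfo
| where TimeGenerated > ago(1h)                         // match the analytics rule schedule
| where ServiceSource == "Microsoft Defender for Identity"
| join kind=inner (
      AlertEvidence
      | where EntityType == "User" and isnotempty(AccountSid)
      | project AlertId, AccountSid, AccountUpn
  ) on AlertId
| join kind=inner Exposure on $left.AccountSid == $right.ObjectId
| extend ExposureAge = TimeGenerated - DumpTime          // how stale the graph context is
| project TimeGenerated, AlertId, Title, Severity, AttackTechniques,
          AccountUpn, Principal, HopsToTierZero, PathSummary, ExposureAge
| order by HopsToTierZero asc, TimeGenerated desc
```

Run it as a scheduled analytics rule. The 48-hour window tolerates one missed collection, and ExposureAge tells the analyst how old the graph context is. When the dump is absent the join simply yields nothing, so the MDI alert still reaches the SLA queue on its own; the graph context is an enrichment, never a gate.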
Feature parity
Where BloodHound matches MDI, and where it cannot.
| Capability | BloodHound CE | Microsoft Defender for Identity | Parity |
|---|---|---|---|
| AD collection | SharpHound / AzureHound / BloodHound.py collectors (LDAP + SMB enumeration) | MDI DC sensor on every DC, AD FS, AD CS and Entra Connect | Partial |
| Attack-path graph analysis | BloodHound shortestPath / allShortestPaths Cypher over the Neo4j graph | LMP map only; no arbitrary graph query interface | OSS only |
| Continuous vs snapshot detection | Per-collection snapshot; HasSession and other session-derived edges are only as fresh as the last SharpHound run | Continuous DC change-stream telemetry | SaaS only |
| Real-time IoA (Pass-the-Hash / DCSync) | Models the DCSync right; no runtime telemetry | Continuous PtH/PtT/Golden Ticket plus GetChangesAll DCSync detection in seconds | SaaS only |
| Identity-to-endpoint correlation | No endpoint table; correlation built by hand in the SIEM | Defender XDR joins IdentityLogonEvents, DeviceLogonEvents and AlertEvidence automatically | SaaS only |
| Lateral Movement Path map | HasSession plus AdminTo chains cover the same concept but go stale between collections | MDI LMP map: continuous, anchored on tagged sensitive accounts | SaaS only |
| Exposure indicators (posture) | SpecterOps customqueries.json (community-maintained) | ISPA plus Microsoft Secure Score for Identity (vendor-curated severity and remediation) | Partial |
| Remediation guidance | None native | ISPA findings with severity and remediation steps | SaaS only |
| Hybrid / Entra coverage | AzureHound static graph in the same Cypher graph; no E5 needed | Native Entra hybrid bridge (runtime alert path); E5-gated | Partial |
| SIEM / SOAR integration | REST export, wire it yourself (the BloodHoundExposure_CL custom table from the correlation phase) | First-class Defender XDR incidents plus Sentinel connector | Partial |
| ATT&CK mapping | Manual Cypher tagging | AlertInfo.AttackTechniques populated by Microsoft per alert | SaaS only |
| What-if / owned-principal modelling | owned: true mutable property; mutate the snapshot and re-query | Not supported | OSS only |
| Deployment model | Self-hosted Postgres + Neo4j bundle on a Tier-0 jump host | DC sensor plus SaaS Defender XDR backend | Partial |
| Cost model | Free, source-available | M365 E5 or stand-alone per-user licensing | Partial |
| Compliance evidence | Posture artifacts only; snapshot diffs are not audit logs | IdentityDirectoryEvents audit chain under the M365 DPA | SaaS only |
What we're honest about
The caveats most vendors leave out.
BloodHound replaces nothing MDI does at runtime
BloodHound CE is a point-in-time graph analyser with no runtime telemetry — it models the DCSync right but never sees the act, and has zero visibility into Pass-the-Hash, Pass-the-Ticket or Golden Ticket abuse. MDI's continuous DC-sensor detection is mandatory and stays. Any plan that turns MDI off, or BloodHound off, is rejected.
Identity-to-endpoint correlation is SaaS-only
Defender XDR automatically joins identity logon events to device logon events and alert evidence across MDI and Defender for Endpoint in one incident graph, and populates ATT&CK techniques per alert. BloodHound has no endpoint table — that correlation, and the native Entra hybrid alert bridge, cannot be reproduced from a snapshot.
LMP and ISPA have no OSS equivalent
The Lateral Movement Path map is continuous and vendor-curated but only anchors on tagged sensitive accounts, so a freshly-compromised service account stays invisible to it until it pivots — which is exactly why we keep BloodHound for non-anchor, arbitrary-source pathing. ISPA's curated hardening recommendations and Secure Score have no BloodHound parity; BloodHound has no recommendation engine.
The sensor can go silent, and the collector is a prize
Some EDRs treat the MDI capture driver as tampering, so the sensor can read Healthy in the portal while alerts quietly stop. We add EDR exclusions for the Azure ATP Sensor service (AATPSensor) and its capture driver, and inject a synthetic alert monthly to prove the pipeline end to end rather than trusting the health indicator. Separately, the SharpHound collector is itself a prize: its output is a map of every path to Tier-0, so collection runs only from the Tier-0 jump host under a dedicated account that holds nothing beyond the read rights collection needs. BloodHound snapshots are not audit logs; MDI IdentityDirectoryEvents plus forwarded events are.
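A heartbeat query for the silent-sensor case, as an added KQL example (ours, not the page's or Microsoft's). It assumes that each DC's own authentication and directory telemetry arrives in Sentinel's IdentityLogonEvents and IdentityDirectoryEvents with the DC recorded in DestinationDeviceName, and that a sensor whose capture has been blocked shows up as a collapse in that per-DC volume even while the portal still reports Healthy. The two-hour window, fourteen-day baseline and ten percent floor are assumptions to tune.

```kql
// Assumed: every sensored DC normally produces logon/directory telemetry every hour.
// Window, Baseline and Floor are tuning assumptions, not vendor defaults.
let Window   = 2h;
let Baseline = 14d;
let Floor    = 0.10;   // flag a DC that falls below 10% of its own hourly average
let PerDC =
    union
      (IdentityLogonEvents     | project TimeGenerated, DC = toupper(DestinationDeviceName)),
      (IdentityDirectoryEvents | project TimeGenerated, DC = toupper(DestinationDeviceName))
    | where isnotempty(DC);
let Expected =
    PerDC
    | where TimeGenerated between (ago(Baseline) .. ago(Window))
    | summarize Events = count() by DC
    | extend HourlyAvg = todouble(Events) / ((Baseline - Window) / 1h);   // per-DC baseline
let Recent =
    PerDC
    | where TimeGenerated > ago(Window)
    | summarize RecentEvents = count() by DC;
Expected
| join kind=leftouter Recent on DC                    // a DC with no recent rows must still appear
| extend RecentEvents = coalesce(RecentEvents, 0)
| extend RecentHourly = todouble(RecentEvents) / (Window / 1h)
| where RecentHourly < HourlyAvg * Floor
| project DC, HourlyAvg, RecentHourly, RecentEvents
| order by RecentHourly asc
```

Because the floor is relative to each DC's own baseline, a quiet canary DC is judged against its own history rather than a busy hub's. A DC that never had a sensor is invisible to this query, which is one more reason the sensor-less control in the rollout waves must not outlive its wave; and the monthly synthetic alert remains the end-to-end check, because event volume alone does not prove the detection logic fires.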
Why this beats a flag day
Reversible in minutes, soaked for a month.
Every phase is a per-DC sensor install, a tag reconciliation, or a cron job, so each one rolls back in under 15 minutes: uninstall a sensor, untag an account, or disable a KQL rule, and the rest keeps running. And because this is an integration rather than a cutover, the steady state is gated by a soak of at least 30 days, run while SharpHound is still nightly, with MDI as the primary detection source and zero Tier-0 paths on the daily BloodHound delta that BloodHound found and MDI missed. There is deliberately no phase that decommissions either tool, only one that retires duplicated effort, re-evaluated annually.
See whether MDI and BloodHound earn their seats together.
A call with a senior identity engineer. We map your DCs, your EDR-cohabit risk, your E5 licensing and your BloodHound tagging discipline, then tell you honestly where MDI's continuous detection is non-negotiable — and where BloodHound's ad-hoc Cypher stays the better tool.
Map my migration →