Applies to BloodHound Enterprise and CE

Rules are instructions that associate objects with zones and labels based on object ID, object relationships (expansion), and Cypher queries. BloodHound applies any rule changes during the next analysis operation.

Zone rules provide a logical method of ensuring objects appear in the appropriate zone, using either a Cypher query or an object ID search. If an object has been added to multiple zones, the most critical zone in your defined hierarchy takes precedence.

Label rules provide a flexible method of tagging objects in an environment. Objects can have multiple labels, and you can use those labels to search and filter with Cypher on the Explore page.

Types

Rules are instructions that automatically tag objects into zones or labels. Think of them as the “how” behind the tagging process.
  • Object rules target specific objects and their related objects through “expansion”
  • Cypher rules tag objects based on custom query results
  • Default rules are system-managed and tag critical objects automatically

Rule expansion

Rules automatically include related objects based on the type of object that you select, expanding through relationships to tag additional objects (some exceptions apply). This “expansion” saves you time by tagging entire groups or organizational units at once. The following sections describe how different object types expand during the tagging process.
You can interrupt automatic inclusion of additional objects into Privilege Zones by requiring manual certification of the additional objects. See Certification to learn more.

Group-like expansion

Objects that behave like groups in Active Directory include all contained members within the zone/label. These include the following type (edge) relationships:

Structured expansion

Objects that provide structural organization include all contained objects within the zone/label. These include the following type (edge) relationships:

Control of tagged object expansion

During the tagging process for zones, the final step involves tagging all objects that contain (or provide external control of) the selected objects. For example, in Active Directory this means that all OUs, Containers, and GPOs that apply to any Tier Zero object are also tagged to the Tier Zero zone. If any OUs or Containers are tagged in the last step of the tagging process only (not because you explicitly selected them), the process won’t expand to tag other contained objects.

Define a rule

The process and screens for creating and editing rules are nearly the same for zones and labels. The primary difference is that certification is a BHE feature available for zones only. Unless you're defining a rule as part of the zone or label creation process, select the zone or label the rule belongs to first.
Step 1: Open the Privilege Zones page

If you’re defining a rule as part of the zone or label creation process, skip to Configure rule details below.
  1. In the left menu, click Privilege Zones.
  2. Click the Zones or Labels tab and select a specific zone or label. If you don't select a zone or label first, the new rule is associated with whichever zone or label is selected by default when you open the page (the top entry in the Zones or Labels summary and detail view).
Step 2: Configure rule details

  1. Click Create Rule.
  2. Enter all relevant information for the rule:
    Review rule expansion for more information about rule behavior.
    Field | Required? | Description
    Name | Yes | A unique name for the rule (e.g., PCI Assets)
    Description | No | A brief description of the rule's purpose and scope (e.g., PCI assets)
    Rule Type | Yes | The type of rule to use (e.g., Object ID or Cypher)
    Automatic Certification | No | [BHE Only] An option to choose how BloodHound certifies new objects (available for zones only)
Automatic Certification options
See Certification to learn more.
  • Initial members: Only the first set of objects in the rule are certified automatically
  • All members: Every object, including those tied to initial members, is certified automatically
  • Off: All certification is manual

Rule type configuration details

    1. In the Object Rule panel, type to search for an object by name or ID.
    2. Click the object to add it to the list of targeted objects.
    The Sample Results panel displays up to 200 sample results based on the selected object and expansion rules.
    Adding the following object types will automatically include (→) more objects according to the definition below
    • OU/Container → All objects contained in the OU/container
    • Group → All objects with membership in the Group
    • AZResourceGroup/AZSubscription → All objects contained in the RG/Sub
    • AZGroup → All objects with membership in the group
    • AZRole → All objects with role assignments (or eligibility)
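As an added example (not from the BloodHound documentation), the following shows a Cypher rule query that selects the objects to tag, and an Explore query that filters on the resulting label once analysis has run. The OU name, the label name "PCI Assets", and the assumption that BloodHound exposes that label as the node label `Tag_PCI_Assets` are all assumptions for illustration.

```cypher
// Added example, not from the BloodHound docs. Assumptions: an OU whose name
// begins with "PCI" exists, and the label created from this rule is named
// "PCI Assets", exposed by BloodHound as the node label Tag_PCI_Assets.

// 1) Cypher rule query: select every enabled computer nested anywhere below
//    an OU whose name starts with PCI. Unlike an Object rule on the OU itself,
//    this does not expand to users, groups or disabled hosts in the same OU.
MATCH (ou:OU)-[:Contains*1..]->(c:Computer)
WHERE toUpper(ou.name) STARTS WITH 'PCI'
  AND c.enabled = true
RETURN c

// 2) Explore query after the next analysis run: list principals that hold
//    direct admin rights on any tagged PCI asset, for access review.
MATCH p = (n)-[:AdminTo]->(c:Computer:Tag_PCI_Assets)
RETURN p
```

Because BloodHound only applies rule changes during the next analysis operation, the second query returns nothing until that run has completed.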
Step 3: Complete rule creation

Click Save to finish creating the rule.

Edit or delete a rule

To edit or delete a rule, follow these steps:
Only users with the appropriate permissions can make changes. You cannot delete default rules.
Step 1: Locate a rule

  1. In the left menu, click Privilege Zones.
  2. Click the Zones or Labels tab and open the Detail View.
  3. Select the zone or label that contains the rule you want to edit or delete, then select the rule.
    Alternatively, you can use the search bar to quickly find the rule if you know its name.
Step 2: Edit or delete a rule

Choose one of the following options:
To edit a rule:
Only users with the appropriate permissions can make changes. You cannot disable some default rules.
  1. Click Edit to open the rule details.
  2. Make any necessary changes to the rule configuration. For example, you can modify the rule's name, description, rule type, and certification settings (available for zones only). You can also disable or enable a rule by toggling the Enabled switch under the Rule Status section.
  3. Click Save Edits to apply your changes.