Applies to BloodHound Enterprise

Certification is an optional process that interrupts the automatic inclusion of additional objects in a zone through rule expansion by requiring those objects to be certified manually. It allows administrators or power users to manually review and approve objects before they appear in privilege zones. This process gives you control over zone membership and helps prevent unexpected additions from triggering false findings.

Why use certification?

Without certification, BloodHound automatically includes objects in zones as soon as they match a rule’s expansion criteria. This can create unexpected findings when objects are inadvertently added to privileged groups. For example, if a new user is added to the Domain Admins group, BloodHound immediately tags them to the Tier Zero zone and generates attack path findings for that user.

Certification solves this problem by requiring manual approval before objects are fully recognized within a zone. During the certification process, BloodHound still identifies the object’s relationship to the zone but generates a “Non-Certified Principal with Tier Zero Privileges” finding instead of standard attack path findings. This gives you time to review whether the object should remain in the zone or whether its group membership was a mistake.
BloodHound supports certification for zones only.

How certification works

When you enable certification for a zone:
  1. Objects that match the zone’s rules enter a pending state
  2. BloodHound generates findings indicating the objects require certification
  3. Administrators or power users review objects in the Certifications tab
  4. Once certified, objects are fully recognized in the zone and BloodHound generates standard findings
  5. Alternatively, you can remove objects from privileged groups to prevent zone membership
You can configure certification requirements at the zone level (to affect all rules) or at the individual rule level, giving you flexibility in managing object approvals.

Manage certifications

The Certifications tab on the Zone Builder page allows administrators and power users to review certification status and take action on objects in zones where certification has been configured.

When you open the Certifications tab, BloodHound selects All Statuses by default. This view helps you confirm whether a specific object is already present in a zone without running separate searches for each certification status. The table title shows All Statuses and the total number of objects currently listed across these statuses: Pending, User Certified, Automatic, and Rejected.

The certification table includes the following columns:

| Column | Description |
| --- | --- |
| Type | The object type |
| Status | The certification status for the object |
| Object Name | The display name of the object |
| Environment | The environment where the object exists |
| Zone | The zone that BloodHound Enterprise associates with the object based on the configured zone hierarchy |
| First Seen | The date and time the object was first seen in the zone |

  • You can certify or reject certification only for objects in zones where certification is enabled.
  • Objects appear in the certification queue only when their rules have Automatic Certification turned off.
To manage certifications:
1. Open the Certifications tab

   Navigate to the Privilege Zones > Certifications tab.

2. Filter certifications

   Use the status filter, environment filter, and search box to refine the results.

   Click the status dropdown menu and choose All Statuses, Pending, User Certified, Automatic, or Rejected. All Statuses is selected by default and lists objects across all statuses. The table title updates to match your selection and shows the total number of matching objects.

   Actions are only available for certifications that require manual approval. You cannot certify or reject objects with the Automatic status.

3. Complete the certification action

   1. Use the checkboxes to select one or more objects.
   2. Click Certify or Reject as needed.
   3. (Optional) Add a note to document the reason for your action.
      • Click Skip Note to complete the certification action without a note
      • Click Cancel to exit without completing the certification action

      Notes are visible to all BloodHound users in the History Log.