Applies to BloodHound Enterprise and CE

Rules are instructions that associate objects with zones and labels based on object ID, object relationships (expansion), and Cypher queries. BloodHound applies any rule changes during the next analysis operation.

Zone rules provide a logical method of ensuring objects appear in the appropriate zone, using either a Cypher query or a search for an object ID. If an object has been added to multiple zones, the most critical zone in your defined hierarchy takes precedence.

Label rules provide a flexible method of tagging objects in an environment. Objects can have multiple labels, and you can use those labels to search and filter with Cypher on the Explore page.
If your rules don’t show expected objects, see Troubleshoot missing objects.

Types

Rules are instructions that automatically tag objects into zones or labels. Think of them as the “how” behind the tagging process.
  • Object rules target specific objects and their related objects through “expansion”
  • Cypher rules tag objects based on custom query results
  • Default rules are system-managed and tag critical objects automatically

Rule expansion

Rules automatically include related objects based on the type of object that you select, expanding through relationships to tag additional objects (some exceptions apply). This “expansion” saves you time by tagging entire groups or organizational units at once. The following sections describe how different object types expand during the tagging process.
You can interrupt automatic inclusion of additional objects into Privilege Zones by requiring manual certification of the additional objects. See Certification to learn more.

Group-like expansion

Objects that behave like groups in Active Directory include all contained members within the zone/label. These include the following type (edge) relationships:

Structured expansion

Objects that provide structural organization include all contained objects within the zone/label. These include the following type (edge) relationships:

Control of tagged object expansion

During the tagging process for zones, the final step involves tagging all objects that contain (or provide external control of) the selected objects. For example, in Active Directory this means that all OUs, Containers, and GPOs that apply to any Tier Zero object are also tagged to the Tier Zero zone. If any OUs or Containers are tagged in the last step of the tagging process only (not because you explicitly selected them), the process won’t expand to tag other contained objects.

Define a rule

The process and screens for creating and editing rules are nearly the same for zones and labels. The primary difference is that certification is a BHE feature available for zones only. Unless you’re defining a rule as part of the zone or label creation process, be sure to select a zone or label first.

Step 1: Open the Privilege Zones page

If you’re defining a rule as part of the zone or label creation process, skip to Configure rule details below.
  1. In the left menu, click Privilege Zones.
  2. Click the Zones or Labels tab and select a specific zone or label. If you don’t select a zone or label first, the new rule will be associated with the default zone or label selection when you open the page (top position in the Zones or Labels summary and detail view).
Step 2: Configure rule details

  1. Click Create Rule.
  2. Enter all relevant information for the rule:
    Review rule expansion for more information about rule behavior.
    • Name (required): A unique name for the rule (e.g., PCI Assets)
    • Description (optional): A brief description of the rule’s purpose and scope (e.g., PCI assets)
    • Rule Type (required): The type of rule to use (e.g., Object ID or Cypher)
    • Automatic Certification (optional, BHE only): An option to choose how BloodHound certifies new objects (available for zones only)
Automatic Certification options
See Certification to learn more.
  • Initial members: Only the first set of objects in the rule are certified automatically
  • All members: Every object, including those tied to initial members, is certified automatically
  • Off: All certification is manual

Rule type configuration details (Object ID or Cypher)

Object ID
    1. In the Object Rule panel, type to search for an object by name or ID.
    2. Click the object to add it to the list of targeted objects. The Sample Results panel displays up to 200 sample results based on the selected object and expansion rules.
    Adding the following object types automatically includes (→) additional objects, as defined below:
    • OU/Container → All objects contained in the OU/container
    • Group → All objects with membership in the Group
    • AZResourceGroup/AZSubscription → All objects contained in the RG/Sub
    • AZGroup → All objects with membership in the group
    • AZRole → All objects with role assignments (or eligibility)
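As an added example (not from the BloodHound docs), the first query below is a Cypher rule body for the “PCI Assets” label used in the field table above; the second is an Explore-page query you can run before saving an Object ID rule on a group, to preview what group-like expansion will tag. Both assume a constructed naming convention (PCI-scoped computers have host names starting with PCI-), BloodHound’s Computer and Group node labels, the name and objectid properties, the MemberOf edge, and a placeholder group SID.

```cypher
// Added example, not BloodHound's own code.
// Assumptions: PCI-scoped computers are named "PCI-..." (constructed
// convention); Computer/Group labels, name/objectid properties and the
// MemberOf edge as used in BloodHound; the SID below is a placeholder.

// 1) Cypher rule body for a label named "PCI Assets". A rule query must
//    return the objects to tag; matching here is case-insensitive on the
//    computer's name (BloodHound stores names as upper-case FQDNs).
MATCH (c:Computer)
WHERE toUpper(c.name) STARTS WITH 'PCI-'
RETURN c

// 2) Preview of group-like expansion for an Object ID rule on a group:
//    every direct or nested member would be tagged along with the group.
//    Replace the placeholder objectid with the SID of the group you chose.
MATCH (g:Group {objectid: 'S-1-5-21-<placeholder>-1105'})
OPTIONAL MATCH (m)-[:MemberOf*1..]->(g)
RETURN g.name AS group, collect(DISTINCT m.name) AS expanded_members
```

If query 2 lists principals you did not expect, consider requiring manual certification for the zone (BHE) instead of relying on automatic expansion.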
Step 3: Complete rule creation

Click Save to finish creating the rule.

Edit or delete a rule

To edit or delete a rule, follow these steps:
Only users with the appropriate permissions can make changes. You cannot delete default rules.
Step 1: Locate a rule

  1. In the left menu, click Privilege Zones.
  2. Click the Zones or Labels tab and open the Detail View.
  3. Select the zone or label that contains the rule you want to edit or delete, then select the rule.
    Alternatively, you can use the search bar to quickly find a rule if you know its name.
Step 2: Edit or delete a rule

Choose one of the following options:
  • Edit a rule
  • Delete a rule
To edit a rule:
Only users with the appropriate permissions can make changes. You cannot disable some default rules.
  1. Click Edit to open the rule details.
  2. Make any necessary changes to the rule configuration. For example, you can modify the rule’s name, description, rule type, and certification settings (available for zones only). You can also disable or enable a rule by toggling the Enabled switch under the Rule Status section.
  3. Click Save Edits to apply your changes.

Troubleshoot missing objects

If a rule doesn’t show expected objects or appears empty, consider the following common causes:

Domain filter mismatch

The Domain selector filters which objects are visible in the zone or label view. If the selected domain doesn’t contain objects that match your rule criteria, the zone or label may appear empty or incomplete.

Solution: Check the domain selector and ensure you’ve selected the correct domain(s) that contain the expected objects.

Zone precedence conflicts

When an object matches rules in multiple zones, only the highest-priority zone in your Zone Order tags that object. Lower-priority zones won’t tag the object, even if their rules match. For example, if an object is tagged by both a Tier Zero rule and a Tier One rule, it will only appear in the Tier Zero zone.

Solution: Review your Zone Order and check whether objects are being tagged by higher-priority zones. You can verify this by checking the higher-priority zones for the missing objects.

Object deleted from graph

Objects are automatically deleted from the graph if they haven’t been observed within the configured retention period. BloodHound stores a timestamp on every object that is updated whenever a collection includes that object or references it. This ensures your data remains fresh and accurate over time. By default, objects are retained for 7 days after they were last seen. For Active Directory environments with the AD recycle bin enabled, objects are retained in BloodHound until they’ve been permanently deleted from AD (after the tombstone lifetime, which defaults to 180 days) plus the configured retention period. If an object has been deleted due to retention, it won’t appear in any zone or label, even if a rule targets it.

Solution: Check when the object was last seen by viewing the “Last Seen by BloodHound” attribute in the object’s entity panel on the Explore page. Review your data retention settings to understand the configured retention period. If the object reappears in the graph during a future data collection, the rule will automatically capture it (assuming the rule is still enabled).