Skip to main content
Applies to BloodHound Enterprise and CE Selectors are rules that associate objects with zones and labels based on object ID, object relationships (expansion), and Cypher queries. BloodHound applies any selector changes during the next analysis operation. Zone selectors provide a logical method of ensuring objects appear in the appropriate zone using either a Cypher query or by searching for an object ID. If an object has been added to multiple zones, the most critical zone in your defined hierarchy takes precedence. Label selectors provide a flexible method of tagging objects in an environment. Objects can have multiple labels and you can use those labels to search and filter using Cypher in the Explore page.

Types

Selectors are rules that automatically tag objects into zones or labels. Think of them as the “how” behind the tagging process.
  • Object selectors target specific objects and their related objects through “expansion”
  • Cypher selectors tag objects based on custom query results
  • Default selectors are system-managed and tag critical objects automatically

Selector expansion

Selectors automatically include related objects based on the type of object that you select, expanding through relationships to tag additional objects (some exceptions apply). This “expansion” saves you time by tagging entire groups or organizational units at once. The following sections describe how different object types expand during the tagging process.
You can interrupt automatic inclusion of additional objects into Privilege Zones by requiring manual certification of the additional objects. See Certification to learn more.

Group-like expansion

Objects that behave like groups in Active Directory include all contained members within the zone/label. These include the following type (edge) relationships:

Structured expansion

Objects that provide structural organization include all contained objects within the zone/label. These include the following type (edge) relationships:

Tiered object control and exceptions

During the tagging process for zones, the final step involves tagging all objects that contain (or provide external control of) the selected objects. For example, in Active Directory this means that all OUs, Containers, and GPOs that apply to any Tier Zero object are also tagged to the Tier Zero zone. If any OUs or Containers are tagged in the last step of the tagging process only (not because you explicitly selected them), the process won’t expand to tag other contained objects.

Define a selector

The process and screens for creating and editing selectors is the same for zones and labels. Unless you’re defining a selector as part of the zone or label creation process, be sure to specify a specific zone or label first.
1

Open the Privilege Zones page

If you’re defining a selector as part of the zone or label creation process, skip to Configure selector details below.
  1. In the left menu, click Privilege Zones.
  2. Click the Zones or Labels tab and select a specific zone or label. If you don’t select a zone or label first, the new selector will be associated with the default zone or label selection when you open the page (top position in the Zones or Labels list).
2

Configure selector details

  1. Click Create Selector.
  2. Enter all relevant information for the selector:
Review selector expansion for more information about selector behavior.
FieldRequired?Description
NameYesA unique name for the selector (e.g., PCI Assets)
DescriptionNoA brief description of the selector’s purpose and scope (e.g., PCI assets)
Selector TypeYesThe type of selector to use (e.g., Object ID or Cypher)
Automatic CertificationNo[BHE Only] An option to choose how BloodHound certifies new objects
Automatic Certification options
See Certification to learn more.
  • Initial members: Only the first set of objects in the selector are certified automatically
  • All members: Every object, including those tied to initial members, is certified automatically
  • Off: All certification is manual Define a selector Selector type configuration details
    • Object ID
    • Cypher
    1. In the Object Selector panel, type to search for an object by name or ID.
    2. Click the object to add it to the list of targeted objects. Object ID selector configuration The Sample Results panel displays up to 200 sample results based on the selected object and expansion rules.
    Adding the following object types will automatically include (→) more objects according to the definition below
    • OU/Container → All objects contained in the OU/container
    • Group → All objects with membership in the Group
    • AZResourceGroup/AZSubscription → All objects contained in the RG/Sub
    • AZGroup → All objects with membership in the group
    • AZRole → All objects with role assignments (or eligibility)
3

Complete selector creation

Click Save to finish creating the selector.

Edit or delete a selector

To edit or delete a selector, follow these steps:
Only users with the appropriate permissions can make changes. You cannot delete default selectors.
1

Locate a selector

  1. In the left menu, click Privilege Zones.
  2. Click the Zones or Labels tab and open the Detail View.
  3. Select the zone or label that contains the selector that you want to edit or delete and select it.
    Alternatively, you can use the search bar to quickly find selector if you know the name.
2

Edit or delete a selector

Choose one of the following options:
  • Edit a selector
  • Delete a selector
To edit a selector:
Only users with the appropriate permissions can make changes. You cannot disable some default selectors.
  1. Click Edit to open the selector details.
  2. Make any necessary changes to the selector configuration. For example, you can modify the selector’s name, description, selector type, and certification settings. You can also disable or enable a selector by toggling the Enabled switch under the Selector Status section. Edit a selector
  3. Click Save Edits to apply your changes.