Applies to BloodHound Enterprise and CE

Zones define hierarchical privilege levels in your environment based on a tiered administration model. The most common tiering model is Microsoft’s Enterprise Access Model. BloodHound uses zones to measure risk and detect violations. Each zone has a specific tier level (Tier Zero is the default and highest). You can create multiple zones (e.g., Tier One, Tier Two) to match your security model.

The Zones tab offers two views:
  • Summary View
  • Detail View
The Summary View shows each zone's name, selector count, member count, and position in the hierarchy relative to other zones (the top zone is most critical).

Create a zone

Creating a zone involves configuring the zone details and defining a selector.
See Selectors for more detailed information about defining selectors and using certification to control expansion behavior before you create a zone or label. The content in this section provides a high-level overview only.
1. Open the Privilege Zones page

In the left menu, click Privilege Zones > Zones > Create Zone.
2. Configure initial zone details

Enter all relevant information about the zone:
Field | Required? | Description
Name | Yes | A unique name for the zone (e.g., Server Tier)
Description | No | A brief description of the zone’s purpose and scope (e.g., PCI assets)
Require Certification | No | [BHE Only] An option to mandate certification for all members within this zone
Apply Custom Glyph | No | [BHE Only] Option to apply a custom glyph to visually distinguish members of this zone in the Explore page
3. Define a selector

Click Define Selector to save your new Privilege Zone and continue on to define the objects to include in the zone.
When defining a selector during the zone creation process, provide the following information:
Field | Required? | Description
Name | Yes | A unique name for the selector (e.g., PCI Assets)
Description | No | A brief description of the selector’s purpose and scope (e.g., PCI assets)
Selector Type | Yes | The type of selector to use (e.g., Object ID or Cypher)
Automatic Certification | No | [BHE Only] An option to choose how BloodHound certifies new objects
4. Complete zone creation

Click Save to finish creating the zone.

Edit or delete a zone

To edit or delete an existing zone, follow these steps:
You cannot delete the default Tier Zero zone, but you can modify its properties. See Modify Tier Zero for more information.
1. Select a zone

Navigate to the Privilege Zones page, select the zone you want to edit or delete, and click Edit.
2. Edit or delete a zone

Choose one of the following actions:
  • Edit a zone
  • Delete a zone
To edit the zone:
  1. Modify one of the available fields. For example, you can modify the zone’s name, description, certification requirements, and custom glyph.
  2. With the exception of the default Tier Zero zone, you can also change the zone’s hierarchical position by using the vertical grip control in the Zone Order panel to reorder it.
  3. Click Save Edits to apply your changes.