Applies to BloodHound Enterprise and CE
Privilege Zones help you organize objects in your environment into logical groups based on their privilege and risk levels. Using Privilege Zones, you can monitor and maintain the security posture of tiered isolation models.
The Privilege Zones feature is available under early access.

Key concepts

The Zone Builder page provides tools for configuring and managing your Privilege Zones. Review the following key concepts to understand how Privilege Zones work and how to use them effectively:
  • Zone: A group of objects that represents a hierarchy of control across identity providers and services, based on access level. An object can belong to only one zone at a time (the highest-priority zone that matches).
  • Label: A flexible way to categorize objects for searching and filtering. An object can belong to multiple labels simultaneously.
  • Certification (Enterprise Edition): An optional review step that pauses automatic inclusion of newly matched objects in a zone until you certify them.
  • History: An audit log of changes made to zones, labels, and related rules.
Zones organize objects into a strict hierarchy. BloodHound analyzes how object privileges are assigned and where they can be escalated across your environment. By default, BloodHound includes a Tier Zero zone that represents a set of objects with full control over an environment and any objects with control over those objects. See Tier Zero: Members and Modification to learn more.
BloodHound Enterprise customers can create additional zones to match their organization’s security model. However, analyzing them requires the Privilege Zone Analysis feature (available for purchase). For more information, contact your sales representative.
If BloodHound Enterprise detects an object in a lower-privileged zone controlling an object in a higher-privileged zone, it reports that control relationship as a finding on the Attack Paths and Posture pages. For example, if a Tier One user can control a Tier Zero server, BloodHound flags it as a violation of the privilege model. This analysis helps you identify and remediate privilege escalation paths and misconfigurations that violate your security model.

Object membership

Before working with Privilege Zones, it’s important to understand how BloodHound assigns objects to zones and labels through the analysis process.
  • Object membership requires rule matching: Objects are only assigned to a zone or label if they match at least one of the zone’s or label’s rules
  • Zone membership is exclusive to the highest-priority zone: If multiple zone rules match an object, BloodHound assigns it to the highest-priority zone only
  • Objects can have multiple labels: Unlike zones, an object can match multiple label rules simultaneously
Most changes to Privilege Zones affect object membership and require analysis to run before you can validate the results. Understanding when you can expect to see results helps you maintain your configuration and validate remediation efforts.
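The three membership rules above, and the troubleshooting cases listed under Common issues (a zone rule that matches but a higher-priority zone wins; a deleted rule that was not the only match), can be made concrete with a small model. The following is an added example, not BloodHound's own code: rules are modelled as named Python predicates over a dictionary of object attributes, the zone names, priorities (lower number = higher priority) and directory objects are all constructed for illustration, and BloodHound's actual rule language and data model are not reproduced.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed, simplified model of Privilege Zone membership resolution.
# A rule is a (name, predicate) pair; this is an assumption for the example,
# not BloodHound's rule format.
Rule = Tuple[str, Callable[[dict], bool]]


@dataclass
class Zone:
    name: str
    priority: int  # lower number = higher priority (assumption for this model)
    rules: List[Rule]


@dataclass
class Label:
    name: str
    rules: List[Rule]


def matching_rules(rules: List[Rule], obj: dict) -> List[str]:
    """Names of the rules that match the object (empty list = no membership)."""
    return [name for name, predicate in rules if predicate(obj)]


def resolve_zone(zones: List[Zone], obj: dict) -> Optional[str]:
    """Zone membership is exclusive: of all zones with at least one matching
    rule, only the highest-priority one claims the object."""
    candidates = [z for z in zones if matching_rules(z.rules, obj)]
    if not candidates:
        return None
    return min(candidates, key=lambda z: z.priority).name


def resolve_labels(labels: List[Label], obj: dict) -> List[str]:
    """Labels are not exclusive: every label with a matching rule applies."""
    return [lb.name for lb in labels if matching_rules(lb.rules, obj)]


def explain(zones: List[Zone], labels: List[Label], obj: dict) -> dict:
    """Object-centric view: which rules in which zones and labels tag this object.
    This is the view you want when a rule matches but another zone takes
    precedence, or when a deleted rule was not the only one matching."""
    return {
        "zone": resolve_zone(zones, obj),
        "zone_rule_matches": {
            z.name: matching_rules(z.rules, obj)
            for z in zones
            if matching_rules(z.rules, obj)
        },
        "labels": resolve_labels(labels, obj),
    }


def without_rule(zone: Zone, rule_name: str) -> Zone:
    """Return a copy of the zone with one rule deleted (simulates a rule edit)."""
    return Zone(zone.name, zone.priority, [r for r in zone.rules if r[0] != rule_name])


# Constructed sample directory objects (not real data).
OBJECTS = {
    "alice": {"name": "ALICE", "type": "User", "groups": ["Domain Admins"],
              "ou": "OU=Admins,DC=corp,DC=example"},
    "bob": {"name": "BOB", "type": "User", "groups": ["Server Admins"],
            "ou": "OU=Admins,DC=corp,DC=example"},
    "ws": {"name": "WS-0042", "type": "Computer", "groups": [],
           "ou": "OU=Workstations,DC=corp,DC=example"},
}

# Constructed zones. Tier One's "admins-ou" rule also matches ALICE, but the
# higher-priority Tier Zero claims her, so she never appears in Tier One.
ZONES = [
    Zone("Tier Zero", 0, [("domain-admins", lambda o: "Domain Admins" in o["groups"])]),
    Zone("Tier One", 1, [
        ("server-admins", lambda o: "Server Admins" in o["groups"]),
        ("admins-ou", lambda o: o["ou"].startswith("OU=Admins,")),
    ]),
]

# Constructed labels. An object may carry several at once.
LABELS = [
    Label("Admin Account", [("admin-group", lambda o: any(g.endswith("Admins") for g in o["groups"]))]),
    Label("Privileged OU", [("admins-ou", lambda o: o["ou"].startswith("OU=Admins,"))]),
    Label("Workstation", [("ws-computer", lambda o: o["type"] == "Computer" and "Workstations" in o["ou"])]),
]


if __name__ == "__main__":
    for key, obj in OBJECTS.items():
        print(key, explain(ZONES, LABELS, obj))
    # Deleting Tier One's "server-admins" rule does not remove BOB from the
    # zone: the "admins-ou" rule still matches him.
    edited = [ZONES[0], without_rule(ZONES[1], "server-admins")]
    print("bob after rule deletion:", explain(edited, LABELS, OBJECTS["bob"]))
```

Running the block shows ALICE resolved to Tier Zero even though a Tier One rule matches her, BOB staying in Tier One after one of the two rules tagging him is deleted, and WS-0042 carrying a label without belonging to any zone. In the product, the same object-centric check is the object-based search mentioned under Common issues; the analysis run that recomputes membership is modelled here by simply re-evaluating the predicates.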

Workflow

The following steps represent the general workflow for making changes and validating the results:
1. Configure settings
Make any necessary changes to your zones, labels, and rules on the Zone Builder page.
2. Save changes
Save your configuration changes to automatically trigger analysis for any settings that affect object membership. All changes that affect object membership require analysis to run before you can validate the results. Actions that require analysis include:
  • Creating a new zone or label with a rule definition
  • Creating, editing, or deleting a rule definition for an existing zone or label
  • Editing the details of a zone or label that has a rule definition
  • Deleting a zone or label that has a rule definition
3. Wait for analysis to complete
Check your tenant status to monitor analysis progress. During analysis, BloodHound re-evaluates object membership against the updated configuration.
Analysis may take several minutes to complete depending on the size of your environment. Until analysis finishes, the Zone Builder Details View and related metrics will not reflect your latest changes.
4. Validate the results
Validate that your configuration changes have the expected results:
  1. Navigate to the Zone Builder page and verify that the expected objects are now included in (or excluded from) the relevant zones and labels.
  2. Review the Attack Paths and Posture pages for new findings or changes in existing findings related to the updated zones and labels.

Common issues

I created a new zone rule but don’t see any objects in the zone.
  • Analysis may still be running. Wait for it to complete before checking zone membership.
  • The rule may not match any objects. Review the rule definition and test with known objects.
  • Multiple zone rules may match the same objects. Check if another zone with higher priority is taking precedence for those objects.
I updated a zone rule but don’t see any changes.
  • Analysis is required for rule updates to take effect. Check the analysis status and wait for completion.
I deleted a zone rule and objects are still showing in the zone.
  • Other rules in the same zone may still match those objects. To see which rules are tagging a specific object, use the object-based search method.
  • Analysis may still be running. Wait for completion to see the final result.