Threat Detection Rules
Threat detection rules are sets of predefined criteria and conditions used to identify potential security threats within a system or network.
Hydden Threat Score Architecture
How Threat Scores Work
Hydden uses threat rules to generate a Threat Score (0–100) for every discovered account. The score is derived from 8 category totals, each capped at a maximum of 10 points, combined according to the configured aggregation method (see Aggregation Methods; the default is Totals Average). Each category total is calculated by aggregating the scores of the individual rules that match on a given account, following each rule's Propagation Type (max or sum), and is then capped at 10.
The 8 scoring categories are:
| Category | Max Score | Description |
|---|---|---|
| Account Activity | 10 | Stale accounts, failed login attempts |
| Account Statistics | 10 | Z-Score group membership deviations |
| Breach Data | 10 | Accounts affected by public breaches |
| Expired Accounts | 10 | Aggregated expiration data |
| Group Membership | 10 | Excessive group memberships |
| Owner Mapping | 10 | Unmapped, shared, or orphaned accounts |
| Password & Security | 10 | MFA status, password age, password hygiene |
| Privilege | 10 | Privileged groups, roles, unvaulted access |
| Total Threat | 100 | Account-level score combining all category totals (see Aggregation Methods) |
Threat Score Ranges
Hydden classifies threat scores into three severity levels:
| Range | Severity | Description |
|---|---|---|
| 0–24.99 | Low | Minimal risk indicators |
| 25–74.99 | Moderate | One or more categories contributing elevated risk |
| 75–100 | Critical | Multiple high-risk categories; immediate attention recommended |
Detection-Only vs Scored Rules
Detection-Only Rules
Some threat rules are configured as detection-only. These rules identify and flag matching accounts in reports but do not contribute to the account's threat score. Detection-only rules are useful for monitoring trends (e.g., password age 180+ days) without inflating scores.
Scored Rules
Scored rules contribute their configured score value to the relevant category total when they match on an account. Both rule types appear in Search Library reports when Show in Reports is enabled.
Aggregation Methods
The Total Threat aggregation rule combines the 8 category totals into a single account-level score. The aggregation method can be configured to one of three options:
| Method | Description |
|---|---|
| Totals Average (default) | Averages the 8 category totals to produce the final score |
| Maximum | Uses the highest single category total as the final score |
| Weighted Average | Applies configurable weights to each category before averaging |
NOTE
Contact Hydden Support to change the aggregation method for your tenant.
Aggregation rules then combine account-level threat scores to produce owner-level and tenant-level threat scores.
Tips to Improve Your Score
Use the Search Library to run reports with filters to identify categories and/or individual rules that negatively impact each account.
Target the rules and categories with the highest values first for the greatest reduction in threat scores. Start with the owners that have the highest threat scores, drill into their accounts, then into the categories, to find the most impactful rules.
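The scoring pipeline described above, from matching rules through capped category totals, the three aggregation methods and the severity ranges, down to the owner-to-account-to-category drill-down from the tips, as an added, self-contained model in Python. This is illustrative code written for this page, not Hydden's implementation: the Rule and account record shapes, the way max and sum propagation combine inside one category, the rescaling of the combined 0–10 value onto the 0–100 range, and the sample rules and account are all assumptions. Field names follow the Rule Properties Reference below.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The 8 scoring categories from the page; each category total is capped at 10.
CATEGORIES = ["Account Activity", "Account Statistics", "Breach Data", "Expired Accounts",
              "Group Membership", "Owner Mapping", "Password & Security", "Privilege"]
CATEGORY_CAP = 10.0

@dataclass
class Rule:
    """Subset of the rule properties listed on the page (record shape assumed)."""
    name: str
    category: str
    score: float                      # Score: 0-10 impact on the category total
    match: Callable[[dict], bool]     # predicate over an account record (shape assumed)
    propagation: str = "max"          # Propagation Type: "max" or "sum"
    detection_only: bool = False      # Detection Only: flag in reports, never score
    disabled: bool = False            # Disabled: present but not evaluated
    show_in_reports: bool = True      # Show in Reports

def category_totals(account: dict, rules: List[Rule]) -> Tuple[Dict[str, float], List[str]]:
    """Evaluate every enabled rule against one account; return capped per-category
    totals plus the names of all rules that fired (detection-only ones included)."""
    max_hits: Dict[str, List[float]] = {c: [] for c in CATEGORIES}
    sum_hits: Dict[str, List[float]] = {c: [] for c in CATEGORIES}
    flagged: List[str] = []
    for rule in rules:
        if rule.disabled or not rule.match(account):
            continue
        if rule.show_in_reports:
            flagged.append(rule.name)
        if rule.detection_only:
            continue
        bucket = sum_hits if rule.propagation == "sum" else max_hits
        bucket[rule.category].append(rule.score)
    totals: Dict[str, float] = {}
    for cat in CATEGORIES:
        # Assumed combination: "sum" rules are added together, "max" rules contribute
        # only their highest match, and the category total is then capped at 10.
        raw = sum(sum_hits[cat]) + (max(max_hits[cat]) if max_hits[cat] else 0.0)
        totals[cat] = min(raw, CATEGORY_CAP)
    return totals, flagged

def total_threat(totals: Dict[str, float], method: str = "totals_average",
                 weights: Optional[Dict[str, float]] = None) -> float:
    """Combine the 8 category totals into the account-level 0-100 Total Threat score."""
    values = [totals[c] for c in CATEGORIES]
    if method == "totals_average":
        combined = sum(values) / len(values)
    elif method == "maximum":
        combined = max(values)
    elif method == "weighted_average":
        if not weights:
            raise ValueError("weighted_average needs per-category weights")
        w = [weights.get(c, 1.0) for c in CATEGORIES]   # unlisted categories weigh 1
        combined = sum(v * wi for v, wi in zip(values, w)) / sum(w)
    else:
        raise ValueError(f"unknown aggregation method: {method}")
    # Assumption: the combined 0-10 value is rescaled onto the page's 0-100 range.
    return round(combined * (100.0 / CATEGORY_CAP), 2)

def severity(score: float) -> str:
    """Map a Total Threat score onto the page's three severity ranges."""
    if score < 25:
        return "Low"
    if score < 75:
        return "Moderate"
    return "Critical"

def top_contributors(totals: Dict[str, float]) -> List[Tuple[str, float]]:
    """Non-zero categories, highest first: where the drill-down from the tips starts."""
    return sorted(((c, t) for c, t in totals.items() if t > 0), key=lambda x: -x[1])

# Constructed sample rules and account: names, thresholds and scores are invented.
SAMPLE_RULES = [
    Rule("No MFA enrolled", "Password & Security", 8, lambda a: not a["mfa"]),
    Rule("Password age 90+ days", "Password & Security", 5, lambda a: a["password_age_days"] >= 90),
    Rule("Password age 180+ days", "Password & Security", 0, lambda a: a["password_age_days"] >= 180,
         detection_only=True),
    Rule("Member of Domain Admins", "Privilege", 7, lambda a: "Domain Admins" in a["groups"],
         propagation="sum"),
    Rule("Privileged credential not vaulted", "Privilege", 6,
         lambda a: "Domain Admins" in a["groups"] and not a["vaulted"], propagation="sum"),
    Rule("No login in 90+ days", "Account Activity", 6, lambda a: a["days_since_login"] >= 90),
    Rule("No owner mapped", "Owner Mapping", 5, lambda a: a["owner"] is None),
    Rule("Seen in public breach", "Breach Data", 9, lambda a: a["in_breach"]),
    Rule("Retired legacy check", "Account Statistics", 10, lambda a: True, disabled=True),
]
SAMPLE_ACCOUNT = {"name": "svc-backup", "mfa": False, "password_age_days": 200, "vaulted": False,
                  "groups": ["Domain Admins", "Backup Operators"], "days_since_login": 120,
                  "owner": None, "in_breach": False}

if __name__ == "__main__":
    totals, flagged = category_totals(SAMPLE_ACCOUNT, SAMPLE_RULES)
    for method in ("totals_average", "maximum"):
        score = total_threat(totals, method)
        print(f"{method:15s} -> {score:6.2f} ({severity(score)})")
    print("flagged:", flagged)
    print("fix first:", top_contributors(totals)[:3])
```

For the sample account the two Privilege rules add up to 13 and are capped to 10, the two Password & Security rules collapse to the higher 8, and the 180-day password rule appears in the flagged list without moving any total. The same totals then land at 36.25 (Moderate) under Totals Average but 100 (Critical) under Maximum, which is the practical reason the aggregation method matters: one saturated category is diluted by seven quiet ones when averaged and dominates when the maximum is taken.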
Supported Compliance Frameworks
Threat rules can be mapped to compliance framework controls. The following frameworks are supported:
| Framework | Description |
|---|---|
| NIST CSF V2.0 | NIST Cybersecurity Framework Version 2.0 |
| CIS | Center for Internet Security Controls |
| CRITIER4V2 | CRITIER Framework Version 2 |
Each rule can reference a specific framework and control function (e.g., NIST CSF V2.0 / PR.AA-05).
Rule Properties Reference
Each threat detection rule supports the following configuration properties:
| Property | Description |
|---|---|
| Name | Descriptive name for the rule |
| Score | Impact value (0–10) contributed to the category total |
| Propagation Type | How scores aggregate: max (highest match wins) or sum (all matches added) |
| Show in Reports | Whether the rule appears in Search Library reports |
| Show in Impact | Whether the rule contributes to the Identity Posture threat score |
| Disabled | Whether the rule is inactive (present but not evaluated) |
| Detection Only | Whether the rule flags accounts without contributing to the score |
| Is Alert | Whether the rule triggers an alert notification |
| Is Repeatable | Whether the rule can trigger multiple times for the same account |
| Allow Workflow Trigger | Whether the rule can trigger automated workflows |
| Platform Filter | Restricts the rule to specific platforms |
| Data Source Filter | Restricts the rule to specific data sources |
| Framework | Compliance framework reference (e.g., NIST CSF V2.0) |
| Function | Specific framework control function (e.g., PR.AA-03) |
| Recommendation | Suggested remediation action for matching accounts |
