Risks

Using saved queries to define anomalies and highlight authorization risks.

Risk scoring in Veza helps you identify and prioritize critical authorization issues across your cloud environments, enabling security and governance teams to focus their efforts for maximum impact. By assigning risk levels to queries that detect potentially dangerous access patterns, misconfigurations, or compliance violations, you can:

  • Triage identity and access issues at scale

  • Prioritize remediation efforts based on risk severity

  • Add risk context to access review decisions

  • Track risk metrics and trends over time

  • Enable risk-based alerting and automation

Use the Access Intelligence > Access Risks page to get an overview of all queries with risk levels and details about each entity flagged as a risk.

Access Risks overview

Risk Remediation and Details

Risks can have informational descriptions and remediation details that help teams understand and address security issues. Many out-of-the-box queries have these built-in, but you can add them for any risk by editing the saved query.

To view risk remediation and details:

  1. Hover over a query to show the "expand" icon

  2. Click the icon to open the sidebar

  3. Review the notes on the Risk Info and Details tabs

  4. Click Details to open the saved query details view

To add risk details and remediations:

  1. Open the Saved Query Details

  2. Click Edit to open in Query Builder

  3. Click Save

  4. On the Details tab, enter the details in the Risk Explanation and Risk Remediation sections. You can use markdown syntax to format the text.

  5. Click Save.

How Risk Scoring Works

Risk scores in Veza are calculated based on how many queries with risk levels return an entity in their results. The scoring system considers both:

  • The severity of risks (Critical, High, Medium, Low)

  • The total number of risks affecting an entity

Risk Score Calculation

Veza assigns a base score derived from the highest risk level an entity has, then increments the score based on additional risks:

Risk Level | Base Score | Points Per Additional Risk
Critical   | 90         | +4
High       | 75         | +3
Medium     | 50         | +2
Low        | 25         | +1

For example: An identity with 1 critical risk, 2 medium risks, and 1 low risk would have a score of 99:

  • 90 (base score for critical)

  • +4 (1 critical risk)

  • +4 (2 medium risks at +2 each)

  • +1 (1 low risk)
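
The calculation above applied to a set of query results, as an added example (not Veza's code or API). It follows the arithmetic of the worked example, where every risk, including the one that sets the base, adds its points. Assumptions: no upper cap is applied, entity-query pairs marked as exceptions do not count toward the score, and all entity and query names are constructed.

```python
from collections import defaultdict

# level -> (base score, points added per risk), from the table above
LEVELS = {"Critical": (90, 4), "High": (75, 3), "Medium": (50, 2), "Low": (25, 1)}


def risk_score(levels):
    """Score one entity from the risk levels of the queries that flag it."""
    if not levels:
        return 0  # assumption: an entity with no risks scores 0
    base = max(LEVELS[lvl][0] for lvl in levels)
    return base + sum(LEVELS[lvl][1] for lvl in levels)


def triage(findings, exceptions=frozenset()):
    """Rank entities by score, highest first.

    findings: iterable of (entity, query_name, risk_level) rows.
    exceptions: set of (entity, query_name) pairs marked as exceptions;
    assumed here not to count toward the score.
    """
    per_entity = defaultdict(list)
    for entity, query, level in findings:
        if (entity, query) not in exceptions:
            per_entity[entity].append(level)
    ranked = [(e, risk_score(lv), len(lv)) for e, lv in per_entity.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample data (entity and query names are made up).
FINDINGS = [
    ("alice", "Admin without MFA", "Critical"),
    ("alice", "Unused role 90d", "Medium"),
    ("alice", "Stale access key", "Medium"),
    ("alice", "Missing owner tag", "Low"),
    ("svc-backup", "Wildcard bucket access", "High"),
    ("svc-backup", "Stale access key", "Medium"),
    ("bob", "Missing owner tag", "Low"),
]
EXCEPTIONS = {("svc-backup", "Wildcard bucket access")}

if __name__ == "__main__":
    for entity, score, count in triage(FINDINGS, EXCEPTIONS):
        print(f"{entity:12} score={score:3} risks={count}")
```

With the exception in place, `svc-backup` is scored on its remaining Medium risk only, which is why an undocumented exception can hide a large drop in an entity's ranking.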

Working with Risks

Define Risks from Queries

  1. Create a query in Access Intelligence > Query Builder or open an existing saved query

  2. When saving the query, set the Risk Level to Warning or Critical

  3. Click Save to apply the risk level

You can also set risk levels for existing queries:

  1. Go to Access Intelligence > Saved Queries

  2. Filter by "Risk Level: None" to find queries without a risk level

  3. Click the Actions dropdown for a query and select Set Risk Level

View and Manage Risks

After creating queries with risk levels, you can investigate results from the Access Intelligence > Access Risks overview:

  1. Use the Risk Queries tab to:

    • Review all queries with risk levels

    • Expand a query to view entity details

    • Filter by label, risk level, and integration

    • Sort by time, name, risk level, total risks, or percent change

    • View trending changes over the selected time period

    • Open the actions menu on the right of each query to:

      • Manage Exceptions: Select entities to add or remove as exceptions

      • Manage Risk Level: Set a new risk level for the query

      • Open in Graph: Analyze entities and relationships in graph search

      • Open in Query Builder: View results and detailed attributes in Query Builder

      • Expand Risk Chart: Open the full trend chart, with the option to select a time range and save the image

  2. Use the Risks tab to:

    • View all individual entities currently flagged as risks

    • Filter and sort by risk level

    • Manage exceptions for individual risks

    • Export risk data for reporting

    • Use the actions menu on the right to:

      • Open the risk in graph or query builder

      • Mark the risk as an exception

      • Add an owner for the risk

      • Add a note

Making Exceptions

When an entity appears in query results with a risk level, it remains flagged as a risk until either:

  • The entity no longer matches the query conditions

  • The entity is marked as an exception

To manage exceptions:

  1. On the Risk Queries tab:

    • Choose a query and click Actions > Manage Exceptions

    • Or select individual entities and click Mark as Exception

  2. Add an optional note explaining why the exception was made

  3. Click Confirm to save the exception

You can also add filters to the original query to automatically exclude entities matching certain criteria.

Using Risk Scores in Access Reviews

Risk scores can provide important context during access reviews:

  1. Create review configurations targeting high-risk entities:

    • Use saved queries with risk levels to scope the review

    • Consider higher review frequencies for high-risk access

  2. During review, risk scores are visible to reviewers:

    • High scores may indicate access should be rejected

    • Reviewers can click risk indicators to view details

    • Notes can document risk-based decisions

Enable Risk-Based Alerting

Create Alert Rules to get notifications when:

  1. The number of entities with risks increases beyond a threshold

  2. New Critical or High risks are detected

  3. Risk scores change significantly

You can configure rules to trigger:

  • Email notifications

  • Slack messages

  • Jira tickets

  • ServiceNow incidents

  • Custom webhooks

  • On-demand Access Reviews

Recommendations

  • Start with built-in queries that detect common risks like over-privileged access and misconfigurations

  • Create custom queries for risks specific to your environment and security policies

  • Use risk scores to prioritize access review scheduling and remediation efforts

  • Document exceptions with notes to maintain an audit trail

  • Monitor risk trends over time to measure security program effectiveness

  • Enable alerts for critical risks that require immediate attention
