Using saved queries to define anomalies and highlight authorization risks.
Last updated
Was this helpful?
Risk scoring in Veza helps you identify and prioritize critical authorization issues across your cloud environments, enabling security and governance teams to focus their efforts for maximum impact. By assigning risk levels to queries that detect potentially dangerous access patterns, misconfigurations, or compliance violations, you can:
Triage identity and access issues at scale
Prioritize remediation efforts based on risk severity
Add risk context to access review decisions
Track risk metrics and trends over time
Enable risk-based alerting and automation
Use the Access Intelligence > Access Risks page to get an overview of all queries with risk levels and details about each entity flagged as a risk.
Risks can have informational descriptions and remediation details that help teams understand and address security issues. Many out-of-the-box queries have these built-in, but you can add them for any risk by editing the saved query.
To view risk remediation and details:
Hover over a query to show the "expand" icon
Click the icon to open the sidebar
Review the notes on the Risk Info and Details tabs
Click Details to open the saved query details view
To add risk details and remediations:
Open the Saved Query Details
Click Edit to open in Query Builder
Click Save
On the Details tab, enter the details in the Risk Explanation and Risk Remediation sections. You can use markdown syntax to format the text.
Click Save.
Risk scores in Veza are calculated based on how many queries with risk levels an entity appears in the results of. The scoring system considers both:
The severity of risks (Critical, High, Medium, Low)
The total number of risks affecting an entity
Veza assigns a base score derived from the highest risk level an entity has, then increments the score based on additional risks:
Critical
90
+4
High
75
+3
Medium
50
+2
Low
25
+1
For example: An identity with 1 critical risk, 2 medium risks, and 1 low risk would have a score of 99:
90 (base score for critical)
+4 (1 critical risk)
+4 (2 medium risks at +2 each)
+1 (1 low risk)
Create a query in Access Intelligence > Query Builder or open an existing saved query
When saving the query, set the Risk Level to Warning or Critical
Click Save to apply the risk level
You can also set risk levels for existing queries:
Go to Access Intelligence > Saved Queries
Filter by "Risk Level: None" to find queries without a risk level
Click the Actions dropdown for a query and select Set Risk Level
After creating queries with risk levels, you can investigate results from the Access Intelligence > Access Risks overview:
Use the Risk Queries tab to:
Review all queries with risk levels
Expand a query to view entity details
Filter by label, risk level, and integration.
Sort by time, name, risk level, total risks, or percent change
View trending changes over the selected time period
Open the actions (⋮) menu on the right of each query to:
Manage Exceptions: Select entities to add or remove as exceptions
Manage Risk Level: Set a new risk level for the query
Open in Graph: Analyze entities and relationships in graph search
Open in Query Builder: View results and detailed attributes in Query Builder
Expand Risk Chart: Open the full trend chart, with the option to select a time range and save the image
Use the Risks tab to:
View all individual entities currently flagged as risks
Filter and sort by risk level
Manage exceptions for individual risks
Export risk data for reporting
Use the actions (⋮) menu on the right to:
Open the risk in graph or query builder
Mark the risk as an exception
Add an owner for the risk
Add a note.
When an entity appears in query results with a risk level, it remains flagged as a risk until either:
The entity no longer matches the query conditions
The entity is marked as an exception
To manage exceptions:
On the Risk Queries tab:
Choose a query and click Actions > Manage Exceptions
Or select individual entities and click Mark as Exception
Add an optional note explaining why the exception was made
Click Confirm to save the exception
You can also add filters to the original query to automatically exclude entities matching certain criteria.
Risk scores can provide important context during access reviews:
Create review configurations targeting high-risk entities:
Use saved queries with risk levels to scope the review
Condider higher review frequencies for high-risk access
During review, risk scores are visible to reviewers:
High scores may indicate access should be rejected
Reviewers can click risk indicators to view details
Notes can document risk-based decisions
Create Alert Rules to get notifications when:
The number of entities with risks increases beyond a threshold
New Critical or High risks are detected
Risk scores change significantly
You can configure rules to trigger:
Email notifications
Slack messages
Jira tickets
ServiceNow incidents
Custom webhooks
On-demand Access Reviews
Start with built-in queries that detect common risks like over-privileged access and misconfigurations
Create custom queries for risks specific to your environment and security policies
Use risk scores to prioritize access review scheduling and remediation efforts
Document exceptions with notes to maintain an audit trail
Monitor risk trends over time to measure security program effectiveness
Enable alerts for critical risks that require immediate attention
