Risks

Using saved queries to define anomalies and highlight authorization risks.

Risk scoring in Veza helps you identify and prioritize critical authorization issues across your cloud environments, enabling security and governance teams to focus their efforts for maximum impact. By assigning risk levels to queries that detect potentially dangerous access patterns, misconfigurations, or compliance violations, you can:

  • Triage identity and access issues at scale

  • Prioritize remediation efforts based on risk severity

  • Add risk context to access review decisions

  • Track risk metrics and trends over time

  • Enable risk-based alerting and automation

Use the Access Intelligence > Risks page to get an overview of all queries with risk levels and details about each entity flagged as a risk.

Access Risks overview

Risk Remediation and Details

Risks can have informational descriptions and remediation details that help teams understand and address security issues. Many out-of-the-box queries have these built-in, but you can add them for any risk by editing the saved query.

To view risk remediation and details:

  1. Hover over a query to show the "expand" icon

  2. Click the icon to open the sidebar

  3. Review the notes on the Risk Info and Details tabs

  4. Click Details to open the saved query details view

To add risk details and remediations:

  1. Open the Saved Query Details

  2. Click Edit to open in Query Builder

  3. Click Save

  4. On the Details tab, enter the details in the Risk Explanation and Risk Remediation sections. You can use markdown syntax to format the text.

  5. Click Save.

How Risk Scoring Works

Risk scores in Veza are calculated from the number of risk-level queries whose results include an entity. The scoring system weighs both the severity of risks and their cumulative impact, using an algorithm designed to provide meaningful, comparable scores across all entities.

The algorithm considers:

  • The severity of the highest risk level (Critical, High, Medium, Low)

  • The total number and combination of risks affecting an entity

  • Diminishing returns to prevent score inflation

Risk Score Calculation

Veza uses a scoring algorithm that combines base scores with intelligent weighting to reflect risk severity and cumulative exposure. The algorithm prevents score inflation while accurately reflecting relative severity based on the number and severity of associated risks.

  1. An entity receives a base score determined by its highest risk severity:

    • Critical risks start at 75

    • High risks start at 50

    • Medium risks start at 35

    • Low risks start at 10

  2. Additional risks contribute weighted points to the base score through logarithmic scaling:

    • The scoring algorithm uses logarithmic scaling to prevent score inflation

    • Each additional risk contributes less than the previous one (diminishing returns)

    • Lower-severity risks contribute less when higher-severity risks are present

    • This approach ensures scores scale better as risk counts increase while maintaining meaningful differentiation

Examples:

Example 1: Single Critical Risk

An identity with 1 critical risk receives a score of 75 (the base score for critical risks).

Example 2: Multiple Risk Severities

An identity with 5 critical, 7 high, 10 medium, and 15 low severity risks receives a score of approximately 91. Diminishing returns prevent the score from inflating linearly—each additional critical risk contributes less than the previous one.

Example 3: Accumulating Critical Risks

An identity with 4 critical risks receives a score of approximately 83, showing how the score increases but with diminishing returns as more risks accumulate.

Example 4: Mixed Severity Risks

An identity with 2 high risks, 2 medium risks, and 2 low risks receives a score of approximately 55.

The high risks establish the base score (50), and the additional risks add points. Medium and low risks contribute minimally when higher-severity risks are present.
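The sketch below is an added illustration, not Veza's code or its published formula. It models the scheme described above as a base score for the highest severity plus a log-scaled sum of weighted additional risks. The base scores come from this page; the per-severity weights, the constant K, and the function names are assumptions fitted so that the output approximates Examples 1-4.

```python
import math

# Base scores per highest severity, as listed on this page.
BASE = {"critical": 75, "high": 50, "medium": 35, "low": 10}
ORDER = ["critical", "high", "medium", "low"]

# ASSUMPTIONS, not published values: weights for additional risks and the
# scaling constant K were fitted to the four examples on this page.
WEIGHT = {"critical": 1.0, "high": 0.9, "medium": 0.2, "low": 0.1}
K = 4.0


def risk_score(counts):
    """Score (0-100) for counts such as {"critical": 4, "high": 2}."""
    unknown = set(counts) - set(ORDER)
    if unknown:
        raise ValueError(f"unknown severity: {sorted(unknown)}")
    present = [s for s in ORDER if counts.get(s, 0) > 0]
    if not present:
        return 0.0  # entity appears in no risk query
    top = present[0]
    # One risk of the highest severity sets the base; all others are extras.
    extra = sum(WEIGHT[s] * (counts[s] - (s == top)) for s in present)
    # log2(1 + extra) grows slowly, so each added risk is worth less.
    return min(100.0, BASE[top] + K * math.log2(1 + extra))


def marginal_gains(severity, n):
    """Points contributed by the 2nd..nth risk of a single severity."""
    scores = [risk_score({severity: i}) for i in range(1, n + 1)]
    return [round(b - a, 2) for a, b in zip(scores, scores[1:])]


# Risk counts taken from Examples 1-4 on this page.
PAGE_EXAMPLES = [
    {"critical": 1},
    {"critical": 5, "high": 7, "medium": 10, "low": 15},
    {"critical": 4},
    {"high": 2, "medium": 2, "low": 2},
]

if __name__ == "__main__":
    for counts in PAGE_EXAMPLES:
        print(counts, round(risk_score(counts)))
    print("gain per extra critical:", marginal_gains("critical", 5))
```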

Understanding Risk Levels and Scores

It is important to understand the relationship between risk queries, scores, and risk level classifications:

  • Risk Levels: Saved queries are assigned risk levels (Critical, High, Medium, Low)

  • Risk Scores: When entities appear in risk queries, they receive a calculated score (0-100) based on the number and severity of queries they match

For example, an entity that appears only in High-level risk queries can still receive a score of 75, which places it in the "Critical" risk level category for display purposes. This distinction helps surface entities that have accumulated significant risk exposure even within a single severity category.

Working with Risks

Define Risks from Queries

  1. Create a query in Access Visibility > Query Builder or open an existing saved query

  2. When saving the query, set the Risk Level to Warning or Critical

  3. Click Save to apply the risk level

You can also set risk levels for existing queries:

  1. Go to Access Visibility > Queries

  2. Filter by "Risk Level: None" to find queries without a risk level

  3. Click the Actions dropdown for a query and select Set Risk Level

View and Manage Risks

After creating queries with risk levels, you can investigate results from the Access Visibility > Risks overview:

  1. Use the Risk Queries tab to:

    • Review all queries with risk levels

    • Expand a query to view entity details

    • Filter by label, risk level, and integration.

    • Sort by time, name, risk level, total risks, or percent change

    • View trending changes over the selected time period

    • Open the actions menu on the right of each query to:

      • Manage Exceptions: Select entities to add or remove as exceptions

      • Manage Risk Level: Set a new risk level for the query

      • Open in Graph: Analyze entities and relationships in graph search

      • Open in Query Builder: View results and detailed attributes in Query Builder

      • Expand Risk Chart: Open the full trend chart, with the option to select a time range and save the image

  2. Use the Risks tab to:

    • View all individual entities currently flagged as risks

    • Filter and sort by risk level

    • Manage exceptions for individual risks

    • Export risk data for reporting

    • Use the actions menu on the right to:

      • Open the risk in graph or query builder

      • Mark the risk as an exception

      • Add an owner for the risk

      • Add a note.

Making Exceptions

When an entity appears in query results with a risk level, it remains flagged as a risk until either:

  • The entity no longer matches the query conditions

  • The entity is marked as an exception

To manage exceptions:

  1. On the Risk Queries tab:

    • Choose a query and click Actions > Manage Exceptions

    • Or select individual entities and click Mark as Exception

  2. Add an optional note explaining why the exception was made

  3. Click Confirm to save the exception

You can also add filters to the original query to automatically exclude entities matching certain criteria.

Using Risk Scores in Access Reviews

Risk scores can provide important context during access reviews:

  1. Create review configurations targeting high-risk entities:

    • Use saved queries with risk levels to scope the review

    • Consider higher review frequencies for high-risk access

  2. During review, risk scores are visible to reviewers:

    • High scores may indicate access should be rejected

    • Reviewers can click risk indicators to view details

    • Notes can document risk-based decisions

Enable Risk-Based Alerting

Create Alert Rules to get notifications when:

  1. The number of entities with risks increases beyond a threshold

  2. New Critical or High risks are detected

  3. Risk scores change significantly

You can configure rules to trigger:

  • Email notifications

  • Slack messages

  • Jira tickets

  • ServiceNow incidents

  • Custom webhooks

  • On-demand Access Reviews

Recommendations

  • Start with built-in queries that detect common risks like over-privileged access and misconfigurations

  • Create custom queries for risks specific to your environment and security policies

  • Use risk scores to prioritize access review scheduling and remediation efforts

  • Document exceptions with notes to maintain an audit trail

  • Monitor risk trends over time to measure security program effectiveness

  • Enable alerts for critical risks that require immediate attention

Frequently Asked Questions

Why are you making this change to risk scoring?

We've received feedback from customers that our risk scoring should provide better risk differentiation and manageability. Customers wanted to ensure they have a manageable volume of risks that accurately reflect risk levels in their environment. The improved risk scoring algorithm addresses these concerns by using logarithmic scaling to prevent score inflation, ensuring that critical and high risks remain appropriately prioritized while providing better score distribution across all risk levels.

This is part of an ongoing initiative to enhance our risk scoring capabilities based on customer feedback and evolving security needs.

What changes should I expect to see with the new risk scores?

With the improved risk scoring algorithm, you'll see:

  • Fewer perfect scores: Scores of 100 will be less common, appearing only for entities with the most severe risk combinations

  • Better differentiation: Scores are more evenly distributed across the 0-100 range, making it easier to compare and prioritize entities

  • Maintained severity: Critical and high risk findings continue to score appropriately high

  • More meaningful scores: The logarithmic scaling ensures that scores accurately represent relative risk levels even as risk counts increase

What is the Bulk Omit feature?

Use "Bulk Omit" to exclude several risk queries from risk score calculations in a single action. This helps you:

  • Eliminate false positives: Remove queries that flag expected or approved configurations

  • Refine risk accuracy: Ensure displayed risk scores reflect actual security concerns

  • Save time: Update multiple exclusions simultaneously rather than one at a time

To use Bulk Omit:

  1. In Query Details > Results view, click on a risk score to view score details in the sidebar

  2. Click Bulk Omit

  3. Select the queries you want to exclude from the calculation

  4. Click Omit Selection to apply the bulk omit action

  5. The risk score will automatically recalculate within a few hours to reflect the changes

This feature is useful when you've identified queries that consistently produce false positives for certain entity types or configurations.

Do I need to update existing rules and alerts based on risk scores?

For most users, no immediate action is needed. However, you should review:

  • Downstream integrations: If you're passing risk scores to other applications, dashboards, or systems, verify they handle the new score distribution appropriately

  • Alert thresholds: If you have alerts configured with specific risk score thresholds, you may want to adjust them to account for the improved score distribution

  • Automation workflows: Any automated processes that trigger based on risk scores should be validated to ensure they still function as expected

We recommend monitoring your risk-based workflows for a short period after the update to ensure they continue to meet your needs.

Can I change a risk score for an individual entity?

Risk scores are calculated automatically based on the risk queries an entity appears in and cannot be manually modified. However, you can influence an entity's risk score by:

  • Using Bulk Omit: Exclude specific queries from the risk score calculation for that entity

  • Marking exceptions: Omit the entity from a risk query by marking it as an exception

  • Adjusting query criteria: Refine your saved queries to more accurately target genuine risks

  • Updating risk levels: Change the risk level assigned to specific queries

These approaches help ensure risk scores accurately reflect your organization's risk tolerance and security policies.

Who should I contact for more information or support?

If you have questions about risk scoring or need assistance:

  • Contact Veza Support: Reach out to your support team for help with risk score configuration, troubleshooting, or questions about the algorithm

  • Check the Alert Rules and other related documentation for additional guidance

For urgent issues or concerns about risk scoring changes, please contact Veza support immediately.
