Risks

Using queries to define anomalies and highlight authorization risks.

Risks overview

Veza Risks enable identification and monitoring of the results of any Saved Query. After assigning a Risk Level to a built-in or user-created Query, you can use the Access Intelligence > Risks page to track trends, changes, and individual entities in the query results.

Enabling Show Risks in Graph Search will highlight any entities found in the results of a Query that has a Risk Level. Some built-in queries already have a Risk Level, for quick visibility into common misconfigurations and anomalies.

User-defined risks

To define a Risk from the Query Builder:

  1. Create a query, such as:

    • Entity Type: Okta User.

    • Related To: AWS S3 Bucket.

    • Attribute Filter: Default Encryption Enabled, Equals, false.

    • Tags Filter: PII:PCI.

  2. When saving the query, set the Risk Level to Warning or Critical.

To set the Risk Level for an existing Saved Query:

  1. Browse to Access Search > Saved Queries.

  2. Filter by Risk Level: None to find queries without a Risk Level.

  3. Find the query you want to see Risks for.

  4. Click the Actions dropdown for the query, and click Set Risk Level.

To optionally set Alert Rules for notifications and webhooks, click Actions > Configure Alert Rule. Rules will trigger alerts based on changes in the count or properties of query results. For example, a Rule can ensure that critical resources always have two users with administrator permissions in case one account becomes unavailable.

Using the risks panel

After creating a query and setting a Risk Level (or adding a Risk Level to a built-in Query), you can investigate the results from the Access Intelligence > Risks overview. Here, you can:

  • Review all Risk Queries and filter by Risk Level, Integrations, or Labels.

  • See trending changes for the past week or past month.

  • View Risk Query results for a single Query, or all Risks.

  • Open Risks in Graph or Query Builder.

  • Make exceptions for specific entities.

Making exceptions for individual risks

Veza flags every entity in the results of a Query with a Risk Level as a Risk. Each entity remains a Risk until it's no longer in the query results, or it's marked as an exception.

You can manage exceptions in bulk for any query with a risk level using the Risk Queries tab by choosing a query and clicking Actions > Manage Exceptions.

On the Risks tab, use Actions > Mark as Exception to exclude individual entities. Or, find the entities on the list of Risks, and pick one or more using the checkboxes.

Mark individual entities as exceptions if they are approved as safe or are not reasonably actionable (such as system users and groups). An optional note can provide other users with context for the decision.

Note that you could also add a filter to the original query, to exclude all entities with a matching attribute from appearing in results.

You can view all queries marked as Risks by filtering Saved Queries by Risk level. To prevent a query from generating Risks, remove the Risk Level using the Saved Queries actions menu.

Risk scores

All entities have a Risk Score attribute that changes based on how many queries with a Risk Level include the entity in their results. Risk scores are calculated according to the following rules:

  • Risk scores always range from 0 to 100.

  • Entities with any Warning risks start with a base score of 25.

  • Entities with any Critical risks start with a base score of 75.

  • Entities accumulate additional points for each risk: 1 point for a Warning risk, and 3 points for a Critical risk.

  • If an entity doesn't have a Critical risk, the maximum score is 75.

  • If an entity has a Critical risk, the maximum score is 100.
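
The scoring rules above, modeled as an added example for triage planning (not Veza's own code or API). It assumes every risk, including the first, adds its points on top of the base score, and that an entity with no risks scores 0; `risk_score`, `score_entities` and the sample entities are hypothetical.

```python
from collections import Counter

# Constants taken from the scoring rules above.
BASE = {"warning": 25, "critical": 75}
POINTS = {"warning": 1, "critical": 3}
CAP = {False: 75, True: 100}  # keyed by "entity has a Critical risk"


def risk_score(warnings, criticals):
    """Score for an entity found in this many Warning and Critical risk queries.

    Assumptions (not stated on the page): the first risk also adds its
    points on top of the base score, and an entity with no risks scores 0.
    """
    if warnings < 0 or criticals < 0:
        raise ValueError("risk counts cannot be negative")
    if warnings == 0 and criticals == 0:
        return 0
    has_critical = criticals > 0
    base = BASE["critical"] if has_critical else BASE["warning"]
    raw = base + warnings * POINTS["warning"] + criticals * POINTS["critical"]
    return min(raw, CAP[has_critical])


def score_entities(risk_queries):
    """risk_queries: iterable of (risk_level, entities in that query's results).

    Returns {entity: score}, ordered from highest score to lowest.
    """
    counts = {}
    for level, entities in risk_queries:
        if level not in POINTS:
            continue  # a query without a Risk Level generates no Risks
        for entity in set(entities):  # one query counts once per entity
            counts.setdefault(entity, Counter())[level] += 1
    scores = {e: risk_score(c["warning"], c["critical"]) for e, c in counts.items()}
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample data: these query results are made up for illustration.
SAMPLE_QUERIES = [
    ("critical", ["alice@example.com", "svc-backup"]),
    ("warning", ["alice@example.com", "bob@example.com"]),
    ("warning", ["bob@example.com"]),
    (None, ["carol@example.com"]),  # saved query with Risk Level: None
]

if __name__ == "__main__":
    for entity, score in score_entities(SAMPLE_QUERIES).items():
        print(f"{score:3d}  {entity}")
```

Under these rules an entity with only Warning risks can never score above 75, so sorting by Risk Score always places entities with a Critical risk at or above every Warning-only entity.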
