Alert Rules

Conditional notifications for risk and anomaly detection

Veza's rules engine enables active monitoring of authorization changes within your environment. Rules and Alerts offer ways to establish security baselines based on any custom or built-in assessment query, and trigger notifications and integrations when changes occur. For example, you might use Veza rules to:

  • Identify new or removed accounts with superuser permissions on sensitive resources

  • Get notifications for storage buckets with incorrect configurations

  • Watch for changes to roles, IAM policies, or any other entity in the data catalog.

You can create rules from Access Search > Saved Queries or Remediation > Rules. The Access Intelligence > Alerts page shows all alerts for configured rules, along with individual events and entities changed.

Using Rules and Alerts

When a Rule is linked to a Query, Alerts will trigger when the query results meet the conditions established by the rule. The baseline query, thresholds, and notification settings for these alert events are set when creating the rule.

Possible rule and query combinations include:

  • when your environment includes one or more Azure AD groups with no users

  • when a new AWS IAM policy granting access to * resources is detected

  • when the number of federated Okta users with AWS DynamoDB access changes

  • when fewer than 2 principals have permissions for critical administrative tasks (in case one becomes unavailable)

You can use the actions menu to Create a Rule for any assessment query shown in a report, or for any saved query. You can create and manage rules from the Rules page.

To highlight these entities in Search, mark the query as a Risk (in addition to, or instead of, creating an alert rule).

Alert notifications can be pushed to a destination of choice (webhook, email, or external integration). To enable Webhooks and other destinations, see Orchestration Actions.

Alert firing logic: Veza's alert system prevents excessive notifications. Once an alert is triggered by a specific condition, such as the count of nodes in a result set exceeding 5, it will not re-trigger for the same condition until the metric falls back to or below 5 and subsequently rises above it again.

Creating a New Rule

To create a rule based on a saved query or built-in assessment, navigate to Access Search > Saved Queries.

  1. Pick the query to create a rule for. You can use filters and search to find any user-created or pre-built system query.

  2. Choose Create Alert Rule from the actions menu. The builder will pre-populate with the selected query.

  3. Set the rule conditions and optionally choose a destination from the list of configured webhooks, integrations, and email notifications.

  4. On the next screen, set the rule priority by assigning the severity level. Give the rule a name and description, and click Save.

To create a rule based on an existing assessment shown in a Report, open the actions dropdown menu and click Create a Rule. You can also create custom rules from the Remediation > Rules panel.

Assigning Rule Conditions

To set the conditions that trigger an alert, pick one of the available conditions. You can choose to notify based on the total count of results, or on an increase or decrease.

Several operators are available:

  • Conditional (triggered when the total number of results changes, increases, or decreases)

  • Change-based (triggered based on the number of entities changed at once)

The number you enter sets the threshold that triggers the alert. The condition can check for a percentage-based increase or decrease, or an exact count of occurrences.

Once saved and enabled, the rule will display as active on the Rules tab of the Rules & Alerts panel.

Delivering notifications with alert actions

To deliver the notification via a webhook, email, or Slack, you will first need to create the connection from Integrations > Orchestration Actions. When the rule triggers, a JSON payload will be delivered to the destination address, including:

  • The query and results that triggered the rule

  • The previous query results

  • The entities that changed between the two updates
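The following Python is an added illustration, not Veza's own code, and the payload it builds is not Veza's actual JSON schema. It models the three behaviours described above in one place: the hysteresis in the alert firing logic (a count threshold that latches and re-arms only after the metric falls back to or below the threshold), the count, percentage-change and change-based rule conditions, and the notification payload carrying the current results, the previous results and the entities that changed. The Rule fields, condition names, and the sample result snapshots are constructed for the example.

```python
import json
from dataclasses import dataclass

# Hypothetical rule model; field and condition names are constructed for this
# example and are not Veza's schema.
@dataclass
class Rule:
    name: str
    query: str
    condition: str        # "count_above", "percent_change", or "entities_changed"
    threshold: float
    severity: str = "medium"
    armed: bool = True    # False while a count_above alert is latched


def entity_diff(previous, current):
    """Entities added to and removed from the result set between two runs."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


def evaluate(rule, previous, current):
    """Evaluate one query run; return a notification payload or None.

    count_above implements the hysteresis described in the text: the rule fires
    when the count exceeds the threshold, then stays latched and will not fire
    again until the count falls back to or below the threshold and rises above
    it once more.
    """
    added, removed = entity_diff(previous, current)
    fire = False
    if rule.condition == "count_above":
        above = len(current) > rule.threshold
        if above and rule.armed:
            fire = True
            rule.armed = False          # latch: no repeat alert while still above
        elif not above:
            rule.armed = True           # re-arm once at or below the threshold
    elif rule.condition == "percent_change":
        if previous:                    # no baseline on the first run: nothing to compare
            delta = abs(len(current) - len(previous))
            fire = delta * 100 / len(previous) >= rule.threshold
    elif rule.condition == "entities_changed":
        fire = len(added) + len(removed) >= rule.threshold
    else:
        raise ValueError(f"unknown condition: {rule.condition}")

    if not fire:
        return None
    # Payload shape is illustrative; the text only says the delivered JSON
    # carries the query, current and previous results, and the entities changed.
    return {
        "rule": rule.name,
        "severity": rule.severity,
        "query": rule.query,
        "results": sorted(current),
        "previous_results": sorted(previous),
        "added": added,
        "removed": removed,
    }


def replay(rule, snapshots):
    """Run a rule over successive result snapshots; return one payload per firing."""
    fired, previous = [], []
    for current in snapshots:
        payload = evaluate(rule, previous, current)
        if payload is not None:
            fired.append(payload)
        previous = current
    return fired


def sample_snapshots():
    """Constructed result sets for a query such as 'accounts with superuser on prod DB'."""
    base = [f"user{i}@example.com" for i in range(1, 6)]
    return [
        base,                                                # 5: at threshold, no alert
        base + ["user6@example.com"],                        # 6: above 5, alert
        base + ["user6@example.com", "user7@example.com"],   # 7: still above, latched
        base,                                                # 5: back at threshold, re-arms
        base + ["user8@example.com"],                        # 6: above again, alert
    ]


if __name__ == "__main__":
    rule = Rule("superusers-prod", "superuser on prod DB", "count_above", 5, "high")
    for payload in replay(rule, sample_snapshots()):
        print(json.dumps(payload, indent=2))
```

Running the count_above rule over the five snapshots produces exactly two payloads: the third snapshot (7 results) is still above 5 but the rule is latched, and only after the count returns to 5 does the next rise to 6 fire again. The same replay with a percent_change threshold of 20 fires three times, and with an entities_changed threshold of 2 it fires twice, once for the initial population and once when two accounts are removed at the same time.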

Viewing Alerts

Veza notifications are always enabled for active rules. A notification icon with the number of any new alerts is shown on the Veza navigation menu, with more details available on the Access Intelligence > Alerts panel. The list can be sorted by date or severity.

  • Each row represents a Rule. You can filter and export the full list to CSV or PDF.

  • Click the "+" button next to the rule name to expand full rule details, including the trigger condition and description.

To see individual alert events for a rule, click View Alerts to list each time the rule has triggered. Click the "View Changes" icon in the actions column to view the entities that were added or removed.

You can also export the list of all Alerts using the actions menu for additional processing and off-platform review.
