Rules and Alerts

Conditional notifications for risk and anomaly detection

Overview

Veza's rules engine enables active monitoring of authorization changes within your environment. Rules and Alerts offer ways to establish security baselines based on any custom or built-in assessment query, and trigger notifications and orchestration actions when changes occur. For example, you might use Veza rules to:

  • Identify new or removed accounts with superuser permissions on sensitive resources

  • Get notifications for storage buckets with incorrect configurations

  • Watch for changes to roles, IAM policies, or any other entity Veza has discovered.

When a rule is configured for a saved query, actions will trigger when the query results meet the conditions established by the rule. The baseline query, thresholds, and notification settings for these alert events are set when creating the rule. You can create your own queries to define the rule scope, or choose from built-in assessment queries. Alert notifications can use a webhook, email, or an external integration.

Possible rule and query combinations include:

  • When your environment includes one or more Azure AD groups with no users

  • When a new AWS IAM policy granting access to * resources is detected

  • When the number of federated Okta users with AWS DynamoDB access changes

  • When there are fewer than 2 principals with permissions for critical administrative tasks (in case one becomes unavailable)

To highlight these entities in Search and show risk levels, mark the query as a Risk (in addition to, or instead of, creating an alert rule).

Use the actions dropdown menu to create or edit rules for any assessment in a report. You can create and manage rules when saving a query.

Alert firing logic: Veza's alert system prevents excessive notifications. Once an alert is triggered by a specific condition, such as the result count exceeding 5, it will not re-trigger for that condition until the count falls back to 5 or below and then exceeds 5 again. A consequence worth planning for: churn that keeps the count above the threshold (one privileged account replaced by another between runs) will not re-alert a "more than" rule, so pair it with a "changed by" condition or a Query Properties rule if you need to see every change.

Add a rule to a query

To create a rule for a saved query, go to Access Search > Saved Queries. You can also create a rule directly from the Query Builder or any dashboard.

To add a rule for a saved query:

  1. On the Saved Queries page, filter or search to find a built-in or user-created query. Click Manage Rules from the actions menu to edit rules for the query.

  2. Click Add a new rule to open the rule builder.

  3. Give the rule a name and description, and set the severity level.

    You can configure escalating levels of rules to trigger different actions based on the severity level: High, Medium, or Low.

  4. Configure rule conditions:

    Choose to trigger the rule based on the number of Query Results, or changes in Query Properties:

    • Query Results: Choose an operator (equals, less than, more than, changed by, changed by more than, increased by more than) and count to trigger the rule.

    • Query Properties: Choose an attribute that will trigger the rule if it changes.

  5. Configure rule actions (optional):

    Check the box to deliver the alert via the selected orchestration action: email, webhook, ServiceNow, or Jira. The alert will include details about the query result that triggered the rule for remediation purposes.

    If you have not configured a supported orchestration action, click Create Orchestration Action to open the builder in a new tab. To enable Webhooks and other destinations, see Orchestration Actions.

  6. Click Save to close the rule builder.

  7. On the Save Query flow, add additional rules as desired.

  8. Click Save Query to save your changes.

Once saved and enabled, the rule will appear active on the Rules tab of the Access Intelligence > Rules & Alerts page.

Delivering notifications with alert actions

To deliver the notification via a webhook, email, or Slack, you will first need to create the connection from Integrations > Orchestration Actions. When the rule triggers, a JSON payload will be delivered to the destination address, including:

  • The query and results that triggered the rule

  • The previous query results

  • The entities that changed between the two updates
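To make the rule conditions, the re-arm behaviour described under "Alert firing logic", and the contents of an alert concrete, here is an added example that models how a rule is evaluated against successive query runs. It is illustrative code written for this page, not Veza's rules engine or its payload format: the operator names, the `Rule`/`RuleState` classes, the alert dictionary keys, and the sample user sets are all assumptions. The page describes the re-arm behaviour only for threshold conditions; this model assumes that change-based operators (changed by, changed by more than, increased by more than) fire on every run where they hold, because each run compares against a fresh baseline.

```python
"""Added example: evaluating alert rules over successive query runs (not Veza code)."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Operator names are assumptions that mirror the rule builder's options.
THRESHOLD_OPS = {"equals", "less_than", "more_than"}
DELTA_OPS = {"changed_by", "changed_by_more_than", "increased_by_more_than"}


@dataclass
class Rule:
    name: str
    severity: str   # High, Medium or Low, as in the rule builder
    operator: str   # one of THRESHOLD_OPS or DELTA_OPS
    count: int      # the count the operator compares against


@dataclass
class RuleState:
    rule: Rule
    previous: Optional[frozenset] = None  # entity ids from the last run; None before the first run
    armed: bool = True                     # threshold rules fire only while armed (see evaluate)


def condition_met(op: str, current: int, previous: int, n: int) -> bool:
    """Apply one rule operator to the current count (and the previous count for delta operators)."""
    delta = current - previous
    checks = {
        "equals": current == n,
        "less_than": current < n,
        "more_than": current > n,
        "changed_by": abs(delta) == n,
        "changed_by_more_than": abs(delta) > n,
        "increased_by_more_than": delta > n,
    }
    if op not in checks:
        raise ValueError(f"unknown operator {op!r}")
    return checks[op]


def evaluate(state: RuleState, results: Iterable[str]) -> Optional[dict]:
    """Feed one query run (an iterable of entity ids) to the rule.

    Returns an alert dict when the rule fires, otherwise None. Threshold rules
    latch: after firing they stay silent until the condition clears and then
    holds again. Delta rules compare against the previous run only, so the
    first run just records a baseline (assumption, see lead-in).
    """
    rule = state.rule
    current = frozenset(results)
    first_run = state.previous is None
    prev = state.previous if state.previous is not None else frozenset()

    if rule.operator in DELTA_OPS and first_run:
        met = False
    else:
        met = condition_met(rule.operator, len(current), len(prev), rule.count)

    alert = None
    if met and (rule.operator in DELTA_OPS or state.armed):
        # The alert carries what the page says a notification includes: the
        # current and previous results and the entities that changed between them.
        alert = {
            "rule": rule.name,
            "severity": rule.severity,
            "condition": f"{rule.operator} {rule.count}",
            "result_count": len(current),
            "previous_count": len(prev),
            "added": sorted(current - prev),
            "removed": sorted(prev - current),
        }

    if rule.operator in THRESHOLD_OPS:
        state.armed = not met   # re-arm only once the condition no longer holds
    state.previous = current
    return alert


def sample_users(n: int) -> set:
    """Constructed sample data: n synthetic superuser account ids."""
    return {f"user{i}" for i in range(1, n + 1)}


def demo() -> list:
    """Run a 'more than 5' rule over five constructed query runs; returns the alerts per run."""
    rule = Rule("Superusers on sensitive buckets", "High", "more_than", 5)
    state = RuleState(rule)
    return [evaluate(state, sample_users(n)) for n in (3, 6, 7, 5, 8)]


if __name__ == "__main__":
    for i, alert in enumerate(demo(), start=1):
        print(f"run {i}: {'ALERT ' + str(alert) if alert else 'no alert'}")
```

In `demo()` the rule fires on the second run (6 > 5), stays silent on the third even though 7 > 5, re-arms when the count drops to 5, and fires again at 8 with the three newly added accounts listed under `added`; that is the de-duplication behaviour the page describes, and the `added`/`removed` lists are the diff a webhook consumer would want to act on.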

Supported targets for alerts are:

Viewing alerts

Veza notifications are always enabled for active rules. A notification icon with the number of any new alerts is shown on the Veza navigation menu, with more details available on the Access Intelligence > Rules and Alerts page. The list can be sorted by date or severity.

  • Each row on the Rules tab represents a Query with a rule attached, with the option to view query details, edit the rule, or delete the rule.

  • The Alert Details tab shows individual alert events for each time the rule has been triggered, including the trigger condition and description.
