Saved Queries

Use the Access Search > Saved Queries page to review and manage all queries within Veza. This includes both pre-built assessments and user-created queries composed using the Query Builder.

Veza ships with hundreds of pre-built security queries, organized by integration, category, and use case. Many of these out-of-the-box queries are featured in Veza's dashboards. You can customize reports and dashboards by cloning existing queries, editing them, or creating new queries.

This flexibility enables tailoring Veza insights to your specific security needs and environment. You can use saved queries to:

• Set risk levels for entities: Define Risks, marking entities in the query results with a risk score.

• Define access Review scopes: Choose a saved query when creating a Review Configuration to review the current query results, once or according to a schedule.

• Trigger Alerts, Email Notifications, and Orchestration Actions: Saved queries can trigger Alert Rules when the results or their attribute values meet certain conditions.

• Create shared reports for Veza users and teams: Create custom Reports and Dashboards.

• Identify NHI, critical resources, and privileged roles: Define Enrichment Rules to mark saved query results as privileged roles, human or non-human identities, or set the criticality level of resources that meet the query conditions.

• Export Results: Download or schedule result exports in CSV format, by email or to an integrated Snowflake database.

Managing saved queries

On the Saved Queries page, use the Actions button to the right of each query to choose from available actions, which include:

• Manage Rules: Define and edit Alert Rules for the query.

• View Alerts: Review alert details for the query.

• Schedule Export: Configure Schedule Export for the query.

• Set Risk Level: Define a Risk Level for the query.

• Clone: Create a copy of the query.

• Delete: Remove the query.

• Open in Query Builder: Edit the query.

Editing saved queries

Editing saved queries allows you to refine and customize your security assessments as your environment evolves, and ensure that your security insights remain relevant and accurate over time. You might edit a query to:

• Adjust filters to include or exclude specific entities

• Modify the query scope as new integrations are added

• Update risk levels or alert conditions

• Fine-tune the query for better performance or more targeted results

To edit a saved query:

1. Open the Access Intelligence > Saved Queries page and find a query you want to edit or act on.

2. Click on the query name to edit it in Query Builder.

3. Make any changes and click Save to finish saving the query.

Use the Query Builder Save menu to perform specific actions for the query:

• Quick Save: Quickly save any new filters without changing other settings.

• Save as New: Copy this query to modify it while preserving the original.

• View Details: Show configuration details and metadata for this saved query.

• Edit Configuration: Modify the basic settings of this query, such as name, description, and visibility.

• Edit Rules: Configure or modify alert rules associated with this query.

• Edit Reports: Add this query to reports or remove it from reports it's currently part of.

• Export to CSV: Download the current query results as a comma-separated values (CSV) file.

• Export to Snowflake: Send the query results to a connected Snowflake database.

• Schedule Export: Set up an automated, recurring export of this query's results.

• Copy Query Spec API: Copy the API specification for this query for use with the Veza Query Builder API.

• View Query Spec API: Display the API specification for this query for reference or debugging.

Viewing saved query results

Veza offers different ways to view and analyze saved query results, each suited to different use cases.

We recommend starting with the Query Details view for a quick, accessible overview of your results. From there, you can dive deeper into other views as needed for more detailed analysis.

You can access each view using the Actions menu on the Saved Queries page:

• Query Details: A simplified view of your query results, ideal for:

  • Quick overviews of key findings

  • Reviewing trends and changes over time

  • Accessing associated risks, rules, and reports

• Query Builder: A comprehensive, tabular view of results and query editor. Use this when you need to:

  • Perform detailed analysis of all entity attributes

  • Apply additional filters or modify the query

  • Export granular data for further processing

• Graph: A visual representation of entities and their relationships. This view is best for:

  • Understanding complex access paths

  • Identifying indirect or unexpected connections

  • Exporting a clear picture of your security posture for stakeholders

• Trend Chart: Shows changes in query results over time. Use this to:

  • Track the effectiveness of security measures

  • Identify patterns or anomalies in access behaviors

  • Generate visual reports for compliance and auditing purposes

Assign Risk Levels to Saved Queries

Assigning risk levels to saved queries can help prioritize security efforts and enhance visibility into your organization's risk landscape. By doing so, you:

• Highlight critical security issues that require immediate attention

• Provide context for decision-making during access reviews

• Enable risk-based reporting and tracking of security improvements over time

• Facilitate communication about security priorities across teams and to leadership

• Automate risk-based alerting and response workflows

This risk-based approach allows you to focus resources on the most significant threats to your organization's security posture, making your security operations more efficient and effective.

To enable risks for a query:

1. Find the query on the Access Visibility > Saved Queries page.

2. Expand the Actions dropdown menu and click Set Risk Level.

3. Use the dropdown menu to set the risk level to None, Low, Medium, High, or Critical.

4. Click Save.

After defining a risk using a saved query, entities in the results will be assigned a "Low", "Medium", "High", or "Critical" risk score. The Risk Score varies depending on how many queries with risks an entity is in the results of.

Defining custom risks using saved queries can help reviewers make decisions during access reviews, track risk burndown, and provide visibility into your most critical identities, access controls, services, and resources.

Assign Rules to Saved Queries

Adding rules to saved queries enables automated monitoring and response to changes in your security posture. By creating rules, you can:

• Get notifications when critical access patterns change

• Automate the creation of access reviews for specific conditions

• Trigger remediation workflows when potential risks are detected

• Maintain continuous compliance with internal policies and external regulations

Rules transform static queries into dynamic security controls, helping you proactively manage access risks.

To assign rules to a saved query:

1. Choose Manage Rules from the actions dropdown menu.

2. Use the Rule Builder to define the alert details, conditions, and actions. See Orchestration Actions for more information about configuring emails, integrations, and webhooks as targets.

   1. Click Add New Rule.

   2. Details: Give the rule a name, description, and severity level for categorizing the rule.

   3. Conditions: Trigger the alert based on changes in the query results, or when results have specific properties (often referred to as attributes).

   4. Action | Send Alert: Create alerts shown on the Access Intelligence > Rules & Alerts page, and optionally them using Orchestration Actions.

   5. Action | Create Review: Start a new Review from an existing review Configuration.