How to Set Up Alerts and Evidence Queries
Prerequisites
Access to the Query Library section
At least one integration connected and syncing
For Evidence Queries: knowledge of your compliance framework's control identifiers
Evidence Queries
Navigation: Sidebar > Query Library > Evidences Tab
Evidence queries are saved queries designed to collect compliance evidence mapped to specific controls.
Creating an Evidence Query
Click Query Library in the sidebar.
Switch to the Evidences tab.
Click Create Evidence Query.
Configure the query:
Name — descriptive name (e.g., "MFA Enrollment Evidence - Control AC-2")
Query — the data query that collects relevant evidence
Control Identifier — the compliance control this evidence supports (e.g., "AC-2", "A.9.1.1")
Type — Control (mapped to a framework control) or Custom
Click Save to create the evidence query.
Executing an Evidence Query
On the Evidences tab, find the query you want to run.
Click Execute to run the query.
The system queries your connected integrations and collects the evidence.
Review the results in the live preview panel.
Collected evidence can be used for audit preparation and compliance reporting.
> Tip: Set up evidence queries for each of your key compliance controls. Running them regularly provides automated, audit-ready evidence without manual collection.
Managing Evidence Queries
Edit — modify the query definition or control mapping
Delete — remove queries no longer needed
Filter — filter by evidence type (Control vs Custom)
Scheduled Alerts
Navigation: Sidebar > Query Library > Alerts Tab
Alerts are query-based monitors that run on a schedule and notify you when specific security conditions are detected.
Creating an Alert
Click Query Library in the sidebar.
Switch to the Alerts tab.
Click Create Alert.
Configure the alert:
Name — descriptive name (e.g., "New Critical Vulnerabilities Alert")
Query — the data query that defines what to monitor
Alert Interval — how often to check (in days)
Click Save to create and activate the alert.
How Alerts Work
Alerts run automatically at the configured interval.
When the query returns results matching your criteria, a notification is generated.
You can see the last execution time and next execution time for each alert.
Manually Triggering an Alert
On the Alerts tab, find the alert you want to test.
Click Trigger to run the alert immediately (outside its schedule).
Review the results.
Managing Alerts
Edit — modify the query, interval, or name
Delete — remove alerts no longer needed
View execution history — see last/next execution timestamps
Use Cases
| Use Case | Feature | Example |
|---|---|---|
| Audit evidence collection | Evidence Query | "Collect all MFA enrollment records for SOC 2 AC-2" |
| Vulnerability monitoring | Alert | "Alert me when new critical CVEs affect my endpoints" |
| Configuration drift detection | Alert | "Alert me when firewall rules change" |
| Compliance posture tracking | Evidence Query | "Collect encryption status for all databases" |
| Access anomaly detection | Alert | "Alert me when privileged access spikes above normal" |
Troubleshooting
| Issue | Solution |
|---|---|
| Evidence query returns no results | Verify the source integration is active and contains relevant data. Check the query syntax. |
| Alert not triggering | Verify the alert interval is set correctly. Check that the underlying data source is syncing. |
| Cannot create evidence queries | Verify your role has Evidence and GRC permissions. |
| Cannot create alerts | Verify your role has Alert Create permission. |
| Manual trigger not working | Ensure the query is valid and the data source is accessible. |