Details
Content
Dependencies
Version History

Reco is an identity-first SaaS security solution that empowers organizations with full visibility into every app, identity, and their actions to seamlessly prioritize and control risks in the SaaS ecosystem

Reco

Reco is an identity-first SaaS security solution.
It empowers organizations with full visibility into every app, identity, and their actions to seamlessly prioritize and control risks in the SaaS ecosystem. Their AI-based graph technology connects in minutes and provides immediate value to security teams to continuously discover all SaaS applications including sanctioned and unsanctioned apps, associated identities from both humans and machines, their permission level, and actions. Reco uses advanced analytics around persona, actions, interactions and relationships to other users, and then alerts on exposure from misconfigurations, over-permission users, compromised accounts, and risky user behavior. This comprehensive picture is generated continuously using the Reco Identities Interaction Graph and empowers security teams to take swift action to effectively prioritize their most critical points of risk.
Reco helps organizations secure the identities and data of core SaaS applications including Salesforce, Microsoft 365 (including SharePoint, Teams, and OneDrive), Google Workspace, Workday, ServiceNow, Slack, Zoom, Okta, Monday.com, NetApp, Wiz, GitLab, Confluence, and Box.
The Reco and Palo Alto Networks Cortex XSOAR integration empower organizations to automate SaaS threat detection and remediation workflows for enhanced protection. Reco integrates with over 985 Cortex XSOAR content packs, the market’s leading SOAR platform.

What does this pack do?

• Assess over 100 configuration rules unified across SaaS applications.
• Access Reco data risk alerts
• Trigger automatic remediation flows to discover SaaS misconfigurations
• Seamlessly integrate alerts into Cortex XSOAR's incident management system
• Leverage prebuilt playbooks within Cortex XSOAR to automate the entire process of identifying and remediating SaaS misconfigurations and data exposure risks

Benefits to organizations:

• Gain better visibility into potential SaaS misconfigurations and take proactive measures to mitigate them
• Streamline threat detection, automate remediation workflows, and fortify your organization's security posture.
• Investigate and respond to critical alerts promptly and effectively
• Reduce manual effort, accelerating incident response, and improving overall security posture
• Enforce user-data centric security policies and embrace new SaaS applications at a faster rate
• Adhere to compliance requirements

Integrations

Supported commands to query Reco platform:
update-reco-incident-timeline - Update Reco incident timeline
resolve-visibility-event - Resolve Reco visibility event
reco-get-risky-users - Get risky users
reco-add-risky-user-label - Add risky user
reco-get-assets-user-has-access-to - Get assets user has access to (optional to get only sensitive assets)
reco-add-leaving-org-user-label - Add leaving org user label in Reco
reco-get-sensitive-assets-by-name - Get sensitive assets by name (optional to search by regex)
reco-get-sensitive-assets-by-id - Get sensitive assets by file id
reco-get-files-shared-with-3rd-parties - Get 3rd parties list with access to files
reco-get-3rd-parties-accessible-to-data-list - Get files shared with 3rd parties
reco-get-sensitive-assets-with-public-link - Get sensitive assets publicly exposed
reco-get-user-context-by-email-address - Get user context by email address

For more information on Reco, please visit www.reco.ai

Reco

Reco is an identity-first SaaS security solution.
It empowers organizations with full visibility into every app, identity, and their actions to seamlessly prioritize and control risks in the SaaS ecosystem. Their AI-based graph technology connects in minutes and provides immediate value to security teams to continuously discover all SaaS applications including sanctioned and unsanctioned apps, associated identities from both humans and machines, their permission level, and actions. Reco uses advanced analytics around persona, actions, interactions and relationships to other users, and then alerts on exposure from misconfigurations, over-permission users, compromised accounts, and risky user behavior. This comprehensive picture is generated continuously using the Reco Identities Interaction Graph and empowers security teams to take swift action to effectively prioritize their most critical points of risk.
Reco helps organizations secure the identities and data of core SaaS applications including Salesforce, Microsoft 365 (including SharePoint, Teams, and OneDrive), Google Workspace, Workday, ServiceNow, Slack, Zoom, Okta, Monday.com, NetApp, Wiz, GitLab, Confluence, and Box.
The Reco and Palo Alto Networks Cortex XSIAM integration empower organizations to automate SaaS threat detection and remediation workflows for enhanced protection. Reco integrates with over 985 Cortex XSIAM content packs, the market’s leading SOAR platform.

What does this pack do?

• Assess over 100 configuration rules unified across SaaS applications.
• Access Reco data risk alerts
• Trigger automatic remediation flows to discover SaaS misconfigurations
• Seamlessly integrate alerts into Cortex XSIAM's incident management system
• Leverage prebuilt playbooks within Cortex XSIAM to automate the entire process of identifying and remediating SaaS misconfigurations and data exposure risks

Benefits to organizations:

Integrations

Supported commands to query Reco platform:
update-reco-incident-timeline - Update Reco incident timeline
resolve-visibility-event - Resolve Reco visibility event
reco-get-risky-users - Get risky users
reco-add-risky-user-label - Add risky user
reco-get-assets-user-has-access-to - Get assets user has access to (optional to get only sensitive assets)
reco-add-leaving-org-user-label - Add leaving org user label in Reco
reco-get-sensitive-assets-by-name - Get sensitive assets by name (optional to search by regex)
reco-get-sensitive-assets-by-id - Get sensitive assets by file id
reco-get-files-shared-with-3rd-parties - Get 3rd parties list with access to files
reco-get-3rd-parties-accessible-to-data-list - Get files shared with 3rd parties
reco-get-sensitive-assets-with-public-link - Get sensitive assets publicly exposed
reco-get-user-context-by-email-address - Get user context by email address

For more information on Reco, please visit www.reco.ai

Incident Types

Name	Description
SaaS Data Leakage

Integrations

Name	Description
Reco (Partner Contribution)	Reco is a Saas data security solution that protects your data from accidental leaks and malicious attacks.

Layouts

Name	Description
Reco Finding

Playbooks

Name	Description
Reco - Reduce Risk - Google Publicly Exposed Files	The "Reco - Reduce Risk - Google Publicly Exposed Files" playbook aims to identify and mitigate the risk associated with publicly exposed sensitive files on Google Drive. It follows a sequence of tasks to detect such files, analyze their locations, and remove the "anyone with link" permission to enhance data security.
Reco Google Drive Automation	Automate Google Drive alert remediation with our solution that revokes over-access permissions and shares file details and links with end-users via Slack. Reco workflow seamlessly integrates with Palo Alto Networks' Demisto platform to resolve the alert and streamline your organization's security operations. By automating remediation, you can ensure that sensitive data is protected and that end-users are promptly notified of any changes to their file access. With our solution, you can close alerts in Demisto and improve your organization's security posture with minimal effort.
Reco-Google-Drive-Revoke-Permissions	This workflow enables you to easily list the permissions of files stored in Google Drive, giving you visibility into who has access to your organization's data. If a file's permission is publicly exposed, the workflow restricts access to the file to prevent unauthorized use. Similarly, if a file's permission is set to accessible by all org users and shared with internal users, access to the file is restricted to authorized users only. Using the Google Drive API and built-in conditional logic, this workflow helps you secure sensitive data and streamline your organization's data management.
Reco Build String Message	Build a string message from list of files (file name, link)

Incident Types

Name	Description
SaaS Data Leakage

Integrations

Name	Description
Reco (Partner Contribution)	Reco is a Saas data security solution that protects your data from accidental leaks and malicious attacks.

Playbooks

Name	Description
Reco Google Drive Automation	Automate Google Drive alert remediation with our solution that revokes over-access permissions and shares file details and links with end-users via Slack. Reco workflow seamlessly integrates with Palo Alto Networks' Demisto platform to resolve the alert and streamline your organization's security operations. By automating remediation, you can ensure that sensitive data is protected and that end-users are promptly notified of any changes to their file access. With our solution, you can close alerts in Demisto and improve your organization's security posture with minimal effort.
Reco - Reduce Risk - Google Publicly Exposed Files	The "Reco - Reduce Risk - Google Publicly Exposed Files" playbook aims to identify and mitigate the risk associated with publicly exposed sensitive files on Google Drive. It follows a sequence of tasks to detect such files, analyze their locations, and remove the "anyone with link" permission to enhance data security.
Reco Build String Message	Build a string message from list of files (file name, link)
Reco-Google-Drive-Revoke-Permissions	This workflow enables you to easily list the permissions of files stored in Google Drive, giving you visibility into who has access to your organization's data. If a file's permission is publicly exposed, the workflow restricts access to the file to prevent unauthorized use. Similarly, if a file's permission is set to accessible by all org users and shared with internal users, access to the file is restricted to authorized users only. Using the Google Drive API and built-in conditional logic, this workflow helps you secure sensitive data and streamline your organization's data management.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Google Drive	By: Cortex XSOAR
Slack	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Google Drive	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Slack	By: Cortex XSOAR

1.2.1 - 934602 (April 4, 2024)

Integrations

Reco

Updated the validate api key to use the new Reco API key validation endpoint.

Related pull requests:
- 33659
- 33744

Download

1.2.0 - R762016 (January 14, 2024)

Integrations

Reco

Added the reco-get-user-context-by-email-address command to get user context by email address.
Updated the Docker image to: demisto/python3:3.10.13.80593.

Related pull requests:
- 30963
- 30720

Download

1.1.7 - 6693172 (October 24, 2023)

Integrations

Reco

Updated the Docker image to: demisto/python3:3.10.13.78960.
Updated the URL endpoint to the new alerts endpoint in commands:
- reco-change-alert-status
- fetch_incidents

Related pull requests:
- 30356
- 30204

Download

1.1.6 - 6122748 (August 22, 2023)

Integrations

Reco

Updated the Docker image to: demisto/python3:3.10.12.68714.
Breaking Changes: file_id was replaced with asset_id.

Related pull requests:
- 29124
- 29086

Download

1.1.5 - 5980752 (August 7, 2023)

Integrations

Reco

Added the reco-change-alert-status command - change alert status.
Updated the Docker image to: demisto/python3:3.10.12.67728.

Related pull requests:
- 28798
- 28719

Download

1.1.4 - 5866730 (July 25, 2023)

Integrations

Reco

Add reco-add-exclusion-filter command - add exclusion filter to the exclusion list.
Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28477
- 28436

Download

1.1.3 - R5801668 (July 18, 2023)

Integrations

Reco

Change validate api key endpoint
Fixed the fetch incidents to use try except for safety.
Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27731
- 27767

Download

1.1.2 - 5465590 (June 7, 2023)

Integrations

Reco

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27266

Download

1.1.1 - 5356324 (May 24, 2023)

Integrations

Reco

Added the following commands:
- reco-get-sensitive-assets-with-public-link
- reco-get-3rd-parties-accessible-to-data-list
- reco-get-files-shared-with-3rd-parties
Updated the Docker image to: demisto/python3:3.10.11.59581.

Playbooks

New: Reco - Reduce Risk - Google Publicly Exposed Files

Playbook to remove public access from Google Drive files

Related pull requests:
- 26703

Download

1.1.0 - 5262746 (May 14, 2023)

Integrations

Reco

Get new type of alerts
Get magic link to Reco portal
Updated the Docker image to: demisto/python3:3.10.11.58677.

Related pull requests:
- 26469
- 26342

Download

1.0.4 - R5170573 (May 2, 2023)

Integrations

Reco

Updated the Docker image to: demisto/python3:3.10.11.55362.
Added the reco-get-sensitive-assets-by-id command.

Related pull requests:
- 26106
- 26059

Download

PUBLISHER

Reco

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	February 14, 2023
Last Release	April 4, 2024

Asset Management

Identity And Access Management

Breach Notification

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.