Details
Content
Dependencies
Version History

Reco is the leader in Dynamic SaaS Security — the only approach that eliminates the SaaS Security Gap (the growing gap between what you can protect and what’s outpacing your security).

Reco

Reco is the leader in Dynamic SaaS Security — eliminating the SaaS Security Gap driven by app proliferation, AI infiltration, constant configuration changes, identity sprawl, and hidden threats.

The Reco and Palo Alto Networks Cortex XSOAR integration automates SaaS threat detection and remediation workflows, integrating with 985+ Cortex XSOAR content packs.

What does this pack do?

Assess 400+ configuration rules across your SaaS landscape
Access data risk alerts and AI-powered summaries
Trigger automatic remediation for misconfigurations
Tag risky employees and leverage prebuilt playbooks

Benefits

Gain visibility into SaaS misconfigurations
Streamline detection and automate remediation
Respond faster to critical alerts
Reduce manual effort while meeting compliance requirements

Key Commands

reco-add-comment-to-alert
reco-update-incident-timeline
resolve-visibility-event
reco-get-risky-users
reco-add-risky-user-label
reco-get-assets-user-has-access-to
reco-add-leaving-org-user-label
reco-get-sensitive-assets-by-name
reco-get-sensitive-assets-by-id
reco-get-files-shared-with-3rd-parties
reco-get-3rd-parties-accessible-to-data-list
reco-get-sensitive-assets-with-public-link
reco-get-user-context-by-email-address
reco-get-private-email-list-with-access
reco-get-alert-ai-summary

For more information: www.reco.ai

Reco Overview

Reco

Reco is the leader in Dynamic SaaS Security — eliminating the SaaS Security Gap driven by app proliferation, AI infiltration, constant configuration changes, identity sprawl, and hidden threats.

The Reco and Palo Alto Networks Cortex integration automates SaaS threat detection and remediation workflows, integrating with 985+ Cortex content packs.

What does this pack do?

Assess 400+ configuration rules across your SaaS landscape
Access data risk alerts and AI-powered summaries
Trigger automatic remediation for misconfigurations
Tag risky employees and leverage prebuilt playbooks

Benefits

Gain visibility into SaaS misconfigurations
Streamline detection and automate remediation
Respond faster to critical alerts
Reduce manual effort while meeting compliance requirements

Key Commands

reco-add-comment-to-alert
reco-update-incident-timeline
resolve-visibility-event
reco-get-risky-users
reco-add-risky-user-label
reco-get-assets-user-has-access-to
reco-add-leaving-org-user-label
reco-get-sensitive-assets-by-name
reco-get-sensitive-assets-by-id
reco-get-files-shared-with-3rd-parties
reco-get-3rd-parties-accessible-to-data-list
reco-get-sensitive-assets-with-public-link
reco-get-user-context-by-email-address
reco-get-private-email-list-with-access
reco-get-alert-ai-summary

For more information: www.reco.ai

Reco Overview

Classifiers

Name	Description
Reco Incident Mapper

Incident Types

Name	Description
SaaS Data Leakage

Integrations

Name	Description
Reco (Partner Contribution)	Reco is a Saas data security solution that protects your data from accidental leaks and malicious attacks.

Layouts

Name	Description
Reco Finding

Playbooks

Name	Description
Reco Build String Message	Build a string message from list of files (file name, link)
Reco-Google-Drive-Revoke-Permissions	This workflow enables you to easily list the permissions of files stored in Google Drive, giving you visibility into who has access to your organization's data. If a file's permission is publicly exposed, the workflow restricts access to the file to prevent unauthorized use. Similarly, if a file's permission is set to accessible by all org users and shared with internal users, access to the file is restricted to authorized users only. Using the Google Drive API and built-in conditional logic, this workflow helps you secure sensitive data and streamline your organization's data management.
Reco Google Drive Automation	Automate Google Drive alert remediation with our solution that revokes over-access permissions and shares file details and links with end-users via Slack. Reco workflow seamlessly integrates with Palo Alto Networks' Demisto platform to resolve the alert and streamline your organization's security operations. By automating remediation, you can ensure that sensitive data is protected and that end-users are promptly notified of any changes to their file access. With our solution, you can close alerts in Demisto and improve your organization's security posture with minimal effort.
Reco - Reduce Risk - Google Publicly Exposed Files	The "Reco - Reduce Risk - Google Publicly Exposed Files" playbook aims to identify and mitigate the risk associated with publicly exposed sensitive files on Google Drive. It follows a sequence of tasks to detect such files, analyze their locations, and remove the "anyone with link" permission to enhance data security.

Classifiers

Name	Description
Reco Incident Mapper

Incident Types

Name	Description
SaaS Data Leakage

Integrations

Name	Description
Reco (Partner Contribution)	Reco is a Saas data security solution that protects your data from accidental leaks and malicious attacks.

Playbooks

Name	Description
Reco - Reduce Risk - Google Publicly Exposed Files	The "Reco - Reduce Risk - Google Publicly Exposed Files" playbook aims to identify and mitigate the risk associated with publicly exposed sensitive files on Google Drive. It follows a sequence of tasks to detect such files, analyze their locations, and remove the "anyone with link" permission to enhance data security.
Reco Google Drive Automation	Automate Google Drive alert remediation with our solution that revokes over-access permissions and shares file details and links with end-users via Slack. Reco workflow seamlessly integrates with Palo Alto Networks' Demisto platform to resolve the alert and streamline your organization's security operations. By automating remediation, you can ensure that sensitive data is protected and that end-users are promptly notified of any changes to their file access. With our solution, you can close alerts in Demisto and improve your organization's security posture with minimal effort.
Reco Build String Message	Build a string message from list of files (file name, link)
Reco-Google-Drive-Revoke-Permissions	This workflow enables you to easily list the permissions of files stored in Google Drive, giving you visibility into who has access to your organization's data. If a file's permission is publicly exposed, the workflow restricts access to the file to prevent unauthorized use. Similarly, if a file's permission is set to accessible by all org users and shared with internal users, access to the file is restricted to authorized users only. Using the Google Drive API and built-in conditional logic, this workflow helps you secure sensitive data and streamline your organization's data management.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Google Drive	By: Cortex XSOAR
Slack	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Slack	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Google Drive	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.7.5 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

1.7.4 - 7685745 (March 15, 2026)

Integrations

Reco

Fixed an issue where posture check alerts were incorrectly ingested as incidents. The integration now queries the same filtered alerts view used by the Reco UI, which excludes posture policy alerts.
Updated the Docker image to: demisto/python3:3.12.13.7444307.

Related pull requests:
- 43536
- 43395

Download

1.7.3 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.7.2 - 5591931 (October 27, 2025)

Integrations

Reco

Updated incident processing to only handle alerts, removing the dual incidents + alerts fetching logic.
Cleaned up unused constants and test methods related to incident asset management.
Fixed timeline update functionality to use the correct API endpoint (/share-service/share-comment instead of /incident-timeline).

Related pull requests:
- 41484
- 41649

Download

1.7.1 - R5469292 (October 20, 2025)

Integrations

Reco

Removing get_incident unused methods and constants.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40844
- 40778

Download

1.7.0 - R3999233 (June 29, 2025)

Integrations

Reco

Added the reco-get-apps command to retrieve app discovery data from Reco with full pagination support.
Added the reco-set-app-authorization-status command to set app status.
Enhanced app discovery functionality to fetch all available applications across multiple pages.
Added date filtering capabilities (before/after) for app discovery queries.
Updated pack keywords to include "app discovery" and "application security".

Related pull requests:
- 40266
- 40369

Download

1.6.1 - R3980324 (June 26, 2025)

Integrations

Reco

Added support for the 'Preference Center' feature for selected commands.

Related pull requests:
- 40192

Download

1.6.0 - 3720941 (June 10, 2025)

Integrations

Reco

Updated the fetch last run logic.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40182
- 40217

Download

1.5.6 - R3414854 (May 15, 2025)

Integrations

Reco

Added the reco-get-alert-ai-summary command.
Updated description.
Update the docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39262
- 39564

Download

1.5.5 - R2989425 (March 26, 2025)

Integrations

Reco

Metadata and documentation improvements.

Related pull requests:
- 39564
- 39416
- 39262
- 39408

Download

1.7.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

1.7.4 - 7685745 (March 15, 2026)

Integrations

Reco

Fixed an issue where posture check alerts were incorrectly ingested as incidents. The integration now queries the same filtered alerts view used by the Reco UI, which excludes posture policy alerts.
Updated the Docker image to: demisto/python3:3.12.13.7444307.

Related pull requests:
- 43536
- 43395

Download

1.7.3 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.7.2 - 5591931 (October 27, 2025)

Integrations

Reco

Updated incident processing to only handle alerts, removing the dual incidents + alerts fetching logic.
Cleaned up unused constants and test methods related to incident asset management.
Fixed timeline update functionality to use the correct API endpoint (/share-service/share-comment instead of /incident-timeline).

Related pull requests:
- 41484
- 41649

Download

1.7.1 - R5469292 (October 20, 2025)

Integrations

Reco

Removing get_incident unused methods and constants.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40844
- 40778

Download

1.7.0 - R3999233 (June 29, 2025)

Integrations

Reco

Added the reco-get-apps command to retrieve app discovery data from Reco with full pagination support.
Added the reco-set-app-authorization-status command to set app status.
Enhanced app discovery functionality to fetch all available applications across multiple pages.
Added date filtering capabilities (before/after) for app discovery queries.
Updated pack keywords to include "app discovery" and "application security".

Related pull requests:
- 40266
- 40369

Download

1.6.1 - R3980324 (June 26, 2025)

Integrations

Reco

Added support for the 'Preference Center' feature for selected commands.

Related pull requests:
- 40192

Download

1.6.0 - 3720941 (June 10, 2025)

Integrations

Reco

Updated the fetch last run logic.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40182
- 40217

Download

1.5.6 - R3414854 (May 15, 2025)

Integrations

Reco

Added the reco-get-alert-ai-summary command.
Updated description.
Update the docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39262
- 39564

Download

1.5.5 - R2989425 (March 26, 2025)

Integrations

Reco

Metadata and documentation improvements.

Related pull requests:
- 39564
- 39416
- 39262
- 39408

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	February 14, 2023
Last Release	March 22, 2026

Asset Management

Identity And Access Management

Breach Notification

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.