Details
Content
Dependencies
Version History

Reco is the leader in Dynamic SaaS Security — the only approach that eliminates the SaaS Security Gap (the growing gap between what you can protect and what’s outpacing your security).

Reco

Reco is the leader in Dynamic SaaS Security — eliminating the SaaS Security Gap driven by app proliferation, AI infiltration, constant configuration changes, identity sprawl, and hidden threats.

The Reco and Palo Alto Networks Cortex XSOAR integration automates SaaS threat detection and remediation workflows, integrating with 985+ Cortex XSOAR content packs.

What does this pack do?

Assess 400+ configuration rules across your SaaS landscape
Access data risk alerts and AI-powered summaries
Trigger automatic remediation for misconfigurations
Tag risky employees and leverage prebuilt playbooks

Benefits

Gain visibility into SaaS misconfigurations
Streamline detection and automate remediation
Respond faster to critical alerts
Reduce manual effort while meeting compliance requirements

Key Commands

update-reco-incident-timeline
resolve-visibility-event
reco-get-risky-users
reco-add-risky-user-label
reco-get-assets-user-has-access-to
reco-add-leaving-org-user-label
reco-get-sensitive-assets-by-name
reco-get-sensitive-assets-by-id
reco-get-files-shared-with-3rd-parties
reco-get-3rd-parties-accessible-to-data-list
reco-get-sensitive-assets-with-public-link
reco-get-user-context-by-email-address
reco-get-private-email-list-with-access
reco-get-alert-ai-summary

For more information: www.reco.ai

Reco Overview

Reco

Reco is the leader in Dynamic SaaS Security — eliminating the SaaS Security Gap driven by app proliferation, AI infiltration, constant configuration changes, identity sprawl, and hidden threats.

The Reco and Palo Alto Networks Cortex integration automates SaaS threat detection and remediation workflows, integrating with 985+ Cortex content packs.

What does this pack do?

Assess 400+ configuration rules across your SaaS landscape
Access data risk alerts and AI-powered summaries
Trigger automatic remediation for misconfigurations
Tag risky employees and leverage prebuilt playbooks

Benefits

Gain visibility into SaaS misconfigurations
Streamline detection and automate remediation
Respond faster to critical alerts
Reduce manual effort while meeting compliance requirements

Key Commands

update-reco-incident-timeline
resolve-visibility-event
reco-get-risky-users
reco-add-risky-user-label
reco-get-assets-user-has-access-to
reco-add-leaving-org-user-label
reco-get-sensitive-assets-by-name
reco-get-sensitive-assets-by-id
reco-get-files-shared-with-3rd-parties
reco-get-3rd-parties-accessible-to-data-list
reco-get-sensitive-assets-with-public-link
reco-get-user-context-by-email-address
reco-get-private-email-list-with-access
reco-get-alert-ai-summary

For more information: www.reco.ai

Reco Overview

Classifiers

Name	Description
Reco Incident Mapper

Incident Types

Name	Description
SaaS Data Leakage

Integrations

Name	Description
Reco (Partner Contribution)	Reco is a Saas data security solution that protects your data from accidental leaks and malicious attacks.

Layouts

Name	Description
Reco Finding

Playbooks

Name	Description
Reco-Google-Drive-Revoke-Permissions	This workflow enables you to easily list the permissions of files stored in Google Drive, giving you visibility into who has access to your organization's data. If a file's permission is publicly exposed, the workflow restricts access to the file to prevent unauthorized use. Similarly, if a file's permission is set to accessible by all org users and shared with internal users, access to the file is restricted to authorized users only. Using the Google Drive API and built-in conditional logic, this workflow helps you secure sensitive data and streamline your organization's data management.
Reco - Reduce Risk - Google Publicly Exposed Files	The "Reco - Reduce Risk - Google Publicly Exposed Files" playbook aims to identify and mitigate the risk associated with publicly exposed sensitive files on Google Drive. It follows a sequence of tasks to detect such files, analyze their locations, and remove the "anyone with link" permission to enhance data security.
Reco Google Drive Automation	Automate Google Drive alert remediation with our solution that revokes over-access permissions and shares file details and links with end-users via Slack. Reco workflow seamlessly integrates with Palo Alto Networks' Demisto platform to resolve the alert and streamline your organization's security operations. By automating remediation, you can ensure that sensitive data is protected and that end-users are promptly notified of any changes to their file access. With our solution, you can close alerts in Demisto and improve your organization's security posture with minimal effort.
Reco Build String Message	Build a string message from list of files (file name, link)

Classifiers

Name	Description
Reco Incident Mapper

Incident Types

Name	Description
SaaS Data Leakage

Integrations

Name	Description
Reco (Partner Contribution)	Reco is a Saas data security solution that protects your data from accidental leaks and malicious attacks.

Playbooks

Name	Description
Reco-Google-Drive-Revoke-Permissions	This workflow enables you to easily list the permissions of files stored in Google Drive, giving you visibility into who has access to your organization's data. If a file's permission is publicly exposed, the workflow restricts access to the file to prevent unauthorized use. Similarly, if a file's permission is set to accessible by all org users and shared with internal users, access to the file is restricted to authorized users only. Using the Google Drive API and built-in conditional logic, this workflow helps you secure sensitive data and streamline your organization's data management.
Reco - Reduce Risk - Google Publicly Exposed Files	The "Reco - Reduce Risk - Google Publicly Exposed Files" playbook aims to identify and mitigate the risk associated with publicly exposed sensitive files on Google Drive. It follows a sequence of tasks to detect such files, analyze their locations, and remove the "anyone with link" permission to enhance data security.
Reco Build String Message	Build a string message from list of files (file name, link)
Reco Google Drive Automation	Automate Google Drive alert remediation with our solution that revokes over-access permissions and shares file details and links with end-users via Slack. Reco workflow seamlessly integrates with Palo Alto Networks' Demisto platform to resolve the alert and streamline your organization's security operations. By automating remediation, you can ensure that sensitive data is protected and that end-users are promptly notified of any changes to their file access. With our solution, you can close alerts in Demisto and improve your organization's security posture with minimal effort.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Google Drive	By: Cortex XSOAR
Slack	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Google Drive	By: Cortex XSOAR
Slack	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

1.5.6 - 3133732 (April 14, 2025)

Integrations

Reco

Added the reco-get-alert-ai-summary command.
Updated description.
Update the docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39262
- 39564

Download

1.5.5 - R2989425 (March 26, 2025)

Integrations

Reco

Metadata and documentation improvements.

Related pull requests:
- 39564
- 39416
- 39262
- 39408

Download

1.5.4 - 1989294 (January 14, 2025)

Integrations

Reco

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.11.1940698.

Related pull requests:
- 38077

Download

1.5.3 - R1977897 (January 13, 2025)

Integrations

Reco

Change timeout to 180 seconds for all commands.
Change EP for asset management to query. This EP performs a query on the assets and returns the results faster than the previous EP.

Related pull requests:
- 37583
- 37550

Download

1.5.1 - R1709192 (November 26, 2024)

Integrations

Reco

Add Support to tag risky users with identities and not accounts.
Fix reco-get-risky-users command to return the correct output.
Fix reco-get-assets-user-has-access-to command to return the correct output.

Related pull requests:
- 37316
- 37334

Download

1.5.0 - 1309186 (August 26, 2024)

Integrations

Reco

Added the reco-get-assets-by-id command to get assets by id.
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 35971
- 35951

Download

1.4.0 - 1066075 (June 3, 2024)

Integrations

Reco

Fix get-3rd-parties-list ep to use the new ep
Add new command reco-get-private-email-list-with-access

Related pull requests:
- 34627
- 34674

Download

1.3.0 - 1002031 (May 7, 2024)

Integrations

Reco

Added the reco-get-files-exposed-to-email-address command to get files exposed to email address.
Added the reco-get-assets-shared-externally command to get files exposed to email address.
Updated the Docker image to: demisto/python3:3.10.14.92207.

Related pull requests:
- 34238
- 34122

Download

1.5.6 - 3133732 (April 14, 2025)

Integrations

Reco

Added the reco-get-alert-ai-summary command.
Updated description.
Update the docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39262
- 39564

Download

1.5.5 - R2989425 (March 26, 2025)

Integrations

Reco

Metadata and documentation improvements.

Related pull requests:
- 39564
- 39416
- 39262
- 39408

Download

1.5.4 - 1989294 (January 14, 2025)

Integrations

Reco

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.11.1940698.

Related pull requests:
- 38077

Download

1.5.3 - R1977897 (January 13, 2025)

Integrations

Reco

Change timeout to 180 seconds for all commands.
Change EP for asset management to query. This EP performs a query on the assets and returns the results faster than the previous EP.

Related pull requests:
- 37583
- 37550

Download

1.5.1 - R1709192 (November 26, 2024)

Integrations

Reco

Add Support to tag risky users with identities and not accounts.
Fix reco-get-risky-users command to return the correct output.
Fix reco-get-assets-user-has-access-to command to return the correct output.

Related pull requests:
- 37316
- 37334

Download

1.5.0 - 1309186 (August 26, 2024)

Integrations

Reco

Added the reco-get-assets-by-id command to get assets by id.
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 35971
- 35951

Download

1.4.0 - 1066075 (June 3, 2024)

Integrations

Reco

Fix get-3rd-parties-list ep to use the new ep
Add new command reco-get-private-email-list-with-access

Related pull requests:
- 34627
- 34674

Download

1.3.0 - 1002031 (May 7, 2024)

Integrations

Reco

Added the reco-get-files-exposed-to-email-address command to get files exposed to email address.
Added the reco-get-assets-shared-externally command to get files exposed to email address.
Updated the Docker image to: demisto/python3:3.10.14.92207.

Related pull requests:
- 34238
- 34122

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	February 14, 2023
Last Release	April 14, 2025

Asset Management

Identity And Access Management

Breach Notification

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.