
Reco

This Integration is part of the Reco Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Reco is a SaaS data security solution that protects your data from accidental leaks and malicious attacks. This integration was integrated and tested with version 2023.34.0 of Reco.

Configure Reco on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Reco.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL (e.g. https://host.reco.ai/api/v1) | | True |
    | JWT app token | | True |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | Incident type | | False |
    | Fetch incidents | | False |
    | Max fetch | | False |
    | Source | Incidents SaaS Source | False |
    | Before | Created At time before which incidents will be fetched | False |
    | After | Created At time after which incidents will be fetched | False |
    | Risk level | Risk level of the incidents to fetch | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

reco-add-exclusion-filter

Add exclusion filter to Reco Classifier

Base Command

reco-add-exclusion-filter

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| values_to_add | Values to add to the exclusion filter (split by ','). | Required |
| key_to_add | Key to add to the exclusion filter (e.g. "CASE_SENSITIVE_TERMS", "LOCATION_CASE_INSENSITIVE_TERMS", "OWNERS", "FILE_IDS", "LOCATIONS"). | Required |

Context Output

There is no context output for this command.

reco-update-incident-timeline

Add a comment to an incident in Reco

Base Command

reco-update-incident-timeline

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | Comment to add to the incident. | Required |
| incident_id | Incident ID to add the comment to. | Required |

Context Output

There is no context output for this command.

reco-resolve-visibility-event

Resolve an event in a Reco Finding. Reco Findings contain aggregations of events. This command resolves the event in the Reco Finding.

Base Command

reco-resolve-visibility-event

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity_id | Entity id of the file to resolve. | Required |
| label_name | Label name to resolve (e.g. "Accessible to All Org Users", "Accessible by General Public"). | Required |

Context Output

There is no context output for this command.

reco-get-risky-users

Get Risky Users from Reco

Base Command

reco-get-risky-users

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Reco.RiskyUsers | unknown | Risky Users |

reco-add-risky-user-label

Tag a user as risky in Reco

Base Command

reco-add-risky-user-label

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_address | Email address of the user to add to the risky users list in Reco. | Required |

Context Output

There is no context output for this command.

reco-get-assets-user-has-access-to

Get all files a user has access to from Reco

Base Command

reco-get-assets-user-has-access-to

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_address | Email address of the user. | Required |
| only_sensitive | Return only sensitive assets owned by this user. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Reco.Assets | unknown | Assets user has access to |

reco-add-leaving-org-user-label

Tag a user as leaving org user in Reco

Base Command

reco-add-leaving-org-user-label

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_address | Email address of the user to tag as leaving org user. | Required |

Context Output

There is no context output for this command.

reco-get-sensitive-assets-by-name

Get all sensitive assets from Reco by name

Base Command

reco-get-sensitive-assets-by-name

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_name | Asset name to search for. | Required |
| regex_search | Return only sensitive assets owned by this user. | Optional |

Context Output

There is no context output for this command.

reco-get-sensitive-assets-by-id

Get all sensitive assets from Reco by id

Base Command

reco-get-sensitive-assets-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Asset id to search for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Reco.SensitiveAssets.file_name | String | The name of the asset |
| Reco.SensitiveAssets.file_owner | String | The owner of the asset |
| Reco.SensitiveAssets.file_url | Unknown | JSON string of the asset's URL and the name |
| Reco.SensitiveAssets.currently_permitted_users | String | List of currently permitted users |
| Reco.SensitiveAssets.visibility | String | Visibility of the asset |
| Reco.SensitiveAssets.location | String | The path of the asset |
| Reco.SensitiveAssets.source | String | SaaS tool source of the asset |
| Reco.SensitiveAssets.sensitivity_level | Number | The sensitivity level of the asset |

reco-get-link-to-user-overview-page

Generate a magic link for the Reco UI (overview page)

Base Command

reco-get-link-to-user-overview-page

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity | Entity Type (RM_LINK_TYPE_USER). | Required |
| param | Entity ID (user email). | Optional |

Context Output

There is no context output for this command.

reco-get-3rd-parties-accessible-to-data-list

Get 3rd parties accessible to sensitive assets

Base Command

reco-get-3rd-parties-accessible-to-data-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| last_interaction_time_in_days | Last interaction time in days. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Reco.Domains.domain | String | The domain of the 3rd party |
| Reco.Domains.last_activity | String | The last interaction time with the 3rd party |
| Reco.Domains.num_files | Number | The number of files the 3rd party has access to |
| Reco.Domains.num_users | Number | The number of users the 3rd party has access to |
| Reco.Domains.data_category | String | The data category of the assets the 3rd party has access to |

reco-get-sensitive-assets-with-public-link

Get all sensitive assets with public link from Reco

Base Command

reco-get-sensitive-assets-with-public-link

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Reco.Assets.asset_id | String | The asset id |
| Reco.Assets.asset | Unknown | JSON string of the asset's URL and the name |
| Reco.Assets.data_category | String | The data category of the asset |
| Reco.Assets.data_categories | String | The data categories of the asset |
| Reco.SensitiveAssets.location | String | The path of the asset |
| Reco.SensitiveAssets.source | String | SaaS tool source of the asset |
| Reco.Assets.last_access_date | String | The last access date of the asset |

reco-get-files-shared-with-3rd-parties

Get files shared with 3rd parties

Base Command

reco-get-files-shared-with-3rd-parties

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| last_interaction_time_in_days | Last interaction time in days. | Required |
| domain | Domain to search. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Reco.Assets.asset_id | String | The asset id of the file |
| Reco.Assets.location | String | The location of the file |
| Reco.Assets.users | String | Users the file is shared with |
| Reco.Assets.asset | Unknown | The asset metadata |
| Reco.Assets.data_category | String | The data category of the assets the 3rd party has access to |
| Reco.Assets.last_access_date | String | The last access date of the asset |
| Reco.Assets.domain | String | The domain of the 3rd party |
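
An added example, not part of the Reco integration or its documentation: a Python helper of the kind an XSOAR automation could use to chain reco-get-3rd-parties-accessible-to-data-list into reco-get-files-shared-with-3rd-parties. It ranks the Reco.Domains entries by num_files, rejects malformed domain values before they are reused as a command argument, and builds the follow-up calls. The function name, the thresholds, the sample data and its data_category values are assumptions; the context fields and argument names are the ones documented on this page.

```python
import re

# Hostname check applied before a context value is reused as a command argument.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def plan_third_party_review(domains, lookback_days, min_files=1, categories=None):
    """Rank Reco.Domains entries and build the follow-up command calls.

    domains: list of dicts carrying the documented Reco.Domains fields.
    Returns (calls, rejected): calls is a list of (command, args) pairs for
    reco-get-files-shared-with-3rd-parties, largest exposure first; rejected
    holds the entries whose domain value is missing or malformed.
    """
    if not isinstance(lookback_days, int) or lookback_days <= 0:
        raise ValueError("lookback_days must be a positive integer")
    wanted = {c.lower() for c in categories} if categories else None
    ranked, rejected = [], []
    for entry in domains:
        domain = str(entry.get("domain") or "").strip().lower()
        if not _DOMAIN_RE.match(domain):
            rejected.append(entry)  # keep for analyst review, never pass it on
            continue
        try:
            num_files = int(entry.get("num_files") or 0)
        except (TypeError, ValueError):
            num_files = 0
        category = str(entry.get("data_category") or "").lower()
        if num_files < min_files or (wanted is not None and category not in wanted):
            continue
        ranked.append((num_files, domain))
    ranked.sort(key=lambda item: (-item[0], item[1]))
    # In an automation, each pair would be passed to demisto.executeCommand(command, args).
    calls = [
        ("reco-get-files-shared-with-3rd-parties",
         {"domain": domain, "last_interaction_time_in_days": str(lookback_days)})
        for _, domain in ranked
    ]
    return calls, rejected


# Constructed sample shaped like the documented Reco.Domains output (values are made up).
SAMPLE_DOMAINS = [
    {"domain": "partner.example", "num_files": 12, "num_users": 3, "data_category": "Financial"},
    {"domain": "vendor.example", "num_files": 40, "num_users": 9, "data_category": "PII"},
    {"domain": "bad domain;x", "num_files": 5, "num_users": 1, "data_category": "PII"},
    {"domain": "small.example", "num_files": 1, "num_users": 1, "data_category": "PII"},
]
```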

reco-change-alert-status

Update alert status in Reco

Base Command

reco-change-alert-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert id to get. | Required |
| status | Status to set the alert to (e.g. "ALERT_STATUS_NEW", "ALERT_STATUS_IN_PROGRESS", "ALERT_STATUS_CLOSED"). Possible values are: ALERT_STATUS_NEW, ALERT_STATUS_IN_PROGRESS, ALERT_STATUS_CLOSED. | Required |

Context Output

There is no context output for this command.

reco-get-user-context-by-email-address

Get user context by email address from Reco.

Base Command

reco-get-user-context-by-email-address

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_address | User email address. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Reco.User.email_account | String | The email of the user. |
| Reco.User.departments | String | User departments. |
| Reco.User.job_titles | String | Job Title. |
| Reco.User.category | String | Category. |
| Reco.User.groups | String | The groups user is member of. |
| Reco.User.full_name | String | The user full name. |
| Reco.User.labels | Unknown | User Labels. |