Introduction
Our product includes a variety of built-in posture checks that scan the configurations of integrated SaaS applications to ensure they align with best practices, helping organization SaaS security posture.
The Posture Studio empowers Reco users to create custom posture checks in addition to the out of the box checks.
Overview
Before creating a posture check, ensure that the SaaS app you want to configure the check for is already integrated.
Once the check is saved, it takes up to 24 hours until the check will run and the results will be available.
Only custom posture checks can be edited. Out of the box checks are read only.
How to create a new posture check
Click on Posture Checks --> New Posture Check
Fill the following 4 steps in the Posture Studio to create a new check:
About: define the meta data for the new check
Name
Description
Security Domain - select one of the 8 supported security domains
Severity - the score of the check depends on the the check severity.
Remediation
Extraction: select a relevant source for the check. Each app typically has multiple extraction sources available. You can click the "Preview Response" button next to the chosen extraction source to view a sample API JSON response.
Entities: there are two types of posture checks: global checks and entity-specific checks.
Global Checks apply to settings that affect the entire app. For instance, the "Zoom - Host Can Delete Cloud Recordings" check verifies if the option allowing hosts to delete recordings is enabled. This setting impacts all Zoom users, making it a global check.
Entity-Specific Checks monitor individual entities, like accounts. For example, a check for "Accounts Without MFA" evaluates each account separately, allowing some accounts to pass while others may fail. The score for this type of check is determined by the check severity, but also by the percentage of entities that pass out of the total number of entities evaluated.
If the check you’re creating is a global check, you can skip this step. If it's an entity-specific check, define the relevant entity here. First, select the entity you wish to evaluate using our query builder (see the next section), then choose a unique identifier for that entity. For instance, in a user-type entity, the unique identifier is typically an email or user ID.
Conditions: in this step, define all conditions that must be met for the check to fail. Refer to the next section for guidance on building conditions with our query builder.
Adjust the Threshold field only if needed to set the minimum number of entities that would trigger a failure for this check. For example, if the check aims to ensure there are no more than four admins in the app, set this value to 4.
Click Save to save the check. The Save button will only be enabled once all mandatory fields are completed. While it's disabled, you can hover over it to see which fields are still missing for the check to be valid.
How to work with query builder
When you click on the "Type JSONata Path" tab, the proprietary query builder opens with the selected JSON. Our JSON files have two root nodes: payload and enriched. The payload section contains raw data as received from the endpoint, while the enriched section includes data enriched by Reco analysis.
In the INPUT section of the query builder, select the relevant path within the JSON. Once a path is chosen, the value type is automatically identified, and applicable operators will be displayed.
To add a custom expression, type it in quotation marks ("") and concatenate it to the selected JSON path using "&" between them.
Use the "+ AND" button to add multiple conditions, combining them with an AND operator.
