Quick Guide to Policies in Reco
Written by Reco Product Management
Updated over 2 months ago

Welcome to the Reco Policy Center guide, where we dive into the powerful capabilities of Reco's policy management system. This system is designed to help organizations monitor and enforce security and compliance across their SaaS applications. Let's explore how you can leverage Reco's policies to safeguard your digital environment.

Understanding the Policy Center

The Policy Center is your hub for viewing and managing the security policies applied across your SaaS applications. It provides a comprehensive view of which policies are active, allowing you to ensure your organization's security and compliance posture is robust and up-to-date. The Policy Center also enables the creation of custom policies.

Key Features of Reco Policies

Broad Range of Out-of-the-Box Policies

Reco offers an extensive array of pre-defined policies covering various categories such as:

  • Misconfigurations

  • Third-party risk

  • Application governance

  • Configuration drifts

  • Insider risk

These policies are designed to address common and emerging threats, providing a solid foundation for your security strategy across different SaaS platforms.

Policy Details and Management

When you select a policy within the Policy Center, you'll be presented with detailed information, including:

  • Policy Description: Understand what the policy targets, its purpose, and how it protects your organization.

  • Labels: See the categories or initiatives the policy is associated with, such as MITRE ATT&CK, helping you align with broader security frameworks.

  • Policy State: Check whether the policy is active (on), inactive (off), or in preview mode.

  • Matching Alerts: Access links to alerts triggered by policy violations, offering insights into specific occurrences and impacted areas.

  • Rules Logic: Review the underlying logic that defines the policy, understanding how it detects potential threats.

  • Notification Options: Customize how you receive notifications (via email or Slack) when a policy is triggered. For detailed guidance on setting up notifications, visit our real-time notification system setup guide.

Alert Generation and Review

Once a policy is activated, it will begin monitoring for compliance. Any violations will trigger alerts, which you can review on the Alerts page. This feature enables you to quickly identify and respond to potential security issues, maintaining your organization's integrity.

How to Create a Custom Policy

  1. Click on Policy Center --> New Policy

  2. Fill the following 4 steps in the Policy Studio to create a new policy:

    1. About: define the metadata for the new check

      1. Name

      2. Description

      3. Status - We recommend setting the initial status to "Preview." This will ensure that all alerts generated by this policy are in "Preview" status, allowing you to monitor the newly created policy. Once you've validated that the alerts are accurate, you can change the status to "On."

      4. Severity

      5. Remediation

    2. Extraction: select a relevant source for the check. Each app typically has multiple extraction sources available. You can click the "Preview Response" button next to the chosen extraction source to view a sample API JSON response.

    3. Conditions: in this step, define all conditions that must be met by the event to become a violation. Refer to the next section for guidance on building conditions with our query builder.

    4. Aggregation: This section will define how violations are grouped into alerts. For example, for a policy on extensive file downloads, we may want to generate an alert for every X number of download violations.

      1. Indicator - Here, we define an indicator that will be used to aggregate violations into a single alert. Typically, this will be a user’s email or ID, as we want to create a separate alert for each individual actor.

      2. Distinction Indicator - A set of unique identifiers that qualify as a violation. For example, in a file download policy, this would likely be a combination of file ID and user ID, as repeated downloads of the same file by the same user within a defined time period should not be counted as new violations.

      3. Time Period + Threshold - The time period in hours over which the threshold is calculated. If the threshold is met within this time period, a violation will be yielded. In this example, an alert will be created for every 5 violations that occur within a 14-hour period.

      4. Alert Description - This JSONata expression is used to generate the description of the alert.

  3. Click Save to save the check. The Save button will only be enabled once all mandatory fields are completed. While it's disabled, you can hover over it to see which fields are still missing for the check to be valid. Once created, custom policies can be edited and deleted.
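As an added illustration (not Reco's own code), the following Python models the Aggregation step described above: the Indicator groups violations per actor, the Distinction Indicator keeps a repeated download of the same file by the same user from counting twice inside the window, and an alert is raised for every 5 violations within 14 hours. The event documents, the field names under `payload` and `enriched`, and the plain format function standing in for the JSONata description expression are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Reco data), shaped like the two-root documents
# the page describes: raw `payload`, Reco-side `enriched`. Field names are assumed.
def _ev(actor, file_id, ts):
    return {"payload": {"actor": actor, "file_id": file_id, "ts": ts},
            "enriched": {"file_sensitivity": "high"}}

EVENTS = [
    _ev("alice@example.com", "f1", "2024-05-01T09:00:00"),
    _ev("alice@example.com", "f1", "2024-05-01T09:05:00"),  # same file again: not counted
    _ev("alice@example.com", "f2", "2024-05-01T09:10:00"),
    _ev("alice@example.com", "f3", "2024-05-01T09:20:00"),
    _ev("alice@example.com", "f4", "2024-05-01T09:30:00"),
    _ev("bob@example.com", "f9", "2024-05-01T09:35:00"),
    _ev("alice@example.com", "f5", "2024-05-01T09:40:00"),  # 5th distinct file: alert
    _ev("alice@example.com", "f6", "2024-05-01T10:00:00"),  # starts the next count
]

def get_path(doc, path):
    """Resolve a dotted path such as 'payload.actor' against one document."""
    for key in path.split("."):
        doc = doc[key]
    return doc

def describe(actor, count, hours):
    """Plain format function standing in for the JSONata alert-description expression."""
    return f"{actor} downloaded {count} distinct files within {hours} hours"

def aggregate(events, indicator, distinction, window_hours, threshold, describe=describe):
    """Model of the Aggregation step: a violation is identified by the `distinction`
    paths (a repeat inside the window is not counted again), grouped by the
    `indicator` path, and an alert fires when `threshold` fall within `window_hours`."""
    window = timedelta(hours=window_hours)
    last_seen = {}  # distinction key -> time of the last counted violation
    pending = {}    # indicator value -> violation times not yet rolled into an alert
    alerts = []
    for ev in sorted(events, key=lambda e: get_path(e, "payload.ts")):
        ts = datetime.fromisoformat(get_path(ev, "payload.ts"))
        dkey = tuple(get_path(ev, p) for p in distinction)
        if dkey in last_seen and ts - last_seen[dkey] < window:
            continue  # repeated download of the same file by the same user
        last_seen[dkey] = ts
        actor = get_path(ev, indicator)
        bucket = [t for t in pending.get(actor, []) if ts - t <= window] + [ts]
        if len(bucket) >= threshold:
            alerts.append(describe(actor, len(bucket), window_hours))
            bucket = []  # the next alert needs `threshold` new violations
        pending[actor] = bucket
    return alerts
```

Running `aggregate(EVENTS, "payload.actor", ["payload.actor", "payload.file_id"], 14, 5)` yields one alert for alice and none for bob, since the repeated download of `f1` is deduplicated and the sixth file only begins the next count.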

How to Work with the Query Builder

  • When you click on the "Type JSONata Path" tab, the proprietary query builder opens with the selected JSON. Our JSON files have two root nodes: payload and enriched. The payload section contains raw data as received from the endpoint, while the enriched section includes data enriched by Reco analysis.

  • In the INPUT section of the query builder, select the relevant path within the JSON. Once a path is chosen, the value type is automatically identified, and applicable operators will be displayed.

  • To add a custom expression, type it in quotation marks ("") and concatenate it to the selected JSON path using "&" between them.

  • Use the "+ AND" button to add multiple conditions, combining them with an AND operator.
