# Notion Logs

## Overview

Panther ingests Notion audit logs through an [HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http), which receives events from a Notion connection. Learn more on [Notion's documentation for adding security and compliance integrations](https://www.notion.so/help/add-security-and-compliance-integrations).

{% hint style="warning" %}
This integration is only available to customers of [Notion's Enterprise plan](https://www.notion.so/pricing).
{% endhint %}

#### Video overview

{% embed url="https://youtu.be/iB07BzppZlQ" %}

## How to onboard Notion logs to Panther

### Prerequisites

* To successfully complete [Step 2](#step-2-create-a-new-panther-connection-in-notion) below, your Notion user must have the **Workspace owner** role.

### Step 1: Create a new Notion source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for “Notion,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![On the Notion log source setup page in the Panther Console, there is a "Transport Mechanism" dropdown with a value of "HTTP." To its right is a "Start Setup" button, and both are circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-6e74a493903f1522924030463c1bc062e5c7c714%2FScreenshot%202023-06-07%20at%203.50.44%20PM.png?alt=media)
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * The **Schemas - Optional** field will be pre-populated with the Notion schema(s).
   * You will be required to use [HMAC authentication](https://docs.panther.com/data-transports/http#hmac). This is the only method of authentication Notion supports.
     * The **Header Name** associated with your **Secret Key Value** will be locked with a value of `x-notion-signature`.
     * Be sure to securely copy your **Secret Key Value**, and store it in a safe location, as you will need it in the next step.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Create a new Panther Connection in Notion

Learn more about this process on [Notion's documentation for adding security and compliance integrations](https://www.notion.so/help/add-security-and-compliance-integrations).

1. From the left-side navigation bar of your Notion tenant, click **Settings.**
2. Under the **Integrations** section, click **Connections**.
3. Click the **Workspace** tab.
4. Find **Panther** and click **Connect**.
5. In the popup modal, provide values for the following fields:
   * **Webhook URL:** Enter the HTTP Source URL you generated in [Step 1](#step-1-create-a-new-notion-source-in-panther).
   * **Token:** Enter the **Secret Key Value** you used in [Step 1](#step-1-create-a-new-notion-source-in-panther).
6. Click **Connect**.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Notion in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules/notion_rules).

## Supported log types

### Notion.AuditLogs

Notion.AuditLogs provide visibility into changes made to Notion workspaces.

```yaml
schema: Notion.AuditLogs
description: Notion Audit logs
referenceURL: https://www.notion.so/
fields:
    - name: event
      required: true
      description: The event information
      type: object
      fields:
        - name: id
          required: true
          description: The event ID
          type: string
        - name: timestamp
          required: true
          description: The time at which the event occurred
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: workspace_id
          description: The ID of the workspace associated with the event
          type: string
        - name: actor
          required: true
          description: Identifying information about the actor involved in the event
          type: object
          fields:
            - name: id
              required: true
              description: The ID of actor
              type: string
              indicators:
                - actor_id
            - name: object
              required: true
              description: The type of actor object
              type: string
            - name: type
              required: true
              description: The type of actor
              type: string
            - name: person
              description: Information on the person involved in the action
              type: object
              fields:
                - name: email
                  description: The user's email
                  type: string
                  indicators:
                    - email
        - name: ip_address
          description: The IP address the event originated from
          type: string
          indicators:
            - ip
        - name: platform
          description: The platform the request originated from
          type: string
        - name: type
          required: true
          description: The event type
          type: string
        - name: details
          description: The event details
          type: json
```
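To sanity-check a payload against the schema above before relying on it in detections, the following added example (not Panther's or Notion's code) reports which `required` fields are absent and extracts the values the schema tags as indicators. The sample event, its IDs and its event type are constructed; `deep_get`, `check_event` and `indicators` are hypothetical helper names.

```python
from datetime import datetime

# Paths the Notion.AuditLogs schema above marks `required: true`.
REQUIRED = [
    ("event", "id"), ("event", "timestamp"), ("event", "type"),
    ("event", "actor", "id"), ("event", "actor", "object"), ("event", "actor", "type"),
]
# Fields the schema tags with `indicators`, keyed by indicator name.
INDICATORS = {
    "actor_id": ("event", "actor", "id"),
    "email": ("event", "actor", "person", "email"),
    "ip": ("event", "ip_address"),
}

def deep_get(obj, path):
    """Walk nested dicts; return None as soon as a level is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def check_event(record):
    """Return a list of problems; an empty list means the record fits."""
    problems = [".".join(p) + " is missing" for p in REQUIRED if deep_get(record, p) is None]
    ts = deep_get(record, ("event", "timestamp"))
    if ts is not None:
        try:
            # Loose check: ISO 8601 parsing accepts RFC 3339 timestamps.
            # Older Python versions reject a trailing "Z", so normalise it.
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append("event.timestamp is not an RFC 3339 timestamp")
    return problems

def indicators(record):
    """Collect the indicator values present in the record."""
    found = {name: deep_get(record, path) for name, path in INDICATORS.items()}
    return {name: value for name, value in found.items() if value is not None}

# Constructed sample event; every value here is made up for illustration.
SAMPLE = {"event": {
    "id": "evt-0001", "timestamp": "2023-06-07T22:50:44Z",
    "workspace_id": "ws-0001", "type": "example.event_type",
    "actor": {"id": "user-0001", "object": "user", "type": "person",
              "person": {"email": "alice@example.com"}},
    "ip_address": "203.0.113.10", "platform": "web", "details": {},
}}

if __name__ == "__main__":
    print(check_event(SAMPLE), indicators(SAMPLE))
```

Optional fields such as `person.email` and `ip_address` are simply left out of the indicator result when an event does not carry them.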

