Notion Logs

Panther supports receiving Notion logs directly via webhook

Overview

Panther ingests Notion audit logs through an HTTP Source, which receives events from a Notion connection. Learn more on Notion's documentation for adding security and compliance integrations.

This integration is only available to customers of Notion's Enterprise plan.

Video overview

How to onboard Notion logs to Panther

Prerequisites

To successfully complete Step 2 below, your Notion user must have the Workspace owner role.

Step 1: Create a new Notion source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Notion,” then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- The Schemas - Optional field will be pre-populated with the Notion schema(s).
- You will be required to use HMAC authentication. This is the only method of authentication Notion supports.
  - The Header Name associated with your Secret Key Value will be locked with a value of x-notion-signature.
  - Be sure to securely copy your Secret Key Value, and store it in a safe location, as you will need it in the next step.
- Payloads sent to this source are subject to the payload requirements for all HTTP sources.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create a new Panther Connection in Notion

Learn more about this process on Notion's documentation for adding security and compliance integrations.

From the left-side navigation bar of your Notion tenant, click Settings & Members > Connections.
Click the Workspace Connections tab.
Click +Add connection.
From the dropdown options, select Panther.
In the popup modal, provide values for the following fields:
- Webhook URL: Enter the HTTP Source URL you generated in Step 1.
- Token: Enter the Secret Key Value you used in Step 1.
Click Connect.

Panther-managed detections

See Panther-managed rules for Notion in the panther-analysis GitHub repository.

Supported log types

Notion.AuditLogs

Notion.AuditLogs provide visibility into changes made to Notion workspaces.

schema: Notion.AuditLogs
description: Notion Audit logs
referenceURL: https://www.notion.so/
fields:
    - name: event
      required: true
      description: The event information
      type: object
      fields:
        - name: id
          required: true
          description: The event ID
          type: string
        - name: timestamp
          required: true
          description: The time at which the event occurred
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: workspace_id
          description: The ID of the workspace associated with the event
          type: string
        - name: actor
          required: true
          description: Identifying information about the actor involved in the event
          type: object
          fields:
            - name: id
              required: true
              description: The ID of actor
              type: string
              indicators:
                - actor_id
            - name: object
              required: true
              description: The type of actor object
              type: string
            - name: type
              required: true
              description: The type of actor
              type: string
            - name: person
              description: Information on the person involved in the action
              type: object
              fields:
                - name: email
                  description: The user's email
                  type: string
                  indicators:
                    - email
        - name: ip_address
          description: The IP address the event originated from
          type: string
          indicators:
            - ip
        - name: platform
          description: The platform the request originated from
          type: string
        - name: type
          required: true
          description: The event type
          type: string
        - name: details
          description: The event details
          type: json

PreviousNginx Logs NextOkta Logs

Last updated 3 months ago