# Notion Logs

## Overview

Panther ingests Notion audit logs through an [HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http), which receives events from a Notion connection. Learn more on [Notion's documentation for adding security and compliance integrations](https://www.notion.so/help/add-security-and-compliance-integrations).

{% hint style="warning" %}
This integration is only available to customers of [Notion's Enterprise plan](https://www.notion.so/pricing).
{% endhint %}

#### Video overview

{% embed url="https://youtu.be/iB07BzppZlQ" %}

## How to onboard Notion logs to Panther

### Prerequisites

* To successfully complete [Step 2](#step-2-create-a-new-panther-connection-in-notion) below, your Notion user must have the **Workspace owner** role.

### Step 1: Create a new Notion source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Notion,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![On the Notion log source setup page in the Panther Console, there is a "Transport Mechanism" dropdown with a value of "HTTP." To its right is a "Start Setup" button, and both are circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-6e74a493903f1522924030463c1bc062e5c7c714%2FScreenshot%202023-06-07%20at%203.50.44%20PM.png?alt=media)
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * The **Schemas - Optional** field will be pre-populated with the Notion schema(s).
   * You will be required to use [HMAC authentication](https://docs.panther.com/data-transports/http#hmac). This is the only method of authentication Notion supports.
     * The **Header Name** associated with your **Secret Key Value** will be locked with a value of `x-notion-signature`.
     * Copy your **Secret Key Value** and store it in a secure location, as you will need it in the next step.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Create a new Panther Connection in Notion

Learn more about this process on [Notion's documentation for adding security and compliance integrations](https://www.notion.so/help/add-security-and-compliance-integrations).

1. From the left-side navigation bar of your Notion tenant, click **Settings**.
2. Under the **Integrations** section, click **Connections**.
3. Click the **Workspace** tab.
4. Find **Panther** and click **Connect**.
5. In the popup modal, provide values for the following fields:
   * **Webhook URL:** Enter the HTTP Source URL you generated in [Step 1](#step-1-create-a-new-notion-source-in-panther).
   * **Token:** Enter the **Secret Key Value** you used in [Step 1](#step-1-create-a-new-notion-source-in-panther).
6. Click **Connect**.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Notion in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules/notion_rules).

## Supported log types

### Notion.AuditLogs

Notion.AuditLogs provide visibility into changes made to Notion workspaces.

```yaml
schema: Notion.AuditLogs
description: Notion Audit logs
referenceURL: https://www.notion.so/
fields:
    - name: event
      required: true
      description: The event information
      type: object
      fields:
        - name: id
          required: true
          description: The event ID
          type: string
        - name: timestamp
          required: true
          description: The time at which the event occurred
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: workspace_id
          description: The ID of the workspace associated with the event
          type: string
        - name: actor
          required: true
          description: Identifying information about the actor involved in the event
          type: object
          fields:
            - name: id
              required: true
              description: The ID of actor
              type: string
              indicators:
                - actor_id
            - name: object
              required: true
              description: The type of actor object
              type: string
            - name: type
              required: true
              description: The type of actor
              type: string
            - name: person
              description: Information on the person involved in the action
              type: object
              fields:
                - name: email
                  description: The user's email
                  type: string
                  indicators:
                    - email
        - name: ip_address
          description: The IP address the event originated from
          type: string
          indicators:
            - ip
        - name: platform
          description: The platform the request originated from
          type: string
        - name: type
          required: true
          description: The event type
          type: string
        - name: details
          description: The event details
          type: json
```
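
The following is an added example, not part of Panther's or Notion's own code: a pre-flight check that applies the `required` fields and `indicators` from the schema above to a parsed record, useful when testing a pipeline before events reach Panther. The sample records, the `check_record` and `get_path` helpers, and the `example.event_type` value are constructed for illustration, and the timestamp check is an approximation of RFC 3339.

```python
import ipaddress
from datetime import datetime

# Required paths and indicator paths, transcribed from the Notion.AuditLogs schema above.
REQUIRED = ["event", "event.id", "event.timestamp", "event.type",
            "event.actor", "event.actor.id", "event.actor.object", "event.actor.type"]
INDICATORS = {"actor_id": "event.actor.id", "email": "event.actor.person.email",
              "ip": "event.ip_address"}

def get_path(record, path):
    """Walk a dotted path through nested dicts; return None if any hop is missing."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check_record(record):
    """Return (problems, indicators) for one parsed audit record."""
    problems = [f"missing required field: {p}" for p in REQUIRED if get_path(record, p) is None]
    ts = get_path(record, "event.timestamp")
    if ts is not None:
        try:
            # Approximate RFC 3339 check; map a trailing "Z" for Python < 3.11.
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append("event.timestamp is not RFC 3339")
    indicators = {}
    for name, path in INDICATORS.items():
        value = get_path(record, path)
        if value is None:
            continue  # optional field absent, or already reported as missing
        if name == "ip":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                problems.append("event.ip_address is not a valid IP")
                continue
        indicators[name] = value
    return problems, indicators

# Constructed sample records (hypothetical values, not real Notion output).
GOOD = {"event": {"id": "evt-0001", "timestamp": "2023-06-07T15:50:44.000Z",
                  "actor": {"id": "user-0001", "object": "user", "type": "person",
                            "person": {"email": "alice@example.com"}},
                  "ip_address": "203.0.113.7", "type": "example.event_type"}}
BAD = {"event": {"id": "evt-0002", "timestamp": "yesterday",
                 "actor": {"object": "user", "type": "person"},
                 "ip_address": "not-an-ip", "type": "example.event_type"}}
```
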
