Notion Logs

Panther supports receiving Notion logs directly via webhook

Overview

Panther ingests Notion audit logs through an HTTP Source, which receives events from a Notion connection.

How to onboard Notion logs to Panther

Prerequisite

To successfully complete Step 2 below, your Notion user must have the Workspace owner role.

Step 1: Create a new Notion source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Notion,” then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- The Schemas - Optional field will be pre-populated with the Notion schema(s).
- You will be required to use HMAC authentication. This is the only method of authentication Notion supports.
  - The Header Name associated with your Secret Key Value will be locked with a value of x-notion-signature.
  - Be sure to securely copy your Secret Key Value, and store it in a safe location, as you will need it in the next step.

Step 2: Create a new Panther Connection in Notion

From the left-side navigation bar of your Notion tenant, click Settings & Members > Connections.
Click the Workspace Connections tab.
Click +Add connection.
From the dropdown options, select Panther.
In the popup modal, provide values for the following fields:
- Webhook URL: Enter the HTTP Source URL you generated in Step 1.
- Secret code: Enter the Secret Key Value you used in Step 1.
Click Connect.

Panther-managed detections

See Panther-managed rules for Notion in the panther-analysis GitHub repository.

Supported log types

Required fields in the schema are listed as "required: true"

Notion.AuditLogs

Notion.AuditLogs provide visibility into changes made to Notion workspaces.

schema: Notion.AuditLogs
description: Notion Audit logs
referenceURL: https://www.notion.so/
fields:
    - name: event
      required: true
      description: The event information
      type: object
      fields:
        - name: id
          required: true
          description: The event ID
          type: string
        - name: timestamp
          required: true
          description: The time at which the event occurred
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: workspace_id
          description: The ID of the workspace associated with the event
          type: string
        - name: actor
          required: true
          description: Identifying information about the actor involved in the event
          type: object
          fields:
            - name: id
              required: true
              description: The ID of actor
              type: string
              indicators:
                - actor_id
            - name: object
              required: true
              description: The type of actor object
              type: string
            - name: type
              required: true
              description: The type of actor
              type: string
            - name: person
              description: Information on the person involved in the action
              type: object
              fields:
                - name: email
                  description: The user's email
                  type: string
                  indicators:
                    - email
        - name: ip_address
          description: The IP address the event originated from
          type: string
          indicators:
            - ip
        - name: platform
          description: The platform the request originated from
          type: string
        - name: type
          required: true
          description: The event type
          type: string
        - name: details
          description: The event details
          type: json

PreviousNginx Logs NextOkta Logs

Last updated 1 year ago

How to onboard Notion logs to Panther

Prerequisite

To successfully complete Step 2 below, your Notion user must have the Workspace owner role.

Step 1: Create a new Notion source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

Click Create New.

Search for “Notion,” then click its tile.

In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

Click Start Setup.

Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

The Schemas - Optional field will be pre-populated with the Notion schema(s).
You will be required to use HMAC authentication. This is the only method of authentication Notion supports.
- The Header Name associated with your Secret Key Value will be locked with a value of x-notion-signature.
- Be sure to securely copy your Secret Key Value, and store it in a safe location, as you will need it in the next step.

Step 2: Create a new Panther Connection in Notion

From the left-side navigation bar of your Notion tenant, click Settings & Members > Connections.

Click the Workspace Connections tab.

Click +Add connection.

From the dropdown options, select Panther.

In the popup modal, provide values for the following fields:

Webhook URL: Enter the HTTP Source URL you generated in Step 1.
Secret code: Enter the Secret Key Value you used in Step 1.

Click Connect.

Supported log types

Required fields in the schema are listed as "required: true"

Notion.AuditLogs

Notion.AuditLogs provide visibility into changes made to Notion workspaces.

schema: Notion.AuditLogs
description: Notion Audit logs
referenceURL: https://www.notion.so/
fields:
    - name: event
      required: true
      description: The event information
      type: object
      fields:
        - name: id
          required: true
          description: The event ID
          type: string
        - name: timestamp
          required: true
          description: The time at which the event occurred
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: workspace_id
          description: The ID of the workspace associated with the event
          type: string
        - name: actor
          required: true
          description: Identifying information about the actor involved in the event
          type: object
          fields:
            - name: id
              required: true
              description: The ID of actor
              type: string
              indicators:
                - actor_id
            - name: object
              required: true
              description: The type of actor object
              type: string
            - name: type
              required: true
              description: The type of actor
              type: string
            - name: person
              description: Information on the person involved in the action
              type: object
              fields:
                - name: email
                  description: The user's email
                  type: string
                  indicators:
                    - email
        - name: ip_address
          description: The IP address the event originated from
          type: string
          indicators:
            - ip
        - name: platform
          description: The platform the request originated from
          type: string
        - name: type
          required: true
          description: The event type
          type: string
        - name: details
          description: The event details
          type: json