# Notion Logs

## Overview

Panther ingests Notion audit logs through an [HTTP Source](https://docs.panther.com/~/changes/Dd8nx2iqd1Pp2OzWJaWk/data-onboarding/data-transports/http), which receives events from a Notion connection.

## How to onboard Notion logs to Panther

### Prerequisite

* To successfully complete [Step 2](#step-2-create-a-new-panther-connection-in-notion) below, your Notion user must have the **Workspace owner** role.

### Step 1: Create a new Notion source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for “Notion,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![On the Notion log source setup page in the Panther Console, there is a "Transport Mechanism" dropdown with a value of "HTTP." To its right is a "Start Setup" button, and both are circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FUXlpMsq4MNInpCI7atcv%2FScreenshot%202023-06-07%20at%203.50.44%20PM.png?alt=media\&token=05ac82f3-c3d0-46f9-b265-752542980c88)
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/~/changes/Dd8nx2iqd1Pp2OzWJaWk/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * The **Schemas - Optional** field will be pre-populated with the Notion schema(s).
   * You will be required to use [HMAC authentication](https://docs.panther.com/~/changes/Dd8nx2iqd1Pp2OzWJaWk/data-transports/http#hmac). This is the only method of authentication Notion supports.
     * The **Header Name** associated with your **Secret Key Value** will be locked with a value of `x-notion-signature`.
     * Be sure to securely copy your **Secret Key Value**, and store it in a safe location, as you will need it in the next step.

### Step 2: Create a new Panther Connection in Notion

1. From the left-side navigation bar of your Notion tenant, click **Settings & Members** > **Connections.**
2. Click the **Workspace Connections** tab.
3. Click **+Add connection**.
4. From the dropdown options, select **Panther**.
5. In the popup modal, provide values for the following fields:
   * **Webhook URL:** Enter the HTTP Source URL you generated in [Step 1](#step-1-create-a-new-notion-source-in-panther).
   * **Secret code:** Enter the **Secret Key Value** you used in [Step 1](#step-1-create-a-new-notion-source-in-panther).
6. Click **Connect**.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Notion in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules/notion_rules).

## Supported log types

{% hint style="info" %}
Required fields in the schema are listed as **"required: true"**
{% endhint %}

### Notion.AuditLogs

Notion.AuditLogs provide visibility into changes made to Notion workspaces.

```yaml
schema: Notion.AuditLogs
description: Notion Audit logs
referenceURL: https://www.notion.so/
fields:
    - name: event
      required: true
      description: The event information
      type: object
      fields:
        - name: id
          required: true
          description: The event ID
          type: string
        - name: timestamp
          required: true
          description: The time at which the event occurred
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: workspace_id
          description: The ID of the workspace associated with the event
          type: string
        - name: actor
          required: true
          description: Identifying information about the actor involved in the event
          type: object
          fields:
            - name: id
              required: true
              description: The ID of actor
              type: string
              indicators:
                - actor_id
            - name: object
              required: true
              description: The type of actor object
              type: string
            - name: type
              required: true
              description: The type of actor
              type: string
            - name: person
              description: Information on the person involved in the action
              type: object
              fields:
                - name: email
                  description: The user's email
                  type: string
                  indicators:
                    - email
        - name: ip_address
          description: The IP address the event originated from
          type: string
          indicators:
            - ip
        - name: platform
          description: The platform the request originated from
          type: string
        - name: type
          required: true
          description: The event type
          type: string
        - name: details
          description: The event details
          type: json
```