add: notion rule scim token generated (#796)

* add: notion rule scim token generated * fmt * refactor: add to pack & severity * add: title * feedback * add token id * fmt * lint * Update rules/notion_rules/notion_scim_token_generated.py Co-authored-by: andrea-youwakim <[email protected]> * fmt * fixing dot notation attempt in deep_get --------- Co-authored-by: andrea-youwakim <[email protected]> Co-authored-by: andrea-youwakim <[email protected]>
panther-labs · Jun 15, 2023 · 564639d · 564639d
1 parent 624ffd0
commit 564639d
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 0 deletions.
diff --git a/packs/notion.yml b/packs/notion.yml
@@ -4,6 +4,7 @@ Description: Group of all Notion detections
 PackDefinition:
  IDs:
  - Notion.Workspace.Exported
+ - Notion.Workspace.SCIM.Token.Generated
  - Notion.Many.Pages.Exported
  - Notion.Many.Pages.Deleted
  - Notion.Audit.Log.Exported

diff --git a/rules/notion_rules/notion_scim_token_generated.py b/rules/notion_rules/notion_scim_token_generated.py
@@ -0,0 +1,25 @@
+from global_filter_notion import filter_include_event
+from panther_base_helpers import deep_get
+from panther_notion_helpers import notion_alert_context
+
+
+def rule(event):
+ if not filter_include_event(event):
+ return False
+ return (
+ deep_get(event, "type", default="<NO_EVENT_TYPE_FOUND>") == "workspace.scim_token_generated"
+ )
+
+
+def title(event):
+ user = deep_get(event, "actor", "person", "email", default="<NO_USER_FOUND>")
+ workspace_id = event.get("workspace_id", "<NO_WORKSPACE_ID_FOUND>")
+ token_id = deep_get(event, "workspace", "scim_token_generated", default="{}")
+ return (
+ f"Notion User [{user}] generated a SCIM token "
+ f"[{token_id}] for workspace id [{workspace_id}]."
+ )
+
+
+def alert_context(event):
+ return notion_alert_context(event)
diff --git a/rules/notion_rules/notion_scim_token_generated.yaml b/rules/notion_rules/notion_scim_token_generated.yaml
@@ -0,0 +1,55 @@
+AnalysisType: rule
+Description: A Notion User generated a SCIM token.
+DisplayName: "Notion SCIM Token Generated"
+Enabled: true
+Filename: notion_scim_token_generated.py
+Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason.
+Severity: Medium
+Tags:
+ - Initial Access:Supply Chain Compromise
+Tests:
+ - ExpectedResult: false
+ Log:
+ {
+ "id": "...",
+ "timestamp": "2023-06-02T20:16:41.217Z",
+ "workspace_id": "123",
+ "actor": {
+ "id": "..",
+ "object": "user",
+ "type": "person",
+ "person": {
+ "email": "[email protected]"
+ }
+ },
+ "ip_address": "...",
+ "platform": "mac-desktop",
+ "type": "workspace.content_exported",
+ "workspace.content_exported": {}
+ }
+ Name: other event
+ - ExpectedResult: true
+ Log:
+ {
+ "id": "...",
+ "timestamp": "2023-06-02T20:21:01.873Z",
+ "workspace_id": "123",
+ "actor": {
+ "id": "..",
+ "object": "user",
+ "type": "person",
+ "person": {
+ "email": "[email protected]"
+ }
+ },
+ "ip_address": "...",
+ "platform": "mac-desktop",
+ "type": "workspace.scim_token_generated",
+ "workspace.scim_token_generated": {}
+ }
+ Name: Token Generated
+DedupPeriodMinutes: 60
+LogTypes:
+ - Notion.AuditLogs
+RuleID: "Notion.Workspace.SCIM.Token.Generated"
+Threshold: 1