panther-labs · egibs · Jan 16, 2024 · Dec 13, 2023 · Jan 16, 2024
@@ -16,12 +16,12 @@ def rule(event):
 
 def title(event):
  user = event.deep_get("event", "actor", "person", "email", default="<NO_USER_FOUND>")
- page_id = event.deep_get("event", "details", "target", "page_id", default="<NO_PAGE_ID_FOUND>")
- return f"Notion User [{user}] changed the status of page [{page_id}] to public."
+ page_name = event.deep_get("event", "details", "page_name", default="<NO_PAGE_NAME_FOUND>")
+ return f"Notion User [{user}] changed the status of page [{page_name}] to public."
 
 
 def alert_context(event):
  context = notion_alert_context(event)
- page_id = event.deep_get("event", "details", "target", "page_id", default="<NO_PAGE_ID_FOUND>")
- context["page_id"] = page_id
+ page_name = event.deep_get("event", "details", "page_name", default="<NO_PAGE_NAME_FOUND>")
+ context["page_name"] = page_name
  return context
@@ -12,11 +12,7 @@ def rule(event):
 def title(event):
  user = event.deep_get("event", "actor", "person", "email", default="<NO_USER_FOUND>")
  workspace_id = event.deep_get("event", "workspace_id", default="<NO_WORKSPACE_ID_FOUND>")
- token_id = event.deep_get("event", "workspace", "scim_token_generated", default="{}")
- return (
- f"Notion User [{user}] generated a SCIM token "
- f"[{token_id}] for workspace id [{workspace_id}]."
- )
+ return f"Notion User [{user}] generated a SCIM token for workspace id [{workspace_id}]."
 
 
 def alert_context(event):

@@ -0,0 +1,32 @@
+from panther_notion_helpers import notion_alert_context
+
+EVENTS = (
+ "teamspace.settings.allow_public_page_sharing_setting_updated",
+ "teamspace.settings.allow_guests_setting_updated",
+ "teamspace.settings.allow_content_export_setting_updated",
+ "workspace.settings.allow_public_page_sharing_setting_updated",
+ "workspace.settings.allow_guests_setting_updated",
+ "workspace.settings.allow_content_export_setting_updated",
+)
+
+
+def rule(event):
+ return all(
+ [
+ event.deep_get("event", "type", default="") in EVENTS,
+ event.deep_get("event", "details", "state", default="") == "enabled",
+ ]
+ )
+
+
+def title(event):
+ actor = event.deep_get("event", "actor", "person", "email", default="NO_ACTOR_FOUND")
+ action = event.deep_get("event", "type", default="NO.EVENT.FOUND").split(".")[2]
+ teamspace = event.deep_get("event", "details", "target", "name", default=None)
+ if teamspace:
+ return f"[{actor}] enabled [{action}] for [{teamspace}] Teamspace"
+ return f"[{actor}] enabled [{action}] for Workspace"
+
+
+def alert_context(event):
+ return notion_alert_context(event)
@@ -0,0 +1,69 @@
+AnalysisType: rule
+Filename: notion_sharing_settings_updated.py
+RuleID: "Notion.SharingSettingsUpdated"
+DisplayName: "Notion Sharing Settings Updated"
+Enabled: true
+LogTypes:
+ - Notion.AuditLogs
+Tags:
+ - Notion
+ - Data Exfiltration
+Description: A Notion User enabled sharing for a Workspace or Teamspace.
+Severity: Medium
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
+Tests:
+ - ExpectedResult: true
+ Log:
+ {
+ "event": {
+ "actor": {
+ "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+ "object": "user",
+ "person": {
+ "email": "[email protected]"
+ },
+ "type": "person"
+ },
+ "details": {
+ "state": "enabled",
+ },
+ "id": "91b29a4b-4978-40e1-ab56-40221f801ce5",
+ "ip_address": "11.22.33.44",
+ "platform": "web",
+ "timestamp": "2023-12-13 16:39:06.860000000",
+ "type": "workspace.settings.allow_guests_setting_updated",
+ "workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1"
+ },
+ }
+ Name: Sharing Enabled
+ - ExpectedResult: false
+ Log:
+ {
+ "event": {
+ "actor": {
+ "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+ "object": "user",
+ "person": {
+ "email": "[email protected]"
+ },
+ "type": "person"
+ },
+ "details": {
+ "state": "disabled",
+ "target": {
+ "id": "a70a4074-5cac-4fc5-8e59-109df81e5a93",
+ "name": "R&D",
+ "object": "teamspace"
+ }
+ },
+ "id": "91b29a4b-4978-40e1-ab56-40221f801ce5",
+ "ip_address": "11.22.33.44",
+ "platform": "web",
+ "timestamp": "2023-12-13 16:39:06.860000000",
+ "type": "teamspace.settings.allow_guests_setting_updated",
+ "workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1"
+ },
+ }
+ Name: Sharing Disabled
@@ -0,0 +1,26 @@
+from panther_notion_helpers import notion_alert_context
+
+
+def rule(event):
+ added = (
+ event.deep_get("event", "type", default="") == "teamspace.permissions.member_added"
+ and event.deep_get("event", "details", "role", default="") == "owner"
+ )
+ updated = (
+ event.deep_get("event", "type", default="") == "teamspace.permissions.member_role_updated"
+ and event.deep_get("event", "details", "new_role", default="") == "owner"
+ )
+ return added or updated
+
+
+def title(event):
+ actor = event.deep_get("event", "actor", "person", "email", default="NO_ACTOR_FOUND")
+ member = event.deep_get(
+ "event", "details", "member", "person", "email", default="NO_MEMBER_FOUND"
+ )
+ teamspace = event.deep_get("event", "details", "target", "name", default="NO_TEAMSPACE_FOUND")
+ return f"[{actor}] added [{member}] as owner of [{teamspace}] Teamspace"
+
+
+def alert_context(event):
+ return notion_alert_context(event)
@@ -0,0 +1,90 @@
+AnalysisType: rule
+Filename: notion_teamspace_owner_added.py
+RuleID: "Notion.TeamspaceOwnerAdded"
+DisplayName: "Notion Teamspace Owner Added"
+Enabled: true
+LogTypes:
+ - Notion.AuditLogs
+Tags:
+ - Notion
+ - Privilege Escalation
+Description: A Notion User was added as a Teamspace owner.
+Severity: Medium
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: Possible Privilege Escalation. Follow up with the Notion User to determine if this was done for a valid business reason.
+Tests:
+ - ExpectedResult: false
+ Log:
+ {
+ "event": {
+ "actor": {
+ "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+ "object": "user",
+ "person": {
+ "email": "[email protected]"
+ },
+ "type": "person"
+ },
+ "details": {
+ "member": {
+ "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+ "object": "user",
+ "person": {
+ "email": "[email protected]"
+ },
+ "type": "person"
+ },
+ "role": "member",
+ "target": {
+ "id": "b8db234d-71eb-49e2-a5ed-7935ca764920",
+ "name": "General",
+ "object": "teamspace"
+ }
+ },
+ "id": "eed75a56-ca1b-453b-afd8-73789bc19398",
+ "ip_address": "11.22.33.44",
+ "platform": "web",
+ "timestamp": "2023-12-13 16:20:14.966000000",
+ "type": "teamspace.permissions.member_added",
+ "workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1"
+ }
+ }
+ Name: Member Added
+ - ExpectedResult: true
+ Log:
+ {
+ "event": {
+ "actor": {
+ "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+ "object": "user",
+ "person": {
+ "email": "[email protected]"
+ },
+ "type": "person"
+ },
+ "details": {
+ "member": {
+ "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+ "object": "user",
+ "person": {
+ "email": "[email protected]"
+ },
+ "type": "person"
+ },
+ "new_role": "owner",
+ "target": {
+ "id": "b8db234d-71eb-49e2-a5ed-7935ca764920",
+ "name": "General",
+ "object": "teamspace"
+ }
+ },
+ "id": "6019b995-0158-4430-8263-89ad7905bd1d",
+ "ip_address": "11.22.33.44",
+ "platform": "web",
+ "timestamp": "2023-12-13 16:38:04.264000000",
+ "type": "teamspace.permissions.member_role_updated",
+ "workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1"
+ }
+ }
+ Name: Owner Added
@@ -1,5 +1,4 @@
 from global_filter_notion import filter_include_event
-from panther_base_helpers import deep_get
 from panther_notion_helpers import notion_alert_context
 
 
@@ -13,10 +12,9 @@ def rule(event):
 def title(event):
  user = event.deep_get("event", "actor", "person", "email", default="<NO_USER_FOUND>")
  workspace_id = event.deep_get("event", "workspace_id", default="<NO_WORKSPACE_ID_FOUND>")
- duration_in_days = deep_get(
- event,
+ duration_in_days = event.deep_get(
  "event",
- "workspace.audit_log_exported",
+ "details",
  "duration_in_days",
  default="<NO_DURATION_IN_DAYS_FOUND>",
  )

@@ -57,7 +57,7 @@ Tests:
  "ip_address": "...",
  "platform": "web",
  "type": "workspace.audit_log_exported",
- "workspace.audit_log_exported": {
+ "details": {
  "duration_in_days": 30
  }
  }