Add references to rules (notion_rules)
akozlovets098 committed Dec 12, 2023
1 parent 5c73412 commit 2455df7
Showing 14 changed files with 14 additions and 0 deletions.
1 change: 1 addition & 0 deletions rules/notion_rules/notion_account_changed_after_login.yml
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User logged in then changed their account details.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible account takeover. Follow up with the Notion User to determine if this email change is genuine.
Reference: https://www.notion.so/help/account-settings
Tests:
- # This unit test is to make sure the logic for handling login events successfully results in
# caching the login info. The outputted title/alert_context are not important.
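Review bot: the Runbook line just above the added Reference talks about "this email change" while the Description in the hunk header says the user "changed their account details"; either narrow the Description to email changes or broaden the Runbook, and consider pointing the reference at the part of the account-settings page that covers changing the login email rather than the generic landing page.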
1 change: 1 addition & 0 deletions rules/notion_rules/notion_login_from_blocked_ip.yml
Expand Up @@ -14,3 +14,4 @@ Description: "A user attempted to access Notion from a blocked IP address. Note:
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Confirm with user if the login was legitimate. If so, determine why the IP is blocked.
Reference: https://www.notion.so/help/allowlist-ip
1 change: 1 addition & 0 deletions rules/notion_rules/notion_login_from_new_location.yml
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User logged in from a new location.
DedupPeriodMinutes: 60
Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs.
Runbook: Possible account takeover. Follow up with the Notion User to determine if this login is genuine.
Reference: https://ipinfo.io/products/ip-geolocation-api
Tests:
- Name: Login from normal location
ExpectedResult: false
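Review bot: the inline comment on `Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs.` in this hunk's context does not belong to a login-from-new-location rule (it reads as copied from notion_many_pages_deleted.yml); drop or reword it while the file is being touched. Separately, the added Reference points at a third-party geolocation vendor rather than Notion documentation; if the rule depends on IP geolocation enrichment, say so in the Description or Runbook so the reader understands why that link is there.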
1 change: 1 addition & 0 deletions rules/notion_rules/notion_many_pages_deleted.yml
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User deleted multiple pages.
DedupPeriodMinutes: 60
Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs.
Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/duplicate-delete-and-restore-content
Tests:
- Name: Other Event
ExpectedResult: false
1 change: 1 addition & 0 deletions rules/notion_rules/notion_many_pages_exported.yml
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User exported multiple pages.
DedupPeriodMinutes: 60
Threshold: 10 # Number of pages exported; please change this value to suit your organization's needs.
Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/export-your-content
Tests:
- Name: Other Event
ExpectedResult: false
1 change: 1 addition & 0 deletions rules/notion_rules/notion_page_accessible_to_api.yml
Expand Up @@ -14,3 +14,4 @@ Description: "A new API integration was added to a Notion page, or it's permissi
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Potential information exposure - review the shared page and rectify if needed.
Reference: https://www.notion.so/help/sharing-and-permissions
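Review bot: the Description shown in this hunk's header context reads `or it's permissi...`; `it's` should be the possessive `its`. Fix it in the same commit since the file is already being edited.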
1 change: 1 addition & 0 deletions rules/notion_rules/notion_page_accessible_to_guests.yml
Expand Up @@ -14,6 +14,7 @@ Description: The external guest permissions for a Notion page have been altered.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Potential information exposure - review the shared page and rectify if needed.
Reference: https://www.notion.so/help/sharing-and-permissions
Tests:
- Name: Guest Role Added
ExpectedResult: true
1 change: 1 addition & 0 deletions rules/notion_rules/notion_page_shared_to_web.yml
Expand Up @@ -14,3 +14,4 @@ Description: A Notion User published a page to the web.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Potential information exposure - review the shared page and rectify if needed.
Reference: https://www.notion.so/help/public-pages-and-web-publishing
1 change: 1 addition & 0 deletions rules/notion_rules/notion_page_view_impossible_travel.yml
Expand Up @@ -15,6 +15,7 @@ Description: A Notion User viewed a page from 2 locations simultaneously
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible account compromise. Review activity of this user.
Reference: https://raxis.com/blog/simultaneous-sessions/
Tests:
- Name: Normal Page View
ExpectedResult: False
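Review bot: `ExpectedResult: False` in this hunk's trailing context uses a capitalised boolean while every other rule in this commit uses `false`; YAML accepts both, but normalise to `false` so the test blocks are consistent. The added Reference is also a vendor blog post rather than Notion documentation, unlike the rest of the commit; if no Notion page covers simultaneous sessions, a short note in the Description that the link explains the impossible-travel heuristic would make the choice clear.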
1 change: 1 addition & 0 deletions rules/notion_rules/notion_scim_token_generated.yml
Expand Up @@ -14,6 +14,7 @@ Severity: Medium
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/provision-users-and-groups-with-scim
Tests:
- ExpectedResult: false
Log:
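Review bot: the first test entry in this hunk (`- ExpectedResult: false` followed directly by `Log:`) has no `Name:` field, unlike the tests in the other rules touched here; give it a name so a failure is identifiable in test output. The hunk header context also shows `Severity: Medium` where the other files show `Description:` at the same offset, so this file orders its keys differently; harmless, but a consistent ordering makes diffs like this one easier to compare.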
1 change: 1 addition & 0 deletions rules/notion_rules/notion_workspace_audit_log_exported.yml
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User exported audit logs for your organization’s workspa
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/audit-log#export-your-audit-log
Tests:
- Name: Other Event
ExpectedResult: false
1 change: 1 addition & 0 deletions rules/notion_rules/notion_workspace_exported.yml
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User exported an existing workspace.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/workspace-settings#export-an-entire-workspace
Tests:
- Name: Workspace Exported
ExpectedResult: true
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User changed settings to enforce SAML SSO configurations f
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Follow up with the Notion User to determine if this was done for a valid business reason and to ensure these settings get re-enabled quickly for best security practices.
Reference: https://www.notion.so/help/saml-sso-configuration
Tests:
- Name: Other Event
ExpectedResult: false
Expand Up @@ -14,6 +14,7 @@ Description: A Notion page was set to public in your worksace.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: A Notion page was made public. Check with the author to determine why this page was made public.
Reference: https://www.notion.so/help/public-pages-and-web-publishing
Tests:
- Name: Public page added
ExpectedResult: true
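Review bot: the Description in this hunk's header context contains the typo `worksace` for `workspace`; fix it while the file is being touched. This rule also takes the same Reference as notion_page_shared_to_web.yml (`public-pages-and-web-publishing`) and its Runbook covers the same situation (a page made public), so it is worth confirming the two rules are not alerting on the same events.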
