new and improved Notion rules for demo #1039

merged 2 commits into from
Jan 16, 2024
8 changes: 4 additions & 4 deletions rules/notion_rules/notion_page_shared_to_web.py
Expand Up @@ -16,12 +16,12 @@ def rule(event):

def title(event):
user = event.deep_get("event", "actor", "person", "email", default="<NO_USER_FOUND>")
page_id = event.deep_get("event", "details", "target", "page_id", default="<NO_PAGE_ID_FOUND>")
return f"Notion User [{user}] changed the status of page [{page_id}] to public."
page_name = event.deep_get("event", "details", "page_name", default="<NO_PAGE_NAME_FOUND>")
return f"Notion User [{user}] changed the status of page [{page_name}] to public."


def alert_context(event):
context = notion_alert_context(event)
page_id = event.deep_get("event", "details", "target", "page_id", default="<NO_PAGE_ID_FOUND>")
context["page_id"] = page_id
page_name = event.deep_get("event", "details", "page_name", default="<NO_PAGE_NAME_FOUND>")
context["page_name"] = page_name
return context
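Review bot: Replacing `page_id` with `page_name` in `alert_context` (the two lines just before the return) drops the only stable, unique identifier of the page from the alert: page names are free text, need not be unique, and can be renamed by the same actor right after the share, so a responder may be unable to locate the page that was made public. If `details.target.page_id` is in fact present in Notion's page-shared record (the removed `deep_get` path suggests it was at some point), keep it alongside the name: `context["page_id"] = event.deep_get("event", "details", "target", "page_id", default="<NO_PAGE_ID_FOUND>")`. Using the name in the title for readability is fine. The `rule()` function named in the hunk header starts outside the hunk.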
6 changes: 1 addition & 5 deletions rules/notion_rules/notion_scim_token_generated.py
Expand Up @@ -12,11 +12,7 @@ def rule(event):
def title(event):
user = event.deep_get("event", "actor", "person", "email", default="<NO_USER_FOUND>")
workspace_id = event.deep_get("event", "workspace_id", default="<NO_WORKSPACE_ID_FOUND>")
token_id = event.deep_get("event", "workspace", "scim_token_generated", default="{}")
return (
f"Notion User [{user}] generated a SCIM token "
f"[{token_id}] for workspace id [{workspace_id}]."
)
return f"Notion User [{user}] generated a SCIM token for workspace id [{workspace_id}]."


def alert_context(event):
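Review bot: Dropping the `scim_token_generated` object from the title is the right direction, since a SCIM token is a bearer credential and the title is what gets pushed to chat and mail destinations, but the hunk ends at the `def alert_context(event):` line and that function continues outside it, so confirm it does not copy the raw `details` or token object into the alert verbatim. If the log carries only a token identifier rather than the token value, that identifier belongs in the context (not the title) so responders can match it against the workspace's SCIM token list for revocation. A one-line comment above the return would make the intent survive future edits: `# never render the SCIM token itself; it is a bearer credential`.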
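--- a/rules/notion_rules/notion_sharing_settings_updated.py
+++ b/rules/notion_rules/notion_sharing_settings_updated.py
@@ -0,0 +1,32 @@
+from panther_notion_helpers import notion_alert_context
+
+EVENTS = (
+"teamspace.settings.allow_public_page_sharing_setting_updated",
+"teamspace.settings.allow_guests_setting_updated",
+"teamspace.settings.allow_content_export_setting_updated",
+"workspace.settings.allow_public_page_sharing_setting_updated",
+"workspace.settings.allow_guests_setting_updated",
+"workspace.settings.allow_content_export_setting_updated",
+)
+
+
+def rule(event):
+return all(
+[
+event.deep_get("event", "type", default="") in EVENTS,
+event.deep_get("event", "details", "state", default="") == "enabled",
+]
+)
+
+
+def title(event):
+actor = event.deep_get("event", "actor", "person", "email", default="NO_ACTOR_FOUND")
+action = event.deep_get("event", "type", default="NO.EVENT.FOUND").split(".")[2]
+teamspace = event.deep_get("event", "details", "target", "name", default=None)
+if teamspace:
+return f"[{actor}] enabled [{action}] for [{teamspace}] Teamspace"
+return f"[{actor}] enabled [{action}] for Workspace"
+
+
+def alert_context(event):
+return notion_alert_context(event)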
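Review bot: `rule()` does not apply `filter_include_event` from `global_filter_notion`, which the existing rule touched in this PR (`notion_workspace_audit_log_exported.py`) imports; if the established Notion rules gate on that global filter, this new rule will fire on events the filter is meant to exclude, so add `filter_include_event(event)` as the first element of the `all([...])` list and import it (the body of the existing rule is outside this diff, so I can't confirm how it is applied there). Separately, `title()` renders `action` as the raw middle token of the event type (e.g. `allow_guests_setting_updated`), which is what a responder sees in the notification; a small mapping such as `ACTIONS = {"allow_public_page_sharing_setting_updated": "public page sharing", ...}` would make the title readable. The `all([...])` wrapper builds a list just to evaluate it; a plain `and` between the two conditions reads better and short-circuits.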
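--- a/rules/notion_rules/notion_sharing_settings_updated.yml
+++ b/rules/notion_rules/notion_sharing_settings_updated.yml
@@ -0,0 +1,69 @@
+AnalysisType: rule
+Filename: notion_sharing_settings_updated.py
+RuleID: "Notion.SharingSettingsUpdated"
+DisplayName: "Notion Sharing Settings Updated"
+Enabled: true
+LogTypes:
+- Notion.AuditLogs
+Tags:
+- Notion
+- Data Exfiltration
+Description: A Notion User enabled sharing for a Workspace or Teamspace.
+Severity: Medium
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
+Tests:
+- ExpectedResult: true
+Log:
+{
+"event": {
+"actor": {
+"id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+"object": "user",
+"person": {
+"email": "[email protected]"
+},
+"type": "person"
+},
+"details": {
+"state": "enabled",
+},
+"id": "91b29a4b-4978-40e1-ab56-40221f801ce5",
+"ip_address": "11.22.33.44",
+"platform": "web",
+"timestamp": "2023-12-13 16:39:06.860000000",
+"type": "workspace.settings.allow_guests_setting_updated",
+"workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1"
+},
+}
+Name: Sharing Enabled
+- ExpectedResult: false
+Log:
+{
+"event": {
+"actor": {
+"id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+"object": "user",
+"person": {
+"email": "[email protected]"
+},
+"type": "person"
+},
+"details": {
+"state": "disabled",
+"target": {
+"id": "a70a4074-5cac-4fc5-8e59-109df81e5a93",
+"name": "R&D",
+"object": "teamspace"
+}
+},
+"id": "91b29a4b-4978-40e1-ab56-40221f801ce5",
+"ip_address": "11.22.33.44",
+"platform": "web",
+"timestamp": "2023-12-13 16:39:06.860000000",
+"type": "teamspace.settings.allow_guests_setting_updated",
+"workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1"
+},
+}
+Name: Sharing Disabled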
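Review bot: The only `ExpectedResult: true` test is a workspace-level event with no `details.target`, so the teamspace branch of `title()` (`if teamspace:`) and the three `teamspace.settings.*` event types are never exercised by a positive case; add a second positive test that mirrors the "Sharing Disabled" record with `"state": "enabled"` and the `R&D` teamspace target. The `Runbook` could also name the three controls this rule watches (public page sharing, guest access, content export) so the responder knows which one was loosened without decoding the event type.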
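--- a/rules/notion_rules/notion_teamspace_owner_added.py
+++ b/rules/notion_rules/notion_teamspace_owner_added.py
@@ -0,0 +1,26 @@
+from panther_notion_helpers import notion_alert_context
+
+
+def rule(event):
+added = (
+event.deep_get("event", "type", default="") == "teamspace.permissions.member_added"
+and event.deep_get("event", "details", "role", default="") == "owner"
+)
+updated = (
+event.deep_get("event", "type", default="") == "teamspace.permissions.member_role_updated"
+and event.deep_get("event", "details", "new_role", default="") == "owner"
+)
+return added or updated
+
+
+def title(event):
+actor = event.deep_get("event", "actor", "person", "email", default="NO_ACTOR_FOUND")
+member = event.deep_get(
+"event", "details", "member", "person", "email", default="NO_MEMBER_FOUND"
+)
+teamspace = event.deep_get("event", "details", "target", "name", default="NO_TEAMSPACE_FOUND")
+return f"[{actor}] added [{member}] as owner of [{teamspace}] Teamspace"
+
+
+def alert_context(event):
+return notion_alert_context(event)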
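Review bot: `title()` always reads `added [member] as owner`, but `rule()` also fires on `teamspace.permissions.member_role_updated`, where an existing member was promoted; for a privilege-escalation alert that distinction matters, since promotion of a long-standing member and a fresh owner grant are triaged differently. Derive the verb from the event type, e.g. `is_update = event.deep_get("event", "type", default="") == "teamspace.permissions.member_role_updated"` and `verb = "promoted" if is_update else "added"`, then use `{verb}` in the f-string. `rule()` also looks up `event.type` twice; binding it once to a local keeps the two branches in step if the event names change.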
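--- a/rules/notion_rules/notion_teamspace_owner_added.yml
+++ b/rules/notion_rules/notion_teamspace_owner_added.yml
@@ -0,0 +1,90 @@
+AnalysisType: rule
+Filename: notion_teamspace_owner_added.py
+RuleID: "Notion.TeamspaceOwnerAdded"
+DisplayName: "Notion Teamspace Owner Added"
+Enabled: true
+LogTypes:
+- Notion.AuditLogs
+Tags:
+- Notion
+- Privilege Escalation
+Description: A Notion User was added as a Teamspace owner.
+Severity: Medium
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: Possible Privilege Escalation. Follow up with the Notion User to determine if this was done for a valid business reason.
+Tests:
+- ExpectedResult: false
+Log:
+{
+"event": {
+"actor": {
+"id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+"object": "user",
+"person": {
+"email": "[email protected]"
+},
+"type": "person"
+},
+"details": {
+"member": {
+"id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+"object": "user",
+"person": {
+"email": "[email protected]"
+},
+"type": "person"
+},
+"role": "member",
+"target": {
+"id": "b8db234d-71eb-49e2-a5ed-7935ca764920",
+"name": "General",
+"object": "teamspace"
+}
+},
+"id": "eed75a56-ca1b-453b-afd8-73789bc19398",
+"ip_address": "11.22.33.44",
+"platform": "web",
+"timestamp": "2023-12-13 16:20:14.966000000",
+"type": "teamspace.permissions.member_added",
+"workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1"
+}
+}
+Name: Member Added
+- ExpectedResult: true
+Log:
+{
+"event": {
+"actor": {
+"id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+"object": "user",
+"person": {
+"email": "[email protected]"
+},
+"type": "person"
+},
+"details": {
+"member": {
+"id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
+"object": "user",
+"person": {
+"email": "[email protected]"
+},
+"type": "person"
+},
+"new_role": "owner",
+"target": {
+"id": "b8db234d-71eb-49e2-a5ed-7935ca764920",
+"name": "General",
+"object": "teamspace"
+}
+},
+"id": "6019b995-0158-4430-8263-89ad7905bd1d",
+"ip_address": "11.22.33.44",
+"platform": "web",
+"timestamp": "2023-12-13 16:38:04.264000000",
+"type": "teamspace.permissions.member_role_updated",
+"workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1"
+}
+}
+Name: Owner Added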
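Review bot: Neither test covers the `member_added` path with `role: owner`, so the first branch of `rule()` has no positive case and a regression there (a typo in the `"role"` key, say) would still pass CI; add a third test copying the "Member Added" record with `"role": "owner"` and `ExpectedResult: true`. A negative `member_role_updated` case with a `new_role` other than `owner` would pin the second branch the same way.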
6 changes: 2 additions & 4 deletions rules/notion_rules/notion_workspace_audit_log_exported.py
@@ -1,5 +1,4 @@
from global_filter_notion import filter_include_event
from panther_base_helpers import deep_get
from panther_notion_helpers import notion_alert_context


Expand All @@ -13,10 +12,9 @@ def rule(event):
def title(event):
user = event.deep_get("event", "actor", "person", "email", default="<NO_USER_FOUND>")
workspace_id = event.deep_get("event", "workspace_id", default="<NO_WORKSPACE_ID_FOUND>")
duration_in_days = deep_get(
event,
duration_in_days = event.deep_get(
"event",
"workspace.audit_log_exported",
"details",
"duration_in_days",
default="<NO_DURATION_IN_DAYS_FOUND>",
)
Expand Up @@ -57,7 +57,7 @@ Tests:
"ip_address": "...",
"platform": "web",
"type": "workspace.audit_log_exported",
"workspace.audit_log_exported": {
"details": {
"duration_in_days": 30
}
}