
THREAT-408 Notion.Many.Pages.Deleted -> Scheduled Rule #1423

Merged
merged 4 commits into from
Nov 14, 2024

Conversation

ben-githubs
Copy link
Contributor

@ben-githubs ben-githubs commented Nov 7, 2024

Background

The current version of the rule is very noisy and doesn't provide useful or actionable alerts. We've discussed how to improve the rule, and it likely requires a different approach than just grouping page deletion events over time. Deprecating this streaming rule to cut down on noise, releasing a new scheduled rule that detects this more intelligently.

Changes

  • Deprecate Notion.Many.Pages.Deleted
  • Adds Notion.Many.Pages.Deleted.Sched to detect deleted pages that are not created or restored within the same hour

Testing

  • Searched against production Notion logs to observe false positive reduction
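The logic described in the PR (count page deletions per actor, but discount any page that was created or restored within the same hour) can be illustrated with a small stand-alone Python function. This is an added example written for this page, not the Panther scheduled query or the rule shipped in the PR; the event field names (`type`, `actor`, `page_id`, `timestamp`) and the event type strings are assumptions, and the sample events are constructed. "Same hour" is interpreted here as the same calendar-hour bucket, which is one plausible reading of the description rather than the rule's actual query.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample Notion-style audit events. Field names and event
# type strings are assumptions for this example, not the real schema.
SAMPLE_EVENTS = [
    # alice deletes four pages in the 10:00 hour, then restores two of them
    {"type": "page.deleted",  "actor": "alice", "page_id": "p1", "timestamp": "2024-11-07T10:05:00Z"},
    {"type": "page.deleted",  "actor": "alice", "page_id": "p2", "timestamp": "2024-11-07T10:08:00Z"},
    {"type": "page.deleted",  "actor": "alice", "page_id": "p3", "timestamp": "2024-11-07T10:12:00Z"},
    {"type": "page.deleted",  "actor": "alice", "page_id": "p4", "timestamp": "2024-11-07T10:20:00Z"},
    {"type": "page.restored", "actor": "alice", "page_id": "p2", "timestamp": "2024-11-07T10:30:00Z"},
    {"type": "page.restored", "actor": "alice", "page_id": "p3", "timestamp": "2024-11-07T10:31:00Z"},
    # p1 is re-created, but in the next hour bucket, so it still counts as deleted
    {"type": "page.created",  "actor": "alice", "page_id": "p1", "timestamp": "2024-11-07T11:02:00Z"},
    # bob deletes four pages in the 11:00 hour and nothing comes back
    {"type": "page.deleted",  "actor": "bob",   "page_id": "p10", "timestamp": "2024-11-07T11:00:00Z"},
    {"type": "page.deleted",  "actor": "bob",   "page_id": "p11", "timestamp": "2024-11-07T11:10:00Z"},
    {"type": "page.deleted",  "actor": "bob",   "page_id": "p12", "timestamp": "2024-11-07T11:25:00Z"},
    {"type": "page.deleted",  "actor": "bob",   "page_id": "p13", "timestamp": "2024-11-07T11:40:00Z"},
    # carol deletes a single page: well under any reasonable threshold
    {"type": "page.deleted",  "actor": "carol", "page_id": "p20", "timestamp": "2024-11-07T12:00:00Z"},
]


def hour_bucket(timestamp: str) -> datetime:
    """Truncate an ISO-8601 UTC timestamp to the start of its calendar hour."""
    ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return ts.replace(minute=0, second=0, microsecond=0)


def find_bulk_deletions(events, threshold: int = 3):
    """Return one alert per (actor, hour) whose net deletions reach `threshold`.

    A deletion is "net" when the same page_id was not created or restored
    in the same hour bucket, which is how this example models the PR's
    "not created or restored within the same hour" condition.
    """
    deleted = defaultdict(set)      # (actor, hour) -> page ids deleted
    recreated = defaultdict(set)    # hour -> page ids created or restored by anyone

    for event in events:
        bucket = hour_bucket(event["timestamp"])
        if event["type"] == "page.deleted":
            deleted[(event["actor"], bucket)].add(event["page_id"])
        elif event["type"] in ("page.created", "page.restored"):
            recreated[bucket].add(event["page_id"])

    alerts = []
    for (actor, bucket), pages in sorted(deleted.items()):
        net_deleted = pages - recreated[bucket]
        if len(net_deleted) >= threshold:
            alerts.append({
                "actor": actor,
                "hour": bucket.isoformat(),
                "deleted_pages": sorted(net_deleted),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_deletions(SAMPLE_EVENTS):
        print(alert)
```

With the constructed input, alice's four deletions shrink to two once the same-hour restores are subtracted, so only bob's hour trips the threshold. A production version of this idea would run as a scheduled query over the log table rather than in memory, and the threshold would be tuned against observed activity as the PR's testing note describes.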

@ben-githubs ben-githubs requested a review from a team as a code owner November 7, 2024 22:24
@arielkr256 arielkr256 added rules Real-time log data detections tuning detection tuning labels Nov 12, 2024
@arielkr256 arielkr256 added the scheduled_rules Scheduled rules pair Queries with Rules for query based detections label Nov 12, 2024
@arielkr256 arielkr256 changed the title Deprecate Notion.Many.Pages.Deleted THREAT-408 Deprecate Notion.Many.Pages.Deleted Nov 13, 2024
@arielkr256 arielkr256 changed the title THREAT-408 Deprecate Notion.Many.Pages.Deleted THREAT-408 Notion.Many.Pages.Deleted -> Scheduled Rule Nov 13, 2024
@arielkr256 arielkr256 enabled auto-merge (squash) November 14, 2024 15:20
@arielkr256 arielkr256 merged commit c9724bf into develop Nov 14, 2024
8 checks passed
@arielkr256 arielkr256 deleted the ben/deprecate-notion-many-pages-deleted branch November 14, 2024 15:24