diff --git a/packs/notion.yml b/packs/notion.yml
index bf4db23f8..8eeb378d5 100644
--- a/packs/notion.yml
+++ b/packs/notion.yml
@@ -7,7 +7,7 @@ PackDefinition:
 - Notion.PagePerms.GuestPermsChanged
 - Notion.LoginFromNewLocation
 - Notion.Many.Pages.Exported
- - Notion.Many.Pages.Deleted
+ - Notion.Many.Pages.Deleted.Sched
 - Notion.PagePerms.APIPermsChanged
 - Notion.PageSharedToWeb
 - Notion.SAML.SSO.Configuration.Changed
@@ -16,6 +16,8 @@ PackDefinition:
 - Notion.Workspace.Public.Page.Added
 - Notion.SharingSettingsUpdated
 - Notion.TeamspaceOwnerAdded
+ # Scheduled Queries
+ - Notion Many Pages Deleted Query
 # Correlation Rules
 - Notion.Login.FOLLOWED.BY.AccountChange
 # Signal Rules
diff --git a/queries/notion_queries/notion_many_pages_deleted_query.yml b/queries/notion_queries/notion_many_pages_deleted_query.yml
new file mode 100644
index 000000000..197b141c6
--- /dev/null
+++ b/queries/notion_queries/notion_many_pages_deleted_query.yml
@@ -0,0 +1,29 @@
+AnalysisType: scheduled_query
+QueryName: Notion Many Pages Deleted Query
+Enabled: false
+Tags:
+ - Notion
+ - Data Security
+ - Data Destruction
+Description: >
+ A Notion User deleted multiple pages, which were not created or restored from the trash within the same hour.
+Query: |
+ SELECT
+ event:actor.person.email AS user
+ ,ARRAY_AGG(event:type) AS actions
+ ,event:details.page_name AS page_name
+ ,event:details.target.page_id AS id
+ FROM
+ panther_logs.public.notion_auditlogs
+ WHERE
+ p_occurs_since(1 hour)
+ AND event:type IN ('page.deleted','page.created','page.restored_from_trash')
+ AND event:details.target.type = 'page_id'
+ AND page_name != ''
+ AND event:actor.type = 'person'
+ GROUP BY id, user, page_name
+ HAVING
+ actions = ARRAY_CONSTRUCT('page.deleted')
+Schedule:
+ RateMinutes: 60
+ TimeoutMinutes: 2
diff --git a/queries/notion_queries/notion_many_pages_deleted_sched.py b/queries/notion_queries/notion_many_pages_deleted_sched.py
new file mode 100644
index 000000000..121a55165
--- /dev/null
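Review bot: `Enabled: false` on the new scheduled query contradicts `Enabled: true` on the scheduled rule in notion_many_pages_deleted_sched.yml that lists it under `ScheduledQueries`; with the query disabled the rule receives no rows, and because this commit also swaps the pack's previously enabled rule for the scheduled one, the pack ships with no active coverage for mass page deletion until the query is switched on. Either enable the query or add a comment beside `Enabled: false`, e.g. `# Must be enabled for Notion.Many.Pages.Deleted.Sched to produce alerts`. Separately, the "not created or restored within the same hour" exclusion enforced by `HAVING actions = ARRAY_CONSTRUCT('page.deleted')` only sees events inside the single `p_occurs_since(1 hour)` window, so a page created just before the window opens and deleted just after still surfaces as a bare `page.deleted`; a comment on the `Query:` block describing this boundary effect would save the next reader from assuming a full create/delete correlation. Grouping by `user` also means a page created by one person and deleted by another counts as a deletion, which may well be intended but is worth stating in the `Description`.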
+++ b/queries/notion_queries/notion_many_pages_deleted_sched.py
@@ -0,0 +1,7 @@
+def rule(_):
+ return True
+
+
+def title(event):
+ user = event.get("user", "")
+ return f"Notion User [{user}] deleted multiple pages."
diff --git a/queries/notion_queries/notion_many_pages_deleted_sched.yml b/queries/notion_queries/notion_many_pages_deleted_sched.yml
new file mode 100644
index 000000000..e19aae1e9
--- /dev/null
+++ b/queries/notion_queries/notion_many_pages_deleted_sched.yml
@@ -0,0 +1,29 @@
+AnalysisType: scheduled_rule
+Filename: notion_many_pages_deleted_sched.py
+RuleID: "Notion.Many.Pages.Deleted.Sched"
+DisplayName: "Notion Many Pages Deleted"
+Enabled: true
+ScheduledQueries:
+ - Notion Many Pages Deleted Query
+Tags:
+ - Notion
+ - Data Security
+ - Data Destruction
+Severity: Medium
+Description: A Notion User deleted multiple pages, which were not created or restored from the trash within the same hour.
+DedupPeriodMinutes: 60
+Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs.
+Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/duplicate-delete-and-restore-content
+Tests:
+ - Name: query_result
+ ExpectedResult: true
+ Log:
+ {
+ "actions": [
+ "page.deleted"
+ ],
+ "id": "1360a5bb-da41-8177-bedb-d015d012392a",
+ "page_name": "Newslette",
+ "user": "bob.ross@happytrees.com"
+ }
\ No newline at end of file
diff --git a/rules/notion_rules/notion_many_pages_deleted.yml b/rules/notion_rules/notion_many_pages_deleted.yml
index 64fb3358e..9fa3ecb61 100644
--- a/rules/notion_rules/notion_many_pages_deleted.yml
+++ b/rules/notion_rules/notion_many_pages_deleted.yml
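Review bot: `rule` returning `True` unconditionally is the right shape for a scheduled rule whose filtering lives in the SQL, but nothing in the file says so; add a docstring such as `"""Every row returned by the scheduled query is a match; all filtering is done in the SQL."""`. `title` keys the alert on the user alone, which appears to be what lets the `Threshold: 10` in the companion YAML count deleted pages per user rather than per page — if that is the intent, a one-line comment on `title` would stop a later edit from adding `page_name` to the title and silently breaking the threshold. The query row also carries `page_name` and `id`, so an `alert_context` returning them would let a responder see which pages were deleted without re-running the query: `def alert_context(event):` / `    return {"page_name": event.get("page_name"), "page_id": event.get("id")}`.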
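Review bot: The single test `query_result` only exercises `rule`, which returns `True` for any input, so `ExpectedResult: true` can never fail and gives no regression coverage of the detection logic, which lives entirely in the SQL of `Notion Many Pages Deleted Query`. A comment on the test such as `# Only validates rule/title loading; the filtering logic is in the scheduled query` would set expectations for the next maintainer. The file is also missing its trailing newline (`\ No newline at end of file`).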
@@ -1,16 +1,17 @@
 AnalysisType: rule
 Filename: notion_many_pages_deleted.py
 RuleID: "Notion.Many.Pages.Deleted"
-DisplayName: "Notion Many Pages Deleted"
-Enabled: true
+DisplayName: "Notion Many Pages Deleted [Deprecated]"
+Enabled: false
 LogTypes:
 - Notion.AuditLogs
 Tags:
 - Notion
 - Data Security
 - Data Destruction
+ - Deprecated
 Severity: Medium
-Description: A Notion User deleted multiple pages.
+Description: (Deprecated due to false-positive rate) A Notion User deleted multiple pages.
 DedupPeriodMinutes: 60
 Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs.
 Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason.
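Review bot: The deprecation note in `Description` does not say what replaces this rule, so anyone who finds the disabled detection has to dig through the pack diff to learn that a scheduled version exists; suggest `Description: (Deprecated due to false-positive rate; replaced by Notion.Many.Pages.Deleted.Sched) A Notion User deleted multiple pages.`. With `Enabled: false` and the rule dropped from the pack, the remaining `Threshold`, `DedupPeriodMinutes` and `Runbook` lines are dead configuration, which is acceptable for a deprecation window but deserves a note on when the file can be removed.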