rules/notion_rules/notion_teamspace_owner_added.yml

AnalysisType: rule
Filename: notion_teamspace_owner_added.py
RuleID: "Notion.TeamspaceOwnerAdded"
DisplayName: "Notion Teamspace Owner Added"
Enabled: true
LogTypes:
  - Notion.AuditLogs
Tags:
  - Notion
  - Privilege Escalation
Description: A Notion User was added as a Teamspace owner.
Severity: Medium
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible Privilege Escalation. Follow up with the Notion User to determine if this was done for a valid business reason.
Tests:
  - ExpectedResult: false
    Log:
      {
        "event":
          {
            "actor":
              {
                "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
                "object": "user",
                "person": { "email": "bill@example.com" },
                "type": "person",
              },
            "details":
              {
                "member":
                  {
                    "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
                    "object": "user",
                    "person": { "email": "bob@example.com" },
                    "type": "person",
                  },
                "role": "member",
                "target":
                  {
                    "id": "b8db234d-71eb-49e2-a5ed-7935ca764920",
                    "name": "General",
                    "object": "teamspace",
                  },
              },
            "id": "eed75a56-ca1b-453b-afd8-73789bc19398",
            "ip_address": "11.22.33.44",
            "platform": "web",
            "timestamp": "2023-12-13 16:20:14.966000000",
            "type": "teamspace.permissions.member_added",
            "workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1",
          },
      }
    Name: Member Added
  - ExpectedResult: true
    Log:
      {
        "event":
          {
            "actor":
              {
                "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
                "object": "user",
                "person": { "email": "malicious.insider@example.com" },
                "type": "person",
              },
            "details":
              {
                "member":
                  {
                    "id": "c16137bb-5078-4eac-b026-5cbd2f9a027a",
                    "object": "user",
                    "person": { "email": "bad.dude@example.com" },
                    "type": "person",
                  },
                "new_role": "owner",
                "target":
                  {
                    "id": "b8db234d-71eb-49e2-a5ed-7935ca764920",
                    "name": "General",
                    "object": "teamspace",
                  },
              },
            "id": "6019b995-0158-4430-8263-89ad7905bd1d",
            "ip_address": "11.22.33.44",
            "platform": "web",
            "timestamp": "2023-12-13 16:38:04.264000000",
            "type": "teamspace.permissions.member_role_updated",
            "workspace_id": "ea65b016-6abc-4dcf-808b-e119617b55d1",
          },
      }
    Name: Owner Added