LoFP / legitimate applications communicating with the \"api.notion.com\" endpoint that are not already in the exclusion list. the desktop and browser applications do not appear to be using the api by default unless integrations are configured.

condition: selection and not 1 of filter_main_*
filter_main_brave:
  Image|endswith: \brave.exe
filter_main_chrome:
  Image:
  - C:\Program Files\Google\Chrome\Application\chrome.exe
  - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
filter_main_edge_1:
- Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
- Image|endswith: \WindowsApps\MicrosoftEdge.exe
- Image:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  - C:\Program Files\Microsoft\Edge\Application\msedge.exe
filter_main_edge_2:
  Image|endswith:
  - \msedge.exe
  - \msedgewebview2.exe
  Image|startswith:
  - C:\Program Files (x86)\Microsoft\EdgeCore\
  - C:\Program Files\Microsoft\EdgeCore\
filter_main_firefox:
  Image:
  - C:\Program Files\Mozilla Firefox\firefox.exe
  - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
filter_main_ie:
  Image:
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
  - C:\Program Files\Internet Explorer\iexplore.exe
filter_main_maxthon:
  Image|endswith: \maxthon.exe
filter_main_notion:
  Image|endswith: \AppData\Local\Programs\Notion\Notion.exe
filter_main_opera:
  Image|endswith: \opera.exe
filter_main_safari:
  Image|endswith: \safari.exe
filter_main_seamonkey:
  Image|endswith: \seamonkey.exe
filter_main_vivaldi:
  Image|endswith: \vivaldi.exe
filter_main_whale:
  Image|endswith: \whale.exe
selection:
  DestinationHostname|contains: api.notion.com