Add security and compliance integrations

Only Enterprise workspace owners can install workspace-wide security and compliance integrations. To add a security and compliance integration:

• Go to Settings & members → Connections.

• Open the Workspace tab.

• Your workspace must be on an Enterprise plan.

• Only a Workspace Owner can configure security and compliance integrations for a Notion workspace.

• You must have admin privileges in the partner tool.

Integrating with a DLP solution will help detect the use of sensitive data in your workspace and take automated action to remediate data breaches quickly by alerting workspace owners, redacting content, or restricting page access.

Nightfall AI

• In Notion, go to Settings & members → Connections → open the Workspace tab.

• Select Connect on the Nightfall tile → Connect to Nightfall.

• Authenticate with your Nightfall credentials.

• You can find additional instructions here, and learn more about the integration here.

Nightfall AI

• In Notion, go to Settings & members → Connections → open the Workspace tab.

• Select ••• beside the Nightfall integration → Disconnect.

• In the Nightfall application, select Notion in My Integrations, and remove the relevant Notion workspace from the Workspaces list.

Integrating with a SIEM solution will bring your Notion audit log information into a shared platform with the rest of your SaaS app logs in order to:

• Provide visibility into Notion user and workspace activity in a third-party audit log for better analysis, searches, and correlations.

• Configure off-the-shelf alerts on unusual user activity in real-time.

• Provide reports and dashboards to support incident investigation.

Datadog

• In Notion, go to Settings & members → Connections → open the Workspace tab.

• Select Connect on the Datadog tile → Connect to Datadog.

  • Note: At this time, one Datadog instance can only be connected to one workspace at most.

• Authenticate with your Datadog credentials by selecting your organization.

• You can find additional instructions here.

Panther

• Log into your Panther console.

• In the left side navigation of your Panther Console, select Configure → Log Sources → Create New.

• Search for Notion, then select the Notion tile.

• In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the HTTP option. Select Setup.

• Follow Panther's instructions for configuring an HTTP Source.

  • Note: You will be required to use HMAC authentication.

• The Header Name associated with your Secret Key Value will be locked with a value of x-notion-signature.

• Be sure to securely copy your Secret Key Value and store it in a safe location. You'll need this to configure the connection in Notion.

• You can find additional instructions here.

Splunk

• Note: Depending on your Splunk instance type, the Webhook URL and Secret code may vary. Currently, we support Splunk Cloud or Enterprise licenses (not On-Prem).

• Retrieve Webhook URL (HEC URL).

• Log into your Splunk instance.

• Navigate to the Search & Reporting app and select Settings.

• Under the Data section, click on HTTP Event Collector.

• Locate the desired HEC configuration and select its name, or create a new one.

• On the configuration page, you'll find the HEC URL. Typically, it begins with https:// followed by the hostname or endpoint provided by Splunk, and ends with the HEC token. For example: https://<your-splunk-instance>.splunkcloud.com:8088/services/collector/event

• Retrieve the Secret code (HEC token) and repeat the steps above.

• On the configuration page, you'll find the HEC token, a long alphanumeric string under the Token field.

• You can find additional instructions here.

Sumo Logic

• Log into your Sumo Logic instance.

• Select Manage Data → Collection.

• Navigate to Setup Wizard and select Get started.

• When presented with Data Type, select Your Custom App → HTTPS Source.

• Copy the HTTP Source URL into Notion settings.

• You can find additional instructions here.

To set up most of this integration, you will need to manually provide a webhook URL or token.

• Datadog: The Webhook URL and Token are not required.

• Panther: Enter the HTTP Source URL in the Webhook URL field and the HMAC Authentication Secret Key Value in the Token field.

• Splunk: Enter the HTTP Event Collector (HEC) URL in the Webhook URL field and the HTTP Event Collector (HEC) token in the Token field.

• Sumo Logic: Enter the HTTP Event Collector (HEC) URL in the Webhook URL field. A token is required.

Below is a comprehensive list of webhook events that will be available in your SIEM platform once you set up the Notion SIEM connection. All events available in your SIEM platform will correspond to an audit log event. The glossary will help you understand the specific events that are being tracked and how they relate to your organization's security posture. Use this information to fine-tune your dashboards, alerts, and incident management processes.

Events are split into five main categories:

• Page events: This includes events users take on a single Notion page.

• Teamspace events: This includes events users take on one or more teamspaces.

• Workspace events: This includes events users take on an entire Notion workspace.

• User events: This includes events about accounts of users in the workspace.

• Integration events: This includes events about internal integrations associated with the workspace.

For page events, the page audience describes the visibility level of the target page. The audience captured will be one of the following:

• Private: The page is not shared with other users.

• Internal: The page is shared with other members of the workspace only.

• External: The page is shared with one or more guests outside of the workspace and/or with an integration bot.

• Public: The page is shared to the web.

Workspace

• workspace.audit_log_exported: A workspace owner exported the workspace’s audit log.

• workspace.content_analytics_exported: A workspace owner exported workspace content analytics.

• workspace.content_exported: Workspace content for a page or for the entire workspace was exported by a workspace user.

• workspace.content_search_exported: The results of a content search for a workspace was exported by a workspace owner.

• workspace.content_search_queried: A workspace owner used the admin content search functionality to find workspace content. Content searches can retrieve content from public and private pages.

• workspace.domain_management.transfer_request_status_updated: A transfer request for a workspace created by a user with a verified domain was updated. (See this article for more information.)

• workspace.external_account_connected: A public/external integration was connected to the workspace.

• workspace.external_account_disconnected: A public/external integration was disconnected from the workspace, or a workspace owner removed access to a public integration for all users in the workspace.

• workspace.group.permissions.member_added: A workspace owner or membership admin added a new member to a group. A group is a defined collection of workspace members.

• workspace.group.permissions.member_removed: A workspace owner or membership admin removed a member from a group.

• workspace.integration_added: An integration was added to the workspace for the first time. (This event will only be emitted the first time an integration is added to a workspace.)

• workspace.integration_removed: All bots for a specific public integration are removed.

• workspace.members_exported: A list of workspace members was exported.

• workspace.membership_request_resolved: A membership request from a member to add a new person to the workspace was resolved, i.e. the workspace owner either approved or denied the request.

• workspace.permissions.guest_removed: A guest was removed from the workspace by a workspace owner or membership admin.

• workspace.permissions.member_added: A user accepted an invite to join a new workspace and have been added to the member list.

• workspace.permissions.member_invited: A user was invited to a workspace by a workspace owner or membership admin.

• workspace.permissions.member_removed: A member was removed from the workspace by a workspace owner or membership admin.

• workspace.permissions.member_role_updated: A member’s role in a workspace was updated. Roles include Member, Membership Admin, Workspace Owner.

• workspace.private_content_transferred: The private content of a deprovisioned workspace member was transferred to a new location. Enterprise workspace owners can transfer content from deprovisioned users.

• workspace.saml_sso_idp_metadata_url_added: The IdP (Identity Provider) metadata URL was added by a workspace owner.

• workspace.saml_sso_idp_metadata_url_updated: The IdP (Identity Provider) metadata URL was updated by a workspace owner.

• workspace.saml_sso_idp_metadata_xml_added: The IdP (Identity Provider) metadata XML (Extensible Markup Language) was added by a workspace owner.

• workspace.saml_sso_idp_metadata_xml_removed: The IdP (Identity Provider) metadata XML (Extensible Markup Language) was removed by a workspace owner.

• workspace.saml_sso_idp_metadata_xml_updated: The IdP (Identity Provider) metadata XML (Extensible Markup Language) was updated by a workspace owner.

Teamspace

• teamspace.archived: A teamspace was archived.

• teamspace.created: A teamspace was created.

• teamspace.permissions.custom_group_role_added: A teamspace owner added custom permissions for a group that is added to the teamspace.

• teamspace.permissions.custom_group_role_removed: A teamspace owner removed custom permissions for a group that is added to the teamspace.

• teamspace.permissions.custom_group_role_updated: A teamspace owner updated custom permissions for a group that is added to the teamspace.

• teamspace.permissions.custom_member_role_added: A teamspace owner added custom page permissions for a specific teamspace member.

• teamspace.permissions.custom_member_role_removed: A teamspace owner removed custom page permissions for a specific teamspace member.

• teamspace.permissions.custom_member_role_updated: A teamspace owner updated custom page permissions for a specific teamspace member.

• teamspace.permissions.default_member_role_updated: The default teamspace page permissions applied to teamspace members was updated.

• teamspace.permissions.default_workspace_role_added: A teamspace owner gave page permissions to workspace users in a closed teamspace.

• teamspace.permissions.default_workspace_role_removed: A teamspace owner removed page permissions from workspace users in a closed teamspace.

• teamspace.permissions.default_workspace_role_updated: A teamspace owner updated the default page permissions for all workspace users in a teamspace.

• teamspace.permissions.group_added: A group was added to a teamspace. A group is a defined collection of users.

• teamspace.permissions.group_removed: A group was removed from the teamspace by a teamspace owner.

• teamspace.permissions.member_added: A user was added to the teamspace. The user either joined an open teamspace or was added by another member. The event payload will specify “as Teamspace owner” if the user was added with teamspace owner privileges.

• teamspace.permissions.member_removed: A teamspace member was removed from the teamspace. Removal can be triggered by a member leaving or being removed by a teamspace owner.

• teamspace.permissions.member_role_updated: A teamspace member’s role was updated. Roles include Teamspace Member and Teamspace Owner.

• teamspace.restored: A previously archived teamspace was restored.

• teamspace.settings.allow_content_export_setting_updated: The setting to allow exporting teamspace content was enabled or disabled.

• teamspace.settings.allow_guests_setting_updated: A teamspace owner enabled or disabled the ability to add guests (non-members) to a specific teamspace.

• teamspace.settings.allow_public_page_sharing_setting_updated: The setting to allow publicly sharing a teamspace page was enabled or disabled by a workspace owner.

• teamspace.settings.allow_sidebar_editing_setting_updated: The setting that determines who can edit the sidebar was updated. The setting will indicate if any teamspace member can edit the sidebar or if editing is only available for teamspace owners.

• teamspace.settings.default_setting_updated: The teamspace’s default permissions settings were updated.

• teamspace.settings.description_updated: The teamspace description was updated.

• teamspace.settings.icon_updated: The teamspace icon was updated.

Page

• page.button_automation_created: A repeating button automation was created on a page.

• page.button_automation_updated: A repeating button automation was updated on a page.

• page.content_edited: The content of an existing page was edited by a user. Page content is also known as a block. Content edit events are consolidated into one event every minute while edits are occurring.

• page.created: A new page nested under a parent page was created by a user.

• page.deleted: A page was deleted by a user. Deleted pages may be restored in the future.

• page.discussion.comment.created: A comment on a page was created by a user.

• page.discussion.comment.deleted: A comment on a page was deleted by a user.

• page.discussion.comment.updated: A comment on a page was edited by a user. Comment edit events are consolidated into one event every minute while edits are occurring.

• page.exported: A page was exported to a PDF, HTML, or Markdown file by a user.

• page.file_deleted: A file was deleted from the page by a user.

• page.file_downloaded: A file in a page was downloaded or opened by a user.

• page.file_uploaded: A file was uploaded to a page by a user.

• page.moved: A page was relocated by a user, i.e. the page’s parent page updated.

• page.permissions.group_role_added: A workspace group’s page permissions were added, which will allow them to access the page.

• page.permissions.group_role_removed: A group’s page permissions were removed for a page, which will restrict them from having access to the page.

• page.permissions.group_role_updated: A workspace group’s page permissions were updated, changing their type of access.

• page.permissions.guest_role_added: A guest’s page permissions were added, which will allow them to access the page.

• page.permissions.guest_role_removed: A guest’s page permissions were removed, which will restrict them from having access to the page.

• page.permissions.guest_role_updated: A guest’s page permissions were updated, changing their type of access.

• page.permissions.integration_role_added: A user added an integration to a page. Integrations of any type — internal or public/external — will trigger this event.

• page.permissions.integration_role_removed: A user removed the page permissions for an integration (or “connection”), which will restrict the integration from having access to the page. Integrations of any type — internal or public/external — will trigger this event.

• page.permissions.integration_role_updated: A user updated the page permissions of an integration (or “connection”). Integrations of any type — internal or public/external — will trigger this event.

• page.permissions.member_role_added: A member’s page permissions were added, which will allow them to access the page.

• page.permissions.member_role_removed: A member’s page permissions were removed, which will restrict them from having access to the page.

• page.permissions.member_role_updated: A member’s page permissions were updated, changing their type of access.

User and account

• user.deleted: A user account was deleted. This event will be sent to any workspace with which the account is associated.

• user.login: A user logged into an account.

• user.logout: A user logged out of an account.

• user.settings.analytics_tracking_setting_updated: A user changed the setting to track whether their workspace or page activity is recorded in workspace analytics.

• user.settings.email_updated: A user updated their email in the account settings.

• user.settings.login_method.mfa_backup_code_updated: A user updated their MFA (Multi-Factor Authentication) back-up code settings.

• user.settings.login_method.mfa_sms_updated: A user updated their MFA (Multi-Factor Authentication) SMS (Short Message Service) settings.

• user.settings.login_method.mfa_totp_updated: A user updated their MFA (Multi-Factor Authentication) TOTP (Time-based One-Time Password) settings.

• user.settings.login_method.password_added: A user added a password to their account for login purposes.

• user.settings.login_method.password_removed: A user removed a password from their account.

• user.settings.login_method.password_updated: A user updated their password.

• user.settings.preferred_name_updated: A user updated their preferred name in the account settings.

• user.settings.profile_photo_updated: A user updated their profile photo in the account settings.

• user.settings.support_access_granted: Notion’s support team was granted temporary access to the user’s account.

• user.settings.support_access_revoked: Support access to the user’s account was revoked.

Integration

• integration.created: A developer created an internal integration and associated it with the workspace.

• integration.deleted: An internal integration associated with the workspace was deleted. Deletions can occur in the My Integrations dashboard, or an admin can remove access to an internal integration for all users.

• integration.secret_reset: The authentication secret for an internal integration was reset (or “refreshed”).