
Summary
The rule 'Notion Audit Log Exported' detects a Notion user exporting the audit log of an organization's workspace. An exported audit log is a consolidated record of workspace activity, so the rule treats the export as a possible data exfiltration step and surfaces it for prompt investigation. It consumes Notion audit log data and matches events of type 'workspace.audit_log_exported'. To reduce false positives from legitimate use, it alerts only when the export happens more than once within a 60-minute window; a single isolated export does not fire the rule. The data must be delivered through the Notion API or another integration that can read the workspace audit log. Severity is medium: the organization should confirm that the export had a business reason. On detection, the runbook is to follow up with the user who performed the export. Documentation for this feature is available at the rule's reference link.
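The detection logic described above, run over a handful of constructed Notion audit log events, as an added example that is not the rule's own source code. The per-event match keys on the event type 'workspace.audit_log_exported'; the threshold step groups matching events per actor and alerts when two or more fall inside a sliding 60-minute window. The field layout (`event.type`, `event.actor.id`, `event.timestamp`, `event.workspace_id`) and the helper names `rule`, `title` and `find_repeated_exports` are assumptions for illustration, not Notion's documented schema or the rule's identifiers.

```python
"""Added example: threshold detection for Notion 'workspace.audit_log_exported'.

Not the rule's own code. The field names under "event" (type, actor.id,
timestamp, workspace_id) are ASSUMED; check them against the schema your
Notion integration actually delivers before reusing this.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXPORT_EVENT = "workspace.audit_log_exported"
WINDOW = timedelta(minutes=60)
THRESHOLD = 2  # "more than once" within the window


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp, treating a trailing 'Z' as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def rule(event: dict) -> bool:
    """Per-event match: True only for an audit log export event."""
    return event.get("event", {}).get("type") == EXPORT_EVENT


def title(event: dict) -> str:
    """Alert title naming the actor, who the runbook says to follow up with."""
    actor = event["event"].get("actor", {}).get("id", "<unknown>")
    workspace = event["event"].get("workspace_id", "<unknown>")
    return f"Notion audit log exported by [{actor}] from workspace [{workspace}]"


def find_repeated_exports(events, window=WINDOW, threshold=THRESHOLD):
    """Flag actors with >= threshold export events inside a sliding window.

    Returns {actor_id: {"count": n, "first": datetime, "last": datetime}},
    reporting the densest qualifying window seen for each actor.
    """
    stamps_by_actor = defaultdict(list)
    for e in events:
        if rule(e):  # non-export events are dropped here
            stamps_by_actor[e["event"]["actor"]["id"]].append(parse_ts(e["event"]["timestamp"]))

    alerts = {}
    for actor, stamps in stamps_by_actor.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # advance the window start until every event in [start, end] fits in `window`
            while t - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(actor, {}).get("count", 0):
                alerts[actor] = {"count": count, "first": stamps[start], "last": t}
    return alerts


def mk(ts: str, actor: str, etype: str, workspace: str = "ws-1") -> dict:
    """Build a constructed event in the assumed layout (sample data, not real Notion output)."""
    return {"event": {"type": etype, "timestamp": ts, "actor": {"id": actor}, "workspace_id": workspace}}


# Constructed sample log: user-a exports three times in 50 minutes (alerts),
# user-b exports twice 150 minutes apart (no alert), user-c exports once (no alert).
SAMPLE_EVENTS = [
    mk("2023-06-13T09:00:00Z", "user-a", EXPORT_EVENT),
    mk("2023-06-13T09:10:00Z", "user-a", "page.viewed"),  # not an export: ignored
    mk("2023-06-13T09:40:00Z", "user-a", EXPORT_EVENT),
    mk("2023-06-13T09:50:00Z", "user-a", EXPORT_EVENT),
    mk("2023-06-13T10:00:00Z", "user-b", EXPORT_EVENT),
    mk("2023-06-13T12:30:00Z", "user-b", EXPORT_EVENT),
    mk("2023-06-13T11:00:00Z", "user-c", EXPORT_EVENT),
]

if __name__ == "__main__":
    for actor, info in find_repeated_exports(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {info['count']} exports between {info['first']} and {info['last']}")
```

Lowering `threshold` to 1 turns this into the noisier "alert on every export" variant; the 60-minute, more-than-once setting is what keeps a single routine export from paging anyone while still catching a user who pulls the log repeatedly.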
Categories
- Cloud
- Web
- Application
Data Sources
- User Account
- Application Log
- Cloud Service
Created: 2023-06-13