The Notion Workspace Exported rule is designed to detect instances where a user exports an entire workspace from Notion, a collaborative workspace and note-taking platform. The detection is triggered by an event logged in the Notion Audit Logs, specifically the event type 'workspace.content_exported'. This rule is crucial for data security as it can indicate potential data exfiltration attempts. When a workspace is exported, it typically contains sensitive information and sensitive user data, making the monitoring of such actions imperative for organizations focused on data protection. The rule is configured to trigger when a user exports a workspace and it records the user's identification details as well as the timestamp of the event. Organizations should follow up on triggered alerts to confirm the legitimacy of the export activity involved, to determine if it aligns with business needs. The severity of this rule is categorized as high due to the possible risks associated with unauthorized data export. The thresholds are set to detect at least one export event within a deduplication period of 60 minutes to avoid repeated notifications for the same event.