
Summary
This detection rule identifies instances where a Notion user exports multiple pages within a single 60-minute operational window, which may indicate data exfiltration. The threshold for triggering the alert is set to 10 pages exported, a volume of activity that merits investigation. Because export functionality is a primary way data leaves Notion, monitoring it is essential for safeguarding sensitive information. The rule is built on Notion's audit logs and specifically looks for events of type 'workspace.content_exported'. When the number of exported pages exceeds the established threshold, the alert triggers a response process that involves reaching out to the user to confirm whether the export was conducted for legitimate business purposes.
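The sliding-window logic the rule describes, as an added example that is not the rule's own implementation: it counts 'workspace.content_exported' events per actor within a rolling 60 minutes and alerts when the count reaches 10. The event field names ('actor', 'event', 'timestamp') and the sample events are constructed assumptions, not Notion's actual audit-log schema.

```python
"""Rolling-window detector for bulk Notion page exports (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXPORT_EVENT = "workspace.content_exported"
THRESHOLD = 10                  # pages exported, per the rule
WINDOW = timedelta(minutes=60)  # operational window, per the rule


def detect_bulk_exports(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per actor the first time their export count inside any
    rolling `window` reaches `threshold`. Other event types are ignored and
    events may arrive out of order (they are sorted by timestamp first)."""
    exports = sorted((e for e in events if e.get("event") == EXPORT_EVENT),
                     key=lambda e: e["timestamp"])
    recent = defaultdict(deque)  # actor -> export timestamps still in window
    alerts, alerted = [], set()
    for e in exports:
        ts = datetime.fromisoformat(e["timestamp"])
        q = recent[e["actor"]]
        q.append(ts)
        while ts - q[0] > window:  # evict exports older than the window
            q.popleft()
        if len(q) >= threshold and e["actor"] not in alerted:
            alerted.add(e["actor"])
            alerts.append({"actor": e["actor"], "count": len(q),
                           "window_start": q[0].isoformat(),
                           "window_end": ts.isoformat()})
    return alerts


def _ev(actor, event, hhmm):
    # Constructed audit-log record; field names are an assumption.
    return {"actor": actor, "event": event,
            "timestamp": f"2023-06-07T{hhmm}:00+00:00"}


# Constructed sample: alice exports 12 pages in 44 minutes (should alert);
# bob exports 9 pages spread over two hours (should stay quiet).
SAMPLE_EVENTS = (
    [_ev("alice@example.com", EXPORT_EVENT, f"09:{m:02d}") for m in range(0, 48, 4)]
    + [_ev("alice@example.com", "page.viewed", "09:10")]
    + [_ev("bob@example.com", EXPORT_EVENT, t) for t in
       ("10:00", "10:10", "10:20", "10:30", "10:40",
        "11:30", "11:40", "11:50", "12:00")]
)

if __name__ == "__main__":
    for alert in detect_bulk_exports(SAMPLE_EVENTS):
        print(alert)
```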
Categories
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- Application Log
Created: 2023-06-07