
Summary
This rule monitors changes to the SAML Single Sign-On (SSO) configuration settings in a Notion workspace. When a Notion user modifies the setting that enforces SAML SSO, the rule triggers an alert. This is significant because SAML SSO enhances security by ensuring that only authenticated users can access workspace contents. Changes to SAML SSO enforcement are therefore critical for security, and any alteration could weaken access controls within the organization. The rule has a deduplication period of 60 minutes, meaning multiple alerts on the same change within that timeframe are deduplicated. Alongside the main configuration change event, the rule includes tests for both enabling and disabling the SAML SSO setting. Follow up on these changes for compliance and security audits, as sudden modifications may indicate unauthorized actions or misconfigurations that need addressing promptly. Verifying such changes helps maintain secure credential management practices.
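The matching and 60-minute deduplication described above can be sketched as follows. This is an added example, not the rule's own code: the event type string, the flat field names and the choice of deduplication key (workspace plus new state) are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Assumed audit event type and flat field layout; neither is given on the page.
SAML_EVENT = "workspace.settings.enforce_saml_sso_config_updated"
DEDUP_PERIOD = timedelta(minutes=60)  # the 60-minute period from the summary

def ev(ts, workspace, etype, state=None, actor="admin@example.com"):
    return {"timestamp": ts, "workspace_id": workspace, "type": etype,
            "state": state, "actor": actor}

# Constructed sample events, not real Notion logs.
SAMPLE_EVENTS = [
    ev("2023-06-16T09:00:00+00:00", "ws-1", SAML_EVENT, "disabled"),
    ev("2023-06-16T09:10:00+00:00", "ws-2", SAML_EVENT, "disabled"),
    ev("2023-06-16T09:20:00+00:00", "ws-1", SAML_EVENT, "disabled"),  # repeat
    ev("2023-06-16T09:30:00+00:00", "ws-1", "constructed.other_event"),
    ev("2023-06-16T09:40:00+00:00", "ws-1", SAML_EVENT, "enabled"),
    ev("2023-06-16T10:05:00+00:00", "ws-1", SAML_EVENT, "disabled"),  # window expired
]

def is_saml_enforcement_change(event):
    """Match only the SAML SSO enforcement setting change."""
    return event.get("type") == SAML_EVENT

def dedup_key(event):
    # Assumption: "the same change" means same workspace and same new state.
    return (event.get("workspace_id"), event.get("state"))

def generate_alerts(events):
    """Return one alert per distinct change per 60-minute window."""
    window_start = {}
    alerts = []
    for event in sorted(events, key=lambda e: datetime.fromisoformat(e["timestamp"])):
        if not is_saml_enforcement_change(event):
            continue
        ts = datetime.fromisoformat(event["timestamp"])
        key = dedup_key(event)
        opened = window_start.get(key)
        if opened is not None and ts - opened < DEDUP_PERIOD:
            continue  # duplicate inside the window: suppressed
        window_start[key] = ts
        alerts.append(f"{event['timestamp']} SAML SSO enforcement {event['state']} "
                      f"in {event['workspace_id']} by {event['actor']}")
    return alerts

if __name__ == "__main__":
    for line in generate_alerts(SAMPLE_EVENTS):
        print(line)
```

The window here is anchored at the first alert for a key, so a repeat 65 minutes later alerts again even though a suppressed duplicate occurred in between.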
Categories
- Cloud
- Identity Management
- Application
Data Sources
- User Account
- Application Log
Created: 2023-06-16