Notion SCIM Token Generated

Panther Rules

Summary
This detection rule fires when a user generates a SCIM (System for Cross-domain Identity Management) token in Notion. SCIM is often used to manage user identities and group memberships, so generating a SCIM token can enable broader access or privileges within the workspace. The rule is set to medium severity: the event may represent an initial phase of a security incident, such as an unauthorized access attempt or a configuration change that does not align with organizational policies. Events are sourced from Notion's audit logs, and any alert should be followed up by contacting the user involved to confirm that the action was valid. Because this capability can be abused, timely alerts like this one play a critical role in keeping applications such as Notion secure.
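The check described above can be sketched as follows. This is an added example, not Panther's rule source: the event type string `workspace.scim_token_generated`, the nested field layout (`event.type`, `event.actor.person.email`, `event.workspace_id`) and the sample records are assumptions constructed for illustration.

```python
# Added example: field names and the event type string are assumptions about
# the Notion audit log layout, not values taken from this page.
SCIM_TOKEN_EVENT = "workspace.scim_token_generated"  # assumed event type


def deep_get(record, *keys, default=None):
    """Walk nested dicts, returning default when any level is missing."""
    current = record
    for key in keys:
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def scim_token_alert(record):
    """Return an alert dict for a SCIM token generation event, else None."""
    if deep_get(record, "event", "type") != SCIM_TOKEN_EVENT:
        return None
    email = deep_get(record, "event", "actor", "person", "email",
                     default="<NO_USER_FOUND>")
    workspace = deep_get(record, "event", "workspace_id",
                         default="<NO_WORKSPACE_FOUND>")
    return {
        "severity": "MEDIUM",  # matches the severity stated in the summary
        "title": f"Notion user [{email}] generated a SCIM token "
                 f"for workspace [{workspace}]",
        "dedup_key": f"{workspace}:{email}",  # one alert per user/workspace
        "runbook": "Contact the user to confirm the action was legitimate.",
    }


# Constructed sample records (not real audit data).
SAMPLE_LOGS = [
    {"event": {"type": "page.viewed", "workspace_id": "ws-0001",
               "actor": {"person": {"email": "alice@example.com"}}}},
    {"event": {"type": "workspace.scim_token_generated", "workspace_id": "ws-0001",
               "actor": {"person": {"email": "bob@example.com"}}}},
    # Actor details missing: the rule must still alert, with placeholders.
    {"event": {"type": "workspace.scim_token_generated", "actor": {}}},
    {"malformed": True},
]


def run(logs):
    """Evaluate every record and keep only the alerts."""
    return [a for a in map(scim_token_alert, logs) if a is not None]
```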
Categories
  • Application
  • Cloud
Data Sources
  • Application Log
  • User Account
Created: 2023-10-30