Notion Login From Blocked IP

Panther Rules

Summary
This detection rule monitors attempts to log into Notion from an IP address that is known to be blocked. Its purpose is to catch potentially malicious login attempts that violate network access policies. It inspects Notion Audit Log entries for login attempts whose source IP address falls within a predetermined list of blocked CIDR ranges. The rule is currently disabled, and to operate effectively it must be given appropriate filters, including a check that the event's IP address lies within those blocked ranges. It triggers an alert on a single unauthorized login attempt so that the incident can be investigated immediately. When an alert fires, the recommended procedure is to confirm with the user whether the login attempt was legitimate and, if so, investigate why the corresponding IP address was blocked.
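As an added illustration of the check the summary describes (not the rule's own source from Panther), the following Panther-style rule flags Notion login events whose source IP falls inside a blocked CIDR range. The event field names (`type`, `ip_address`, `actor`), the login event type and the block list are assumptions constructed for this example.

```python
"""Added example, not the Panther rule's own code: a Panther-style rule that
alerts on a Notion login whose source IP is inside a blocked CIDR range.
Field names, event type and the block list below are assumptions."""
import ipaddress

# Constructed block list; a real deployment tunes these to its own policy.
BLOCKED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]
BLOCKED_NETWORKS = [ipaddress.ip_network(cidr) for cidr in BLOCKED_CIDRS]

# Assumed Notion audit log event type for a user login.
LOGIN_EVENT_TYPES = {"user.login"}


def ip_in_blocked_range(ip_str):
    """Return True if ip_str parses as an IP inside any blocked network.
    Missing or unparseable values count as not blocked instead of raising,
    so a malformed log line cannot crash the rule."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except (ValueError, TypeError):
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)


def rule(event):
    """Panther rule entry point: alert on a single login from a blocked IP."""
    if event.get("type") not in LOGIN_EVENT_TYPES:
        return False  # filter: only login events are in scope
    return ip_in_blocked_range(event.get("ip_address"))


def title(event):
    """Alert title carrying the IP and actor so triage can contact the user."""
    return (f"Notion login from blocked IP {event.get('ip_address')} "
            f"by {event.get('actor', 'unknown')}")


# Constructed sample events for a stand-alone run.
SAMPLE_EVENTS = [
    {"type": "user.login", "ip_address": "203.0.113.45", "actor": "alice@example.com"},
    {"type": "user.login", "ip_address": "192.0.2.10", "actor": "bob@example.com"},
    {"type": "page.viewed", "ip_address": "203.0.113.45", "actor": "alice@example.com"},
    {"type": "user.login", "ip_address": "not-an-ip", "actor": "carol@example.com"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule(ev), title(ev) if rule(ev) else ev)
```

Only the first sample event fires; the second is a login from an unblocked range, the third is not a login, and the fourth carries an unparseable address.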
Categories
  • Cloud
  • Web
Data Sources
  • User Account
  • Application Log
Created: 2023-10-13