
Summary
The detection rule "Notion Page Guest Permissions Changed" is designed to monitor changes to guest permissions on Notion pages. It primarily focuses on identifying when an external guest's permissions are modified, specifically when they are granted full access or when their role changes from read-only to full access. This is critical for maintaining data security and preventing unauthorized information disclosure. The rule utilizes audit logs generated by Notion, categorizing detected events under two types: the addition of guest roles and the modification of existing roles. A key aspect of this detection is its low severity rating, indicating that while changes to guest permissions are important to monitor, they are not likely to result in an immediate security crisis unless exploited. The expected workflow includes reviewing the relevant page to ensure no sensitive information is unnecessarily exposed and taking corrective action if needed. The rule has a deduplication period of 60 minutes, which helps to reduce noise from repeated alerts about similar permission changes within a short timeframe.
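The logic the summary describes, as an added example that is not the rule's own code: it matches guest grants of full access and read-only to full access upgrades, then applies the 60-minute deduplication. The event field names, type labels, role strings and the (page, guest) dedup key are assumptions made for illustration, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed, simplified event shape; field names, type labels and role
# strings are hypothetical, not Notion's audit log schema.
ADDED, UPDATED = "guest_role_added", "guest_role_updated"
DEDUP = timedelta(minutes=60)  # deduplication period stated in the summary

def matches(ev):
    """Guest added with full access, or raised from read-only to full access."""
    if ev["new_role"] != "full_access":
        return False
    if ev["type"] == ADDED:
        return True
    return ev["type"] == UPDATED and ev.get("old_role") == "read_only"

def alerts(events):
    """One alert per (page, guest) per dedup window; the key is an assumption."""
    last_alert, out = {}, []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if not matches(ev):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["page_id"], ev["guest"])
        if key in last_alert and ts - last_alert[key] < DEDUP:
            continue  # repeat inside the window: suppressed
        last_alert[key] = ts
        out.append({"ts": ev["ts"], "page_id": ev["page_id"], "guest": ev["guest"],
                    "severity": "low", "action": "review page for sensitive content"})
    return out

# Constructed sample events (not real audit log data).
SAMPLE = [
    {"ts": "2023-10-13T09:00:00", "type": ADDED, "page_id": "p1",
     "guest": "guest-a@example.org", "new_role": "full_access"},
    {"ts": "2023-10-13T09:20:00", "type": UPDATED, "page_id": "p1",
     "guest": "guest-a@example.org", "old_role": "read_only", "new_role": "full_access"},
    {"ts": "2023-10-13T09:30:00", "type": ADDED, "page_id": "p1",
     "guest": "guest-b@example.org", "new_role": "read_only"},
    {"ts": "2023-10-13T10:05:00", "type": UPDATED, "page_id": "p1",
     "guest": "guest-a@example.org", "old_role": "read_only", "new_role": "full_access"},
    {"ts": "2023-10-13T10:10:00", "type": UPDATED, "page_id": "p2",
     "guest": "guest-c@example.org", "old_role": "full_access", "new_role": "read_only"},
]

if __name__ == "__main__":
    for a in alerts(SAMPLE):
        print(a)
```

The 09:20 event is suppressed because it falls inside the window opened at 09:00, while the 10:05 event alerts again because the window has expired.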
Categories
- Cloud
- Application
Data Sources
- User Account
- Application Log
- Web Credential
Created: 2023-10-13