Only Enterprise workspace owners can install workspace-wide security and compliance integrations. To add a security and compliance integration:
Settings & members→
Your workspace must be on an Enterprise plan.
Only a Workspace Owner can configure security and compliance integrations for a Notion workspace.
You must have admin privileges in the partner tool.
Integrating with a DLP solution will help detect the use of sensitive data in your workspace and take automated action to remediate data breaches quickly by alerting workspace owners, redacting content, or restricting page access.
Supported DLP partners
In Notion, go to Settings & members → Connections → open the
Connect to Nightfall.
Authenticate with your Nightfall credentials.
Disconnecting by partner
In Notion, go to Settings & members → Connections → open the
In the Nightfall application, select
My Integrations, and remove the relevant Notion workspace from the
Integrating with a SIEM solution will bring your Notion audit log information into a shared platform with the rest of your SaaS app logs in order to:
Provide visibility into Notion user and workspace activity in a third-party audit log for better analysis, searches, and correlations.
Configure off-the-shelf alerts on unusual user activity in real-time.
Provide reports and dashboards to support incident investigation.
Note: On the Notion end, we don’t support connecting to any SIEM partner until the partner instance is ready to handle events.
Supported SIEM partners
In Notion, go to Settings & members → Connections → open the
Connect to Datadog.
Note: At this time, one Datadog instance can only be connected to one workspace at most.
Authenticate with your Datadog credentials by selecting your organization.
Log into your Panther console.
In the left side navigation of your Panther Console, select
Notion, then select the Notion tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the HTTP option. Select
Note: You will be required to use HMAC authentication.
Header Name associated with your Secret Key Value will be locked with a value of
Be sure to securely copy your Secret Key Value and store it in a safe location. You'll need this to configure the connection in Notion.
Note: Depending on your Splunk instance type, the Secret code may vary. Currently, we support Splunk Cloud or Enterprise licenses (not On-Prem).
Webhook URL (HEC URL).
Log into your Splunk instance.
Navigate to the
Search & Reporting app and select
Data section, click on
HTTP Event Collector.
Locate the desired HEC configuration and select its name, or create a new one.
On the configuration page, you'll find the HEC URL. Typically, it begins with https:// followed by the hostname or endpoint provided by Splunk, and ends with the HEC token. For example:
Secret code (HEC token) and repeat the steps above.
On the configuration page, you'll find the HEC token, a long alphanumeric string under the
Log into your Sumo Logic instance.
Setup Wizard and select
When presented with
Data Type, select
Your Custom App→
HTTP Source URL into Notion settings.
Setup tips by partner
To set up most of this integration, you will need to manually provide a webhook URL or token.
Token are not required.
Panther: Enter the HTTP Source URL in the Webhook URL field and the HMAC Authentication Secret Key Value in the
Splunk: Enter the HTTP Event Collector (HEC) URL in the Webhook URL field and the HTTP Event Collector (HEC) token in the
Sumo Logic: Enter the HTTP Event Collector (HEC) URL in the Webhook URL field. A token is required.
Below is a comprehensive list of webhook events that will be available in your SIEM platform once you set up the Notion SIEM connection. All events available in your SIEM platform will correspond to an audit log event. The glossary will help you understand the specific events that are being tracked and how they relate to your organization's security posture. Use this information to fine-tune your dashboards, alerts, and incident management processes.
Events are split into five main categories:
Page events: This includes events users take on a single Notion page.
Teamspace events: This includes events users take on one or more teamspaces.
Workspace events: This includes events users take on an entire Notion workspace.
User events: This includes events about accounts of users in the workspace.
Integration events: This includes events about internal integrations associated with the workspace.
For page events, the page audience describes the visibility level of the target page. The audience captured will be one of the following:
Private: The page is not shared with other users.
Internal: The page is shared with other members of the workspace only.
External: The page is shared with one or more guests outside of the workspace and/or with an integration bot.
Public: The page is shared to the web.
SIEM event glossary
workspace.audit_log_exported: A workspace owner exported the workspace’s audit log.
workspace.content_analytics_exported: A workspace owner exported workspace content analytics.
workspace.content_exported: Workspace content for a page or for the entire workspace was exported by a workspace user.
workspace.content_search_exported: The results of a content search for a workspace were exported by a workspace owner.
workspace.content_search_queried: A workspace owner used the admin content search functionality to find workspace content. Content searches can retrieve content from public and private pages.
workspace.domain_management.transfer_request_status_updated: A transfer request for a workspace created by a user with a verified domain was updated. (See this article for more information.)
workspace.external_account_connected: A public/external integration was connected to the workspace.
workspace.external_account_disconnected: A public/external integration was disconnected from the workspace, or a workspace owner removed access to a public integration for all users in the workspace.
workspace.group.permissions.member_added: A workspace owner or membership admin added a new member to a group. A group is a defined collection of workspace members.
workspace.group.permissions.member_removed: A workspace owner or membership admin removed a member from a group.
workspace.integration_added: An integration was added to the workspace for the first time. (This event will only be emitted the first time an integration is added to a workspace.)
workspace.integration_removed: All bots for a specific public integration are removed.
workspace.members_exported: A list of workspace members was exported.
workspace.membership_request_resolved: A membership request from a member to add a new person to the workspace was resolved, i.e. the workspace owner either approved or denied the request.
workspace.permissions.guest_removed: A guest was removed from the workspace by a workspace owner or membership admin.
workspace.permissions.member_added: A user accepted an invite to join a new workspace and has been added to the member list.
workspace.permissions.member_invited: A user was invited to a workspace by a workspace owner or membership admin.
workspace.permissions.member_removed: A member was removed from the workspace by a workspace owner or membership admin.
workspace.permissions.member_role_updated: A member’s role in a workspace was updated. Roles include Member, Membership Admin, Workspace Owner.
workspace.private_content_transferred: The private content of a deprovisioned workspace member was transferred to a new location. Enterprise workspace owners can transfer content from deprovisioned users.
workspace.saml_sso_idp_metadata_url_added: The IdP (Identity Provider) metadata URL was added by a workspace owner.
workspace.saml_sso_idp_metadata_url_updated: The IdP (Identity Provider) metadata URL was updated by a workspace owner.
workspace.saml_sso_idp_metadata_xml_added: The IdP (Identity Provider) metadata XML (Extensible Markup Language) was added by a workspace owner.
workspace.saml_sso_idp_metadata_xml_removed: The IdP (Identity Provider) metadata XML (Extensible Markup Language) was removed by a workspace owner.
workspace.saml_sso_idp_metadata_xml_updated: The IdP (Identity Provider) metadata XML (Extensible Markup Language) was updated by a workspace owner.
teamspace.archived: A teamspace was archived.
teamspace.created: A teamspace was created.
teamspace.permissions.custom_group_role_added: A teamspace owner added custom permissions for a group that is added to the teamspace.
teamspace.permissions.custom_group_role_removed: A teamspace owner removed custom permissions for a group that is added to the teamspace.
teamspace.permissions.custom_group_role_updated: A teamspace owner updated custom permissions for a group that is added to the teamspace.
teamspace.permissions.custom_member_role_added: A teamspace owner added custom page permissions for a specific teamspace member.
teamspace.permissions.custom_member_role_removed: A teamspace owner removed custom page permissions for a specific teamspace member.
teamspace.permissions.custom_member_role_updated: A teamspace owner updated custom page permissions for a specific teamspace member.
teamspace.permissions.default_member_role_updated: The default teamspace page permissions applied to teamspace members were updated.
teamspace.permissions.default_workspace_role_added: A teamspace owner gave page permissions to workspace users in a closed teamspace.
teamspace.permissions.default_workspace_role_removed: A teamspace owner removed page permissions from workspace users in a closed teamspace.
teamspace.permissions.default_workspace_role_updated: A teamspace owner updated the default page permissions for all workspace users in a teamspace.
teamspace.permissions.group_added: A group was added to a teamspace. A group is a defined collection of users.
teamspace.permissions.group_removed: A group was removed from the teamspace by a teamspace owner.
teamspace.permissions.member_added: A user was added to the teamspace. The user either joined an open teamspace or was added by another member. The event payload will specify “as Teamspace owner” if the user was added with teamspace owner privileges.
teamspace.permissions.member_removed: A teamspace member was removed from the teamspace. Removal can be triggered by a member leaving or being removed by a teamspace owner.
teamspace.permissions.member_role_updated: A teamspace member’s role was updated. Roles include Teamspace Member and Teamspace Owner.
teamspace.restored: A previously archived teamspace was restored.
teamspace.settings.allow_content_export_setting_updated: The setting to allow exporting teamspace content was enabled or disabled.
teamspace.settings.allow_guests_setting_updated: A teamspace owner enabled or disabled the ability to add guests (non-members) to a specific teamspace.
teamspace.settings.allow_public_page_sharing_setting_updated: The setting to allow publicly sharing a teamspace page was enabled or disabled by a workspace owner.
teamspace.settings.allow_sidebar_editing_setting_updated: The setting that determines who can edit the sidebar was updated. The setting will indicate if any teamspace member can edit the sidebar or if editing is only available for teamspace owners.
teamspace.settings.default_setting_updated: The teamspace’s default permissions settings were updated.
teamspace.settings.description_updated: The teamspace description was updated.
teamspace.settings.icon_updated: The teamspace icon was updated.
page.button_automation_created: A repeating button automation was created on a page.
page.button_automation_updated: A repeating button automation was updated on a page.
page.content_edited: The content of an existing page was edited by a user. Page content is also known as a block. Content edit events are consolidated into one event every minute while edits are occurring.
page.created: A new page nested under a parent page was created by a user.
page.deleted: A page was deleted by a user. Deleted pages may be restored in the future.
page.discussion.comment.created: A comment on a page was created by a user.
page.discussion.comment.deleted: A comment on a page was deleted by a user.
page.discussion.comment.updated: A comment on a page was edited by a user. Comment edit events are consolidated into one event every minute while edits are occurring.
page.exported: A page was exported to a PDF, HTML, or Markdown file by a user.
page.file_deleted: A file was deleted from the page by a user.
page.file_downloaded: A file in a page was downloaded or opened by a user.
page.file_uploaded: A file was uploaded to a page by a user.
page.moved: A page was relocated by a user, i.e. the page’s parent page updated.
page.permissions.group_role_added: A workspace group’s page permissions were added, which will allow them to access the page.
page.permissions.group_role_removed: A group’s page permissions were removed for a page, which will restrict them from having access to the page.
page.permissions.group_role_updated: A workspace group’s page permissions were updated, changing their type of access.
page.permissions.guest_role_added: A guest’s page permissions were added, which will allow them to access the page.
page.permissions.guest_role_removed: A guest’s page permissions were removed, which will restrict them from having access to the page.
page.permissions.guest_role_updated: A guest’s page permissions were updated, changing their type of access.
page.permissions.integration_role_added: A user added an integration to a page. Integrations of any type — internal or public/external — will trigger this event.
page.permissions.integration_role_removed: A user removed the page permissions for an integration (or “connection”), which will restrict the integration from having access to the page. Integrations of any type — internal or public/external — will trigger this event.
page.permissions.integration_role_updated: A user updated the page permissions of an integration (or “connection”). Integrations of any type — internal or public/external — will trigger this event.
page.permissions.member_role_added: A member’s page permissions were added, which will allow them to access the page.
page.permissions.member_role_removed: A member’s page permissions were removed, which will restrict them from having access to the page.
page.permissions.member_role_updated: A member’s page permissions were updated, changing their type of access.
User and account
user.deleted: A user account was deleted. This event will be sent to any workspace with which the account is associated.
user.login: A user logged into an account.
user.logout: A user logged out of an account.
user.settings.analytics_tracking_setting_updated: A user changed the setting to track whether their workspace or page activity is recorded in workspace analytics.
user.settings.email_updated: A user updated their email in the account settings.
user.settings.login_method.mfa_backup_code_updated: A user updated their MFA (Multi-Factor Authentication) back-up code settings.
user.settings.login_method.mfa_sms_updated: A user updated their MFA (Multi-Factor Authentication) SMS (Short Message Service) settings.
user.settings.login_method.mfa_totp_updated: A user updated their MFA (Multi-Factor Authentication) TOTP (Time-based One-Time Password) settings.
user.settings.login_method.password_added: A user added a password to their account for login purposes.
user.settings.login_method.password_removed: A user removed a password from their account.
user.settings.login_method.password_updated: A user updated their password.
user.settings.preferred_name_updated: A user updated their preferred name in the account settings.
user.settings.profile_photo_updated: A user updated their profile photo in the account settings.
user.settings.support_access_granted: Notion’s support team was granted temporary access to the user’s account.
user.settings.support_access_revoked: Support access to the user’s account was revoked.
integration.created: A developer created an internal integration and associated it with the workspace.
integration.deleted: An internal integration associated with the workspace was deleted. Deletions can occur in the My Integrations dashboard, or an admin can remove access to an internal integration for all users.
integration.secret_reset: The authentication secret for an internal integration was reset (or “refreshed”).
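One way to turn the glossary into SIEM triage rules, as an added example that is not Notion's or any SIEM partner's code. The event type names come from the glossary above; the payload field names (`type`, `email`, `audience`, `ts`), the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Event type names are taken from the glossary above. The payload field names
# (type, email, audience, ts) and the thresholds are assumptions for this example.
EXPORT_EVENTS = {
    "workspace.audit_log_exported", "workspace.content_exported",
    "workspace.content_search_exported", "workspace.members_exported",
    "page.exported", "page.file_downloaded",
}
GRANT_EVENTS = {"page.permissions.guest_role_added",
                "page.permissions.integration_role_added"}
SSO_PREFIX = "workspace.saml_sso_idp_metadata_"
LOGIN_METHOD_PREFIX = "user.settings.login_method."
OUTSIDE_AUDIENCES = {"external", "public"}  # page audiences reaching beyond members


def triage(events, burst_size=3, window_s=600):
    """Return (rule, email, event_type, ts) alerts, oldest first."""
    alerts = []
    exports = defaultdict(deque)  # email -> export timestamps inside the window
    auth_changed = {}             # email -> ts of last unreported login-method change
    for ev in sorted(events, key=lambda e: e["ts"]):
        etype, who, ts = ev["type"], ev.get("email", "unknown"), ev["ts"]
        audience = ev.get("audience", "").lower()
        if etype.startswith(SSO_PREFIX):
            # Any change to IdP metadata alters who can authenticate.
            alerts.append(("sso_config_changed", who, etype, ts))
        elif etype.startswith(LOGIN_METHOD_PREFIX):
            auth_changed[who] = ts
        elif etype in GRANT_EVENTS and audience in OUTSIDE_AUDIENCES:
            alerts.append(("outside_access_granted", who, etype, ts))
        elif etype in EXPORT_EVENTS:
            q = exports[who]
            q.append(ts)
            while ts - q[0] > window_s:
                q.popleft()
            if len(q) == burst_size:  # fires once when the threshold is reached
                alerts.append(("export_burst", who, etype, ts))
            changed = auth_changed.pop(who, None)
            if changed is not None and ts - changed <= window_s:
                alerts.append(("export_after_login_method_change", who, etype, ts))
    return alerts


# Constructed sample events (not real Notion payloads).
SAMPLE_EVENTS = [
    {"ts": 1000, "type": "user.login", "email": "a@example.com"},
    {"ts": 1060, "type": "user.settings.login_method.mfa_totp_updated", "email": "a@example.com"},
    {"ts": 1100, "type": "page.exported", "email": "a@example.com", "audience": "Internal"},
    {"ts": 1150, "type": "page.exported", "email": "a@example.com", "audience": "Private"},
    {"ts": 1200, "type": "workspace.members_exported", "email": "a@example.com"},
    {"ts": 1300, "type": "page.permissions.guest_role_added", "email": "b@example.com", "audience": "External"},
    {"ts": 1400, "type": "page.permissions.member_role_added", "email": "b@example.com", "audience": "Internal"},
    {"ts": 5000, "type": "workspace.saml_sso_idp_metadata_url_updated", "email": "owner@example.com"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Map the assumed field names to whatever your SIEM actually shows for a test event before porting these rules to its query language.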
There's a five minute delay built in to prevent these notifications from getting too noisy! Let us know if you still aren't seeing them show up! We'll help out.
Sorry for the confusion 🙈 You can't enable the integration from Slack. You'll need to turn it on inside Notion with the instructions on this page.
Notion's integration with Slack operates on a per-page basis. When you enable the Slack integration for a specific page in your Notion workspace, you're granting Notion access to publish updates to the Slack channel of your choosing.
You can! You can do so via Settings & Members → My connected apps. For the desired integration, select “Connect another account”.
Note: Some applications do not support multi-account login in the browser (e.g. GitHub), so you might need to log out of whichever account is currently logged in on your browser to be prompted to log in with a different account.
We’ll determine which of your accounts to use to preview given resources and show an error if none of them are successful.
Run through these steps to try to resolve.
Confirm you’ve authenticated with the correct account for the resource.
Confirm no access restrictions for your organization.
Try to unfurl again.
Finally, if all else fails, reach out to support! Unfortunately, we cannot help resolve errors related to Access denied or Content not found. Please provide the following information when reaching out to support:
Integration you’re trying to use
Error message and code
URL you’re trying to preview (if possible)
There are two possible reasons for this:
You may not have authenticated with the account that has access. You can connect multiple accounts either through Settings & Members → My connected apps, or the error drop down.
Your organization may have limited access to content via 3rd party integrations or IP addresses. Please confirm with your workspace or organization administrator and ask to have Notion’s integration approved if this is the case. Here are instructions for specific integrations: GitHub, Jira, Slack, Asana, Trello.
SIEM integrations will be authorized to receive event logs on all workspace activity.
DLP integrations will be authorized:
to receive event logs on all workspace activity.
to view content, view comments, edit content, edit comments, and create comments in all pages.
to see basic information about all workspace members and guests, including their names, profile images, and email addresses.
Sometimes, the event may appear under a different label or in a different place than where you expect. We recommend triggering a new page event and querying in your SIEM querying language for email: "[your email address]" for all events triggered by you.
When a new Panther instance is created, it can take up to 10 minutes for it to be fully ready to receive events.
In the event of an outage, you should reach out to your SIEM provider for more information.
SIEM provider can only be connected to a single Notion workspace at this time.
Incorrect webhook URL
Incorrect HMAC or HEC token
Do not have admin privileges in your SIEM provider
SIEM provider is an on-prem instance