Add security and compliance integrations

Add security and compliance integrations
In this Article

Learn how to add security and compliance integrations to your workspace 🔐

Jump to FAQs

Only Enterprise workspace owners can install workspace-wide security and compliance integrations. To add a security and compliance integration:

  • Go to Settings & membersConnections.

  • Open the Workspace tab.

  • Your workspace must be on an Enterprise plan.

  • Only a Workspace Owner can configure security and compliance integrations for a Notion workspace.

  • You must have admin privileges in the partner tool.

Integrating with a DLP solution will help detect the use of sensitive data in your workspace and take automated action to remediate data breaches quickly by alerting workspace owners, redacting content, or restricting page access.

Supported DLP partners

Nightfall AI

  • In Notion, go to Settings & membersConnections → open the Workspace tab.

  • Select Connect on the Nightfall tile → Connect to Nightfall.

  • Authenticate with your Nightfall credentials.

  • You can find additional instructions here, and learn more about the integration here.

Disconnecting by partner

Nightfall AI

  • In Notion, go to Settings & membersConnections → open the Workspace tab.

  • Select ••• beside the Nightfall integration → Disconnect.

  • In the Nightfall application, select Notion in My Integrations, and remove the relevant Notion workspace from the Workspaces list.

Integrating with a SIEM solution will bring your Notion audit log information into a shared platform with the rest of your SaaS app logs in order to:

  • Provide visibility into Notion user and workspace activity in a third-party audit log for better analysis, searches, and correlations.

  • Configure off-the-shelf alerts on unusual user activity in real-time.

  • Provide reports and dashboards to support incident investigation.

Note: On the Notion end, we don’t support connecting to any SIEM partner until the partner instance is ready to handle events.

Supported SIEM partners

Datadog

  • In Notion, go to Settings & membersConnections → open the Workspace tab.

  • Select Connect on the Datadog tile → Connect to Datadog.

    • Note: At this time, one Datadog instance can only be connected to one workspace at most.

  • Authenticate with your Datadog credentials by selecting your organization.

  • You can find additional instructions here.

Panther

  • Log into your Panther console.

  • In the left side navigation of your Panther Console, select ConfigureLog SourcesCreate New.

  • Search for Notion, then select the Notion tile.

  • In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the HTTP option. Select Setup.

  • The Header Name associated with your Secret Key Value will be locked with a value of x-notion-signature.

  • Be sure to securely copy your Secret Key Value and store it in a safe location. You'll need this to configure the connection in Notion.

  • You can find additional instructions here.

Splunk

  • Note: Depending on your Splunk instance type, the Webhook URL and Secret code may vary. Currently, we support Splunk Cloud or Enterprise licenses (not On-Prem).

  • Retrieve Webhook URL (HEC URL).

  • Log into your Splunk instance.

  • Navigate to the Search & Reporting app and select Settings.

  • Under the Data section, click on HTTP Event Collector.

  • Locate the desired HEC configuration and select its name, or create a new one.

  • On the configuration page, you'll find the HEC URL. Typically, it begins with https:// followed by the hostname or endpoint provided by Splunk, and ends with the HEC token. For example: https://<your-splunk-instance>.splunkcloud.com:8088/services/collector/event

  • Retrieve the Secret code (HEC token) and repeat the steps above.

  • On the configuration page, you'll find the HEC token, a long alphanumeric string under the Token field.

  • You can find additional instructions here.

Sumo Logic

  • Log into your Sumo Logic instance.

  • Select Manage DataCollection.

  • Navigate to Setup Wizard and select Get started.

  • When presented with Data Type, select Your Custom AppHTTPS Source.

  • Copy the HTTP Source URL into Notion settings.

  • You can find additional instructions here.

Setup tips by partner

To set up most of this integration, you will need to manually provide a webhook URL or token.

  • Datadog: The Webhook URL and Token are not required.

  • Panther: Enter the HTTP Source URL in the Webhook URL field and the HMAC Authentication Secret Key Value in the Token field.

  • Splunk: Enter the HTTP Event Collector (HEC) URL in the Webhook URL field and the HTTP Event Collector (HEC) token in the Token field.

  • Sumo Logic: Enter the HTTP Event Collector (HEC) URL in the Webhook URL field. A token is required.

Below is a comprehensive list of webhook events that will be available in your SIEM platform once you set up the Notion SIEM connection. All events available in your SIEM platform will correspond to an audit log event. The glossary will help you understand the specific events that are being tracked and how they relate to your organization's security posture. Use this information to fine-tune your dashboards, alerts, and incident management processes.

Event types

Events are split into five main categories:

  • Page events: This includes events users take on a single Notion page.

  • Teamspace events: This includes events users take on one or more teamspaces.

  • Workspace events: This includes events users take on an entire Notion workspace.

  • User events: This includes events about accounts of users in the workspace.

  • Integration events: This includes events about internal integrations associated with the workspace.

Page audience

For page events, the page audience describes the visibility level of the target page. The audience captured will be one of the following:

  • Private: The page is not shared with other users.

  • Internal: The page is shared with other members of the workspace only.

  • External: The page is shared with one or more guests outside of the workspace and/or with an integration bot.

  • Public: The page is shared to the web.

SIEM event glossary

Workspace

  • workspace.audit_log_exported: A workspace owner exported the workspace’s audit log.

  • workspace.content_analytics_exported: A workspace owner exported workspace content analytics.

  • workspace.content_exported: Workspace content for a page or for the entire workspace was exported by a workspace user.

  • workspace.content_search_exported: The results of a content search for a workspace was exported by a workspace owner.

  • workspace.content_search_queried: A workspace owner used the admin content search functionality to find workspace content. Content searches can retrieve content from public and private pages.

  • workspace.domain_management.transfer_request_status_updated: A transfer request for a workspace created by a user with a verified domain was updated. (See this article for more information.)

  • workspace.external_account_connected: A public/external integration was connected to the workspace.

  • workspace.external_account_disconnected: A public/external integration was disconnected from the workspace, or a workspace owner removed access to a public integration for all users in the workspace.

  • workspace.group.permissions.member_added: A workspace owner or membership admin added a new member to a group. A group is a defined collection of workspace members.

  • workspace.group.permissions.member_removed: A workspace owner or membership admin removed a member from a group.

  • workspace.integration_added: An integration was added to the workspace for the first time. (This event will only be emitted the first time an integration is added to a workspace.)

  • workspace.integration_removed: All bots for a specific public integration are removed.

  • workspace.members_exported: A list of workspace members was exported.

  • workspace.membership_request_resolved: A membership request from a member to add a new person to the workspace was resolved, i.e. the workspace owner either approved or denied the request.

  • workspace.permissions.guest_removed: A guest was removed from the workspace by a workspace owner or membership admin.

  • workspace.permissions.member_added: A user accepted an invite to join a new workspace and have been added to the member list.

  • workspace.permissions.member_invited: A user was invited to a workspace by a workspace owner or membership admin.

  • workspace.permissions.member_removed: A member was removed from the workspace by a workspace owner or membership admin.

  • workspace.permissions.member_role_updated: A member’s role in a workspace was updated. Roles include Member, Membership Admin, Workspace Owner.

  • workspace.private_content_transferred: The private content of a deprovisioned workspace member was transferred to a new location. Enterprise workspace owners can transfer content from deprovisioned users.

  • workspace.saml_sso_idp_metadata_url_added: The IdP (Identity Provider) metadata URL was added by a workspace owner.

  • workspace.saml_sso_idp_metadata_url_updated: The IdP (Identity Provider) metadata URL was updated by a workspace owner.

  • workspace.saml_sso_idp_metadata_xml_added: The IdP (Identity Provider) metadata XML (Extensible Markup Language) was added by a workspace owner.

  • workspace.saml_sso_idp_metadata_xml_removed: The IdP (Identity Provider) metadata XML (Extensible Markup Language) was removed by a workspace owner.

  • workspace.saml_sso_idp_metadata_xml_updated: The IdP (Identity Provider) metadata XML (Extensible Markup Language) was updated by a workspace owner.

Teamspace

  • teamspace.archived: A teamspace was archived.

  • teamspace.created: A teamspace was created.

  • teamspace.permissions.custom_group_role_added: A teamspace owner added custom permissions for a group that is added to the teamspace.

  • teamspace.permissions.custom_group_role_removed: A teamspace owner removed custom permissions for a group that is added to the teamspace.

  • teamspace.permissions.custom_group_role_updated: A teamspace owner updated custom permissions for a group that is added to the teamspace.

  • teamspace.permissions.custom_member_role_added: A teamspace owner added custom page permissions for a specific teamspace member.

  • teamspace.permissions.custom_member_role_removed: A teamspace owner removed custom page permissions for a specific teamspace member.

  • teamspace.permissions.custom_member_role_updated: A teamspace owner updated custom page permissions for a specific teamspace member.

  • teamspace.permissions.default_member_role_updated: The default teamspace page permissions applied to teamspace members was updated.

  • teamspace.permissions.default_workspace_role_added: A teamspace owner gave page permissions to workspace users in a closed teamspace.

  • teamspace.permissions.default_workspace_role_removed: A teamspace owner removed page permissions from workspace users in a closed teamspace.

  • teamspace.permissions.default_workspace_role_updated: A teamspace owner updated the default page permissions for all workspace users in a teamspace.

  • teamspace.permissions.group_added: A group was added to a teamspace. A group is a defined collection of users.

  • teamspace.permissions.group_removed: A group was removed from the teamspace by a teamspace owner.

  • teamspace.permissions.member_added: A user was added to the teamspace. The user either joined an open teamspace or was added by another member. The event payload will specify “as Teamspace owner” if the user was added with teamspace owner privileges.

  • teamspace.permissions.member_removed: A teamspace member was removed from the teamspace. Removal can be triggered by a member leaving or being removed by a teamspace owner.

  • teamspace.permissions.member_role_updated: A teamspace member’s role was updated. Roles include Teamspace Member and Teamspace Owner.

  • teamspace.restored: A previously archived teamspace was restored.

  • teamspace.settings.allow_content_export_setting_updated: The setting to allow exporting teamspace content was enabled or disabled.

  • teamspace.settings.allow_guests_setting_updated: A teamspace owner enabled or disabled the ability to add guests (non-members) to a specific teamspace.

  • teamspace.settings.allow_public_page_sharing_setting_updated: The setting to allow publicly sharing a teamspace page was enabled or disabled by a workspace owner.

  • teamspace.settings.allow_sidebar_editing_setting_updated: The setting that determines who can edit the sidebar was updated. The setting will indicate if any teamspace member can edit the sidebar or if editing is only available for teamspace owners.

  • teamspace.settings.default_setting_updated: The teamspace’s default permissions settings were updated.

  • teamspace.settings.description_updated: The teamspace description was updated.

  • teamspace.settings.icon_updated: The teamspace icon was updated.

Page

  • page.button_automation_created: A repeating button automation was created on a page.

  • page.button_automation_updated: A repeating button automation was updated on a page.

  • page.content_edited: The content of an existing page was edited by a user. Page content is also known as a block. Content edit events are consolidated into one event every minute while edits are occurring.

  • page.created: A new page nested under a parent page was created by a user.

  • page.deleted: A page was deleted by a user. Deleted pages may be restored in the future.

  • page.discussion.comment.created: A comment on a page was created by a user.

  • page.discussion.comment.deleted: A comment on a page was deleted by a user.

  • page.discussion.comment.updated: A comment on a page was edited by a user. Comment edit events are consolidated into one event every minute while edits are occurring.

  • page.exported: A page was exported to a PDF, HTML, or Markdown file by a user.

  • page.file_deleted: A file was deleted from the page by a user.

  • page.file_downloaded: A file in a page was downloaded or opened by a user.

  • page.file_uploaded: A file was uploaded to a page by a user.

  • page.moved: A page was relocated by a user, i.e. the page’s parent page updated.

  • page.permissions.group_role_added: A workspace group’s page permissions were added, which will allow them to access the page.

  • page.permissions.group_role_removed: A group’s page permissions were removed for a page, which will restrict them from having access to the page.

  • page.permissions.group_role_updated: A workspace group’s page permissions were updated, changing their type of access.

  • page.permissions.guest_role_added: A guest’s page permissions were added, which will allow them to access the page.

  • page.permissions.guest_role_removed: A guest’s page permissions were removed, which will restrict them from having access to the page.

  • page.permissions.guest_role_updated: A guest’s page permissions were updated, changing their type of access.

  • page.permissions.integration_role_added: A user added an integration to a page. Integrations of any type — internal or public/external — will trigger this event.

  • page.permissions.integration_role_removed: A user removed the page permissions for an integration (or “connection”), which will restrict the integration from having access to the page. Integrations of any type — internal or public/external — will trigger this event.

  • page.permissions.integration_role_updated: A user updated the page permissions of an integration (or “connection”). Integrations of any type — internal or public/external — will trigger this event.

  • page.permissions.member_role_added: A member’s page permissions were added, which will allow them to access the page.

  • page.permissions.member_role_removed: A member’s page permissions were removed, which will restrict them from having access to the page.

  • page.permissions.member_role_updated: A member’s page permissions were updated, changing their type of access.

User and account

  • user.deleted: A user account was deleted. This event will be sent to any workspace with which the account is associated.

  • user.login: A user logged into an account.

  • user.logout: A user logged out of an account.

  • user.settings.analytics_tracking_setting_updated: A user changed the setting to track whether their workspace or page activity is recorded in workspace analytics.

  • user.settings.email_updated: A user updated their email in the account settings.

  • user.settings.login_method.mfa_backup_code_updated: A user updated their MFA (Multi-Factor Authentication) back-up code settings.

  • user.settings.login_method.mfa_sms_updated: A user updated their MFA (Multi-Factor Authentication) SMS (Short Message Service) settings.

  • user.settings.login_method.mfa_totp_updated: A user updated their MFA (Multi-Factor Authentication) TOTP (Time-based One-Time Password) settings.

  • user.settings.login_method.password_added: A user added a password to their account for login purposes.

  • user.settings.login_method.password_removed: A user removed a password from their account.

  • user.settings.login_method.password_updated: A user updated their password.

  • user.settings.preferred_name_updated: A user updated their preferred name in the account settings.

  • user.settings.profile_photo_updated: A user updated their profile photo in the account settings.

  • user.settings.support_access_granted: Notion’s support team was granted temporary access to the user’s account.

  • user.settings.support_access_revoked: Support access to the user’s account was revoked.

Integration

  • integration.created: A developer created an internal integration and associated it with the workspace.

  • integration.deleted: An internal integration associated with the workspace was deleted. Deletions can occur in the My Integrations dashboard, or an admin can remove access to an internal integration for all users.

  • integration.secret_reset: The authentication secret for an internal integration was reset (or “refreshed”).

Drata

If your policy content lives in Notion, you can connect Notion with Drata to manage that content. Changes you make to policies in Notion will be synced with Drata.

Note:

  • For the best experience, try to avoid using database blocks in Notion pages that you sync with Drata.

  • You can’t sync any private Notion pages to Drata.

  • If a policy stored in Notion is deleted by a user, you’ll be prompted to import a new file in Drata.

To integrate Notion with Drata:

  1. In Notion, go to Settings & membersConnections → open the Workspace tab.

  2. Select Connect on the Drata tile.

  3. Give Drata permission to access your Notion workspace, then select Allow access.

Learn more about the integration here →


FAQs

I just made updates to a page, but I didn't receive a Slack notification.

There's a five minute delay built in to prevent these notifications from getting too noisy! Let us know if you still aren't seeing them show up! We'll help out.

I'm trying to enable the integration in Slack's App Directory, but it just takes me to Notion's homepage.

Sorry for the confusion 🙈You can't enable the integration from Slack. You'll need to turn it on inside Notion with the instructions on this page.

What permissions are granted when the Slack integration is enabled?

Notion's integration with Slack operates on a per-page basis. When you enable the Slack integration for a specific page in your Notion workspace, you're granting Notion access to publish updates to the Slack channel of your choosing.

Can I add more than one login for a link preview integration?

You can! You can do so via Settings & Members → My connected apps. For the desired integration, select “Connect another account”.

Note: Some applications do not support multi-account login in the browser (e.g. GitHub), so you might need to logout of whichever account is currently logged in on your browser to be prompted to login with a different account.

We’ll determine which of your accounts to use to preview given resources and show an error if none of them are successful.

I’m receiving a general “Can’t load preview” error in my link preview.

Run through these steps to try to resolve.

  1. Confirm you’ve authenticated with the correct account for the resource.

  2. Confirm no access restrictions for your organization.

  3. Delete your integration in Notion via the My connected apps settings. You may also want to revoke the integration the corresponding platform: GitHub, Jira, Slack, Asana, Trello.

  4. Try to unfurl again.

  5. Finally, if all else fails, reach out to support! Unfortunately, we cannot help resolve errors related to Access denied or Content not found. Please provide the following information when reaching out to support:

    • Integration you’re trying to use

    • Error message and code

    • URL you’re trying to preview (if possible)

I’m receiving an “Access denied” or “Content not found” error in my link preview.

There are two possible reasons for this:

  1. You may not have authenticated with the account that has access. You can connect multiple accounts either through Settings & MembersMy connected apps, or the error drop down.

  2. Your organization may have limited access to content via 3rd party integrations or IP addresses. Please confirm with your workspace or organization administrator and ask to have Notion’s integration approved if this is the case. Here are instructions for specific integrations: GitHub, Jira, Slack, Asana, Trello.

What do connections have access to in my workspace?

  • SIEM integrations will be authorized to receive event logs on all workspace activity.

  • DLP integrations will be authorized:

    • to receive event logs on all workspace activity.

    • to view content, view comments, edit content, edit comments, and create comments in all pages.

    • to see basic information about all workspace members and guests, including their names, profile images, and email addresses.

I’m not seeing SIEM events even after connecting. What should I do?

  • Sometimes, the event may appear under a different label or in a different place than where you expect. We recommend triggering a new page event and querying in your SIEM querying language for type: "page.created" or email: "[your email address]" for all events triggered by you.

  • When a new Panther instance is created, it can take up to 10 minutes for it to be fully ready to receive events.

What happens to my SIEM events if my SIEM provider has an outage?

In the event of an outage, you should reach out to your SIEM provider for more information.

Why can’t I connect more than one instance of the same SIEM provider?

SIEM provider can only be connected to a single Notion workspace at this time.

Having trouble setting up your SIEM connections? Here are some common issues.

  • Incorrect webhook URL

  • Incorrect HMAC or HEC token

  • Do not have admin privileges in your SIEM provider

  • SIEM provider is an on-prem instance

Still have more questions? Message support

Give Feedback

Was this resource helpful?