diff --git a/rules/notion_rules/notion_account_changed_after_login.yml b/rules/notion_rules/notion_account_changed_after_login.yml index c3f6d1609..59cf99205 100644 --- a/rules/notion_rules/notion_account_changed_after_login.yml +++ b/rules/notion_rules/notion_account_changed_after_login.yml @@ -14,6 +14,7 @@ Description: A Notion User logged in then changed their account details. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible account takeover. Follow up with the Notion User to determine if this email change is genuine. +Reference: https://www.notion.so/help/account-settings Tests: - # This unit test is to make sure the logic for handling login events successfully results in # caching the login info. The outputted title/alert_context are not important. diff --git a/rules/notion_rules/notion_login_from_blocked_ip.yml b/rules/notion_rules/notion_login_from_blocked_ip.yml index b32b63256..af4e2134b 100644 --- a/rules/notion_rules/notion_login_from_blocked_ip.yml +++ b/rules/notion_rules/notion_login_from_blocked_ip.yml @@ -14,3 +14,4 @@ Description: "A user attempted to access Notion from a blocked IP address. Note: DedupPeriodMinutes: 60 Threshold: 1 Runbook: Confirm with user if the login was legitimate. If so, determine why the IP is blocked. +Reference: https://www.notion.so/help/allowlist-ip diff --git a/rules/notion_rules/notion_login_from_new_location.yml b/rules/notion_rules/notion_login_from_new_location.yml index d3461b477..8cf3202d4 100644 --- a/rules/notion_rules/notion_login_from_new_location.yml +++ b/rules/notion_rules/notion_login_from_new_location.yml 
@@ -14,6 +14,7 @@ Description: A Notion User logged in from a new location. DedupPeriodMinutes: 60 Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs. Runbook: Possible account takeover. Follow up with the Notion User to determine if this login is genuine. +Reference: https://ipinfo.io/products/ip-geolocation-api Tests: - Name: Login from normal location ExpectedResult: false diff --git a/rules/notion_rules/notion_many_pages_deleted.yml b/rules/notion_rules/notion_many_pages_deleted.yml index ef5ba1205..81257217b 100644 --- a/rules/notion_rules/notion_many_pages_deleted.yml +++ b/rules/notion_rules/notion_many_pages_deleted.yml @@ -14,6 +14,7 @@ Description: A Notion User deleted multiple pages. DedupPeriodMinutes: 60 Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs. Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/duplicate-delete-and-restore-content Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_many_pages_exported.yml b/rules/notion_rules/notion_many_pages_exported.yml index fb5f13740..010245809 100644 --- a/rules/notion_rules/notion_many_pages_exported.yml +++ b/rules/notion_rules/notion_many_pages_exported.yml @@ -14,6 +14,7 @@ Description: A Notion User exported multiple pages. DedupPeriodMinutes: 60 Threshold: 10 # Number of pages exported; please change this value to suit your organization's needs. Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/export-your-content Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_page_accessible_to_api.yml b/rules/notion_rules/notion_page_accessible_to_api.yml index 288174f6e..4f8ba6c0c 100644 
--- a/rules/notion_rules/notion_page_accessible_to_api.yml +++ b/rules/notion_rules/notion_page_accessible_to_api.yml @@ -14,3 +14,4 @@ Description: "A new API integration was added to a Notion page, or it's permissi DedupPeriodMinutes: 60 Threshold: 1 Runbook: Potential information exposure - review the shared page and rectify if needed. +Reference: https://www.notion.so/help/sharing-and-permissions diff --git a/rules/notion_rules/notion_page_accessible_to_guests.yml b/rules/notion_rules/notion_page_accessible_to_guests.yml index ec3ef9fdf..53db176be 100644 --- a/rules/notion_rules/notion_page_accessible_to_guests.yml +++ b/rules/notion_rules/notion_page_accessible_to_guests.yml @@ -14,6 +14,7 @@ Description: The external guest permissions for a Notion page have been altered. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Potential information exposure - review the shared page and rectify if needed. +Reference: https://www.notion.so/help/sharing-and-permissions Tests: - Name: Guest Role Added ExpectedResult: true diff --git a/rules/notion_rules/notion_page_shared_to_web.yml b/rules/notion_rules/notion_page_shared_to_web.yml index 620d59920..777237005 100644 --- a/rules/notion_rules/notion_page_shared_to_web.yml +++ b/rules/notion_rules/notion_page_shared_to_web.yml @@ -14,3 +14,4 @@ Description: A Notion User published a page to the web. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Potential information exposure - review the shared page and rectify if needed. +Reference: https://www.notion.so/help/public-pages-and-web-publishing diff --git a/rules/notion_rules/notion_page_view_impossible_travel.yml b/rules/notion_rules/notion_page_view_impossible_travel.yml index f7ecce6d3..3d9f98fe3 100644 --- a/rules/notion_rules/notion_page_view_impossible_travel.yml +++ b/rules/notion_rules/notion_page_view_impossible_travel.yml 
@@ -15,6 +15,7 @@ Description: A Notion User viewed a page from 2 locations simultaneously DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible account compromise. Review activity of this user. +Reference: https://raxis.com/blog/simultaneous-sessions/ Tests: - Name: Normal Page View ExpectedResult: False diff --git a/rules/notion_rules/notion_scim_token_generated.yml b/rules/notion_rules/notion_scim_token_generated.yml index b30115211..e13e18c44 100644 --- a/rules/notion_rules/notion_scim_token_generated.yml +++ b/rules/notion_rules/notion_scim_token_generated.yml @@ -14,6 +14,7 @@ Severity: Medium DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/provision-users-and-groups-with-scim Tests: - ExpectedResult: false Log: diff --git a/rules/notion_rules/notion_workspace_audit_log_exported.yml b/rules/notion_rules/notion_workspace_audit_log_exported.yml index f18a3a767..6c80f8550 100644 --- a/rules/notion_rules/notion_workspace_audit_log_exported.yml +++ b/rules/notion_rules/notion_workspace_audit_log_exported.yml @@ -14,6 +14,7 @@ Description: A Notion User exported audit logs for your organization’s workspa DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/audit-log#export-your-audit-log Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_workspace_exported.yml b/rules/notion_rules/notion_workspace_exported.yml index 2232647de..c40f7ec5c 100644 --- a/rules/notion_rules/notion_workspace_exported.yml +++ b/rules/notion_rules/notion_workspace_exported.yml 
@@ -14,6 +14,7 @@ Description: A Notion User exported an existing workspace. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/workspace-settings#export-an-entire-workspace Tests: - Name: Workspace Exported ExpectedResult: true diff --git a/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml b/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml index 199009e77..a81cbe9c0 100644 --- a/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml +++ b/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml @@ -14,6 +14,7 @@ Description: A Notion User changed settings to enforce SAML SSO configurations f DedupPeriodMinutes: 60 Threshold: 1 Runbook: Follow up with the Notion User to determine if this was done for a valid business reason and to ensure these settings get re-enabled quickly for best security practices. +Reference: https://www.notion.so/help/saml-sso-configuration Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml b/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml index 221c8ca0b..0147311d7 100644 --- a/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml +++ b/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml @@ -14,6 +14,7 @@ Description: A Notion page was set to public in your worksace. DedupPeriodMinutes: 60 Threshold: 1 Runbook: A Notion page was made public. Check with the author to determine why this page was made public. +Reference: https://www.notion.so/help/public-pages-and-web-publishing Tests: - Name: Public page added ExpectedResult: true
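Review bot: In the notion_login_from_new_location.yml hunk, the unchanged context line `Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs.` carries a comment copied from the pages-deleted rule that does not describe a login-from-new-location threshold; since this change already touches the adjacent lines, drop or correct that comment so the rule does not mislead whoever tunes it. The added `Reference: https://ipinfo.io/products/ip-geolocation-api` also points at a third-party vendor product page rather than documentation of the detection itself, so state in the PR whether that is the intended enrichment dependency for this rule.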
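Review bot: In the notion_page_accessible_to_api.yml hunk, the Description shown in the hunk header context reads `"A new API integration was added to a Notion page, or it's permissi...`; `it's` should be the possessive `its` (the page's permissions), so fix the Description while this file is being edited.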
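Review bot: In the notion_page_view_impossible_travel.yml hunk, the added `Reference: https://raxis.com/blog/simultaneous-sessions/` is the only Reference in this patch that points at an external blog post rather than vendor documentation; blog URLs rot, so either note why it is the preferred source or pair it with a more durable one. The unchanged context line `ExpectedResult: False` also uses a capitalised boolean while every other rule in the patch uses `false`; normalising it here keeps the test fixtures consistent.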
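Review bot: In the notion_workspace_settings_public_homepage_added.yml hunk, the hunk header context shows `Description: A Notion page was set to public in your worksace.`, where `worksace` should be `workspace`; this Description is shown to analysts in alerts, so correct the typo in the same change.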