Alerts

Another common scenario is alerting an operations team whenever a specific activity occurs. Examples include the following:

  • Notifying a user who shared a document externally
  • Blocking unauthorized administrators
  • Blocking a potentially compromised account that is performing a suspicious activity

To do that, administrators can use Activity Alerts, which allow them to create rules based on conditions composed of the following:

  • Activities to be performed by one or more users
  • Users who are under investigation

Whenever a user does anything that trips an alert, an email is sent to the recipient configured in the alert, notifying them about the flagged activity. From here, the administrator can open the audit log search in the Security & Compliance Center to review and investigate user activities.
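The same rule can be created from PowerShell instead of the portal. The following is an added example, not part of the original text: it defines an activity alert from a set of activities, a set of users, and a recipient, and then retrieves the matching audit records for review. It assumes the ExchangeOnlineManagement module is installed; the contoso.com addresses, the alert name, and the chosen operations are constructed placeholders.

```powershell
# Assumes the ExchangeOnlineManagement module is installed.
# All addresses and the alert name below are constructed placeholders.
$admin      = 'admin@contoso.com'
$watched    = 'laura@contoso.com', 'julia@contoso.com'   # users under investigation
$recipient  = 'secops@contoso.com'                        # receives the alert email
$operations = 'SharingInvitationCreated', 'AnonymousLinkCreated'

# Activity alerts are managed from Security & Compliance PowerShell.
Connect-IPPSSession -UserPrincipalName $admin

# Rule = activities + users. Omit -UserId to alert on any user in the organization.
New-ActivityAlert -Name 'External sharing by watched users' `
    -Operation $operations `
    -UserId $watched `
    -NotifyUser $recipient `
    -Description 'External sharing activity by users under investigation'

# Confirm the rule was stored as intended.
Get-ActivityAlert -Identity 'External sharing by watched users' | Format-List

# After a notification arrives, pull the matching audit records for review.
# Search-UnifiedAuditLog runs in Exchange Online PowerShell.
Connect-ExchangeOnline -UserPrincipalName $admin

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations $operations -UserIds $watched -ResultSize 1000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |   # AuditData is a JSON string
    Sort-Object CreationTime |
    Select-Object CreationTime, UserId, Operation, ObjectId, ClientIP
```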

The following screenshot shows an example of a notification email:

Administrators can automate activities that will be taken in the service whenever a set of actions occurs. To accomplish this, they can leverage Cloud App Security (CAS). CAS allows administrators to create policies to perform actions such as the following:

  • Suspending a user
  • Requiring a user to sign in again
  • Notifying a user

Cloud App Security policies, including activity, file, and anomaly detection, are out of the scope of this book. However, you can learn more about Cloud App Security here: https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security.

For example, suppose a user triggers a specific activity alert that warrants suspending that user. Instead of an administrator performing the suspension manually, Cloud App Security can execute a workflow to take action automatically.

Administrators can also review alerts that were triggered and take action when appropriate, as shown in the following screenshot:

There are multiple ways to filter the results, such as by resolution status, category, and severity. Administrators can also export the results. 
