This video show the creation of a Transaction Security Policy for the API Anomaly Real Time Event.  You need to do a policy for each of the Threat Detection Events: https://help.salesforce.com/s/articleView?id=xcloud.real_time_em_threat_detection.htm&type=5 has more information on these events.

 

The criteria is the same for each anomaly event - the Score needs to be 0 or more.

​

You may decide to use a custom email message which can contain information about the user, date/time of the event and other details.​​