This video show the creation of a Transaction Security Policy for the API Anomaly Real Time Event.  You need to do a policy for each of the Threat Detection Events: https://help.salesforce.com/s/articleView?id=xcloud.real_time_em_threat_detection.htm&type=5 has more information on these events.

 

The criteria is the same for each anomaly event - the Score needs to be 0 or more.

​

You may decide to use a custom email message which can contain information about the user, date/time of the event and other details.​​

​

The user should be your security team and to allow for them to receive the email and not consume a regular user, give the user the Identity license and the Identity User profile and the security team's group email address.