We would like to be able to set automated actions based on alerts. For example if Box detects anomalous download with a risk score higher than e.g. 60 or a set threshold of number of files, the user’s account will be locked to stop further downloads.

A message should then be sent to the user and IT admin that it has been locked due to anomalous download detection. Then IT need to do a investigate and take action, or reactivate the account if it is a false positive.

The pain point of not having this option is that the current alert is very reactive. Loads of files can be downloaded before we can stop it. We can take disciplinary actions, but the information may still have been stolen or shared, which is an information security issue.