min read

DoControl Actionable Alerts: Your Dedicated Private Security Team

Imagine if you had a dedicated team that never goes to sleep or takes a break. The team constantly monitors what happens to your organization’s data and makes intelligent cross-referencing between your SaaS applications and your EDR; and can then report on high-risk anomalies and push them to your SIEM/SOAR solution. It seems too good to be true, right?

DoControl monitors the myriad of events coming through your business-critical SaaS applications including Google Drive, Office 365, Slack, Box, Dropbox and many others. The solution sifts through them, applying multiple heuristics to discover “the needle in the haystack” – a potential anomaly hiding within thousands of seemingly standard actions which are part of an organization's normal day-to-day business practices.

Once DoControl discovers a potential anomaly, an alert notification is fired via a webhook to Slack or Microsoft Teams, via email and also within the DoControl platform itself. Alerts are automatically distributed during potential incidents such as sensitive data becoming public, sharing files with an unrecognized domain, exchanging encryption keys via a SaaS application, suspicious bursts of sharing activity and employees sharing internal data with their personal emails, and many more. 

Alerts that notify your security team of configuration drift or specific configuration changes which increase the propensity for data to leak (i.e. SSPM). Automatically identifying and blocking data shares with a known malicious actor – all will be achievable within the DoControl SaaS Security Platform.

As the leader of the Data Analysis team here at DoControl, one of the main challenges we are faced with is to create meaningful and accurate alerts – which are not too noisy. Security teams are already bombarded with far too many false positives and suffering from alert fatigue as it is. We are increasingly leveraging machine learning (ML) to find candidates for alerting. For example, we can scan for a certain time period and use clustering algorithms to find bursts of unusual sharing activities. We also want to measure and record the day-to-day normal activity of similar users and groups, and then use these references as benchmarks to alert on unusual events taking place within the environment.

Alerts can then easily become “Quick Actions:” a single click remediation of the issue the alert pertains to. DoControl provides several 1-click quick action workflows that simplify common use cases that otherwise require a significant amount of manual labor to initiate:


  • Removing all permissions to specific external collaborators; 
  • Changing data ownership; 
  • and turning certain data-points into private, all can be  performed in a single click.

Alternatively, security teams can create an automated workflow to remediate and handle all future events related to that specific event. Through intuitive, no-code conditional logic workflows the DoControl platform enables consistent enforcement and risk remediation across all SaaS applications, many of which cannot be achieved natively in each individual application.‍

Workflows are customizable to specific applications or use cases through a catalog of playbooks (pre-established templates) to meet organizational security program requirements.

DoControl’s alerts are highly customizable. Judging by the risk level a certain scenario poses for your organization, you can assign a risk-index (low/medium/high) per alert type, and also choose which alerts you want to receive by “muting” alerts that are of less interest to your organization. You can also decide which keywords indicate sensitive information in your organization, and tailor the alerts to look at those assets you identify as sensitive. If certain actors or targets are considered safe and you do not wish to be alerted to their activity, they can be easily excluded from the alerting system. This level of customization helps your security team find the appropriate balance of alerts.

Taking a peak behind the curtain, we are hard at work on expanding our alerting capabilities and our alert catalog in the near future, here are some of the capabilities that are on our roadmap:

  • Cross-SaaS data processing and alerting. For example, imagine a malware rampaging through your GDrive and Dropbox drives;
  • Benchmarking by department and actor: knowing what is the normal behavior can help us detect malicious activities;
  • EDR signal to SaaS;
  • SIEM integrations;
  • Security, Orchestration, Automation and Response (SOAR) integrations.

Reach out to your DoControl account team if you’re interested in learning more about how to take advantage of our alerting capabilities. If you’re not a customer, request a demo and get started today.

Gilad has a love affair with SaaS applications that began at his time at Walkme, where he led the Insights group's data analysis activities, serving thousands of B2B clients. He enjoys writing complex queries and developing an expertise in both SaaS usage and automation and complex data schemas, with billions of weekly events flowing in.

Prior to that he was part of several data-science teams: at Woo.io, building a high scale job-matching service for technologists and prior to that at Clearforest (today Refinitiv), a Tel-Aviv data-science and NLP hub serving the financial industry.

DoControl allows him to combine two of his core interests: SaaS events & data security while he says it’s an added bonus getting to work with a super bright and driven group of people.

In his spare time he enjoys jazz concerts and records, playing the piano and spending time with his two kids.

Get updates to your inbox

Our latest tips, insights, and news