Forum Discussion

SergioT1228
Brass Contributor
Sep 23, 2020
Solved

Created Policy - What is the difference: Alerts vs Activity?

I have created a policy for Failed Log on and when I check my alerts, I see 10. But when I look at the activity log and run the query based on the policy I created, there are over 5,000. Additi...
  • Caroline_Lee
    Sep 24, 2020

    SergioT1228, great question! The activity log is a view of all the activities performed in your connected applications. This could range from a log-on, file download, task creation, etc., whereas an alert will notify you of a potential threat in your cloud environment.


    The reason why you may be seeing more failed log-ons in the activity log than in the alert panel is that sometimes failed logins can be normal behavior (e.g. a user forgetting their password). This could also depend on how you've scoped your policy, i.e. alerting on 10 repeated failed log-ons in a 5-minute time interval would only result in 1 alert but 10 entries in the activity log. There is also a specific anomaly detection policy based on User and Entity Behavior Analytics (UEBA), where MCAS studies the behavior of the user for 7 days, establishes a baseline for each user, and will alert on any unusual behavior.


    Investigating multiple failed logon attempts: https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts#multiple-failed-login-attempts

    Activities in MCAS: https://docs.microsoft.com/en-us/cloud-app-security/activity-filters


    Does that answer your question?
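The following Python snippet is an added illustration of the scoping point in the reply above; it is not code from the original thread and not Microsoft's or MCAS's own implementation. It models an activity log as a list of rows, filters it the way the policy query would, and then applies a threshold rule ("N failed log-ons by the same user within a time window raises one alert"). The user names, timestamps and the `Failed log on` / `Log on` / `File download` action strings are constructed sample data, and the 10-failures-in-5-minutes default mirrors the example in the reply, so the counts show why the activity view holds far more rows than the alert panel.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (assumption): a base time and a helper to build
# activity-log rows. These are not real MCAS records or field names.
BASE = datetime(2020, 9, 23, 9, 0, 0)


def _row(user, offset_seconds, action="Failed log on"):
    return {
        "timestamp": BASE + timedelta(seconds=offset_seconds),
        "user": user,
        "action": action,
    }


ACTIVITY_LOG = (
    # A password-spray/brute-force style burst: 25 failures, one every 10 s.
    [_row("attacker@contoso.example", 10 * i) for i in range(25)]
    # A forgotten password: 3 failures 20 minutes apart, then a successful log-on.
    + [_row("alice@contoso.example", 1200 * i) for i in range(3)]
    + [_row("alice@contoso.example", 3700, action="Log on")]
    # Unrelated activity that the failed-log-on filter must ignore.
    + [_row("bob@contoso.example", 500, action="File download")]
)


def failed_logons(activities):
    """The activity-log view: every row the policy filter matches, one per event."""
    return [a for a in activities if a["action"] == "Failed log on"]


def threshold_alerts(activities, threshold=10, window=timedelta(minutes=5)):
    """The alert view: one alert each time a single user accumulates
    `threshold` failed log-ons inside a sliding `window`.

    After an alert fires the user's counter is reset, so a burst of 25
    failures yields 2 alerts (at the 10th and 20th failure), not 25.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    for a in sorted(failed_logons(activities), key=lambda r: r["timestamp"]):
        q = recent[a["user"]]
        q.append(a["timestamp"])
        # Drop failures that have aged out of the window.
        while q and a["timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "user": a["user"],
                "first_failure": q[0],
                "last_failure": a["timestamp"],
                "count": len(q),
            })
            q.clear()  # next alert needs another `threshold` failures
    return alerts


def summarize(activities, threshold=10, window=timedelta(minutes=5)):
    """Side-by-side counts a reviewer would compare: activity rows vs alerts."""
    return {
        "activity_rows": len(activities),
        "failed_logon_rows": len(failed_logons(activities)),
        "alerts": len(threshold_alerts(activities, threshold, window)),
    }


if __name__ == "__main__":
    print(summarize(ACTIVITY_LOG))
    for alert in threshold_alerts(ACTIVITY_LOG):
        print(alert)
```

Running it shows 28 failed-log-on rows in the activity view but only 2 alerts, both for the bursting account; Alice's three spread-out failures never reach the threshold inside the window, which is the "normal behavior" case the reply mentions. Lowering `threshold` or widening `window` (for example `threshold=3, window=timedelta(hours=1)`) pulls her into the alert set as well, which is the tuning trade-off behind the 10-vs-5,000 gap in the question.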
