Hi
@PhilippeAugras,
Yes these things are possible, depending on the product set and licensing of your client's environment.
Credit cards are a pre-defined sensitive information type (SIT) in Microsoft Information Protection (MIP)
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitive-information-type-entity-definiti...You can consume SITs in Data Loss/Leakage Policies (DLP). For example, you can create a DLP policy from a template here.
https://compliance.microsoft.com/datalossprevention?viewid=policiesFor credit cards you can use the Financial category, PCI DSS template. Alerts are one of the options under Protection actions in the DLP policy wizard.
As for "alert on upload of any document to an approved web service", there are probably several ways. Microsoft Defender for Cloud Apps (MDCA, formerly MCAS) may be one answer. This seems an unusual use case that might drown your client in alerts, but I note this has clearly occurred to you already. Personally I would be inclined to revisit the "why" part with your client and see if there is a better solution than an alert for every occurrence and how they intend to respond to the alerts. Can you say what the approved web service is? If so, depending on what it is I might be able to give specific instructions for setting it up.
Thanks, Ash
