Activity in Root Cause Analysis should generate alerts. I've witnessed on at least one occasion where phishing activity was displayed in Root Cause Analysis for a particular user. It revealed the attack came in through Outlook in the form of a malicious pdf document. The user didn't report this issue, I had to contact the user. They confirmed they received the message and opened the attachment but the content was blocked. In the very least this would represent an opportunity for needed security awareness training directed at the identified user. Perhaps it would make sense to provide the option to have alerts generated from Root Cause Analysis that administrators could toggle on if desired?