Advanced threat controls send an alert to the administrator when matched system activity is detected or blocked.
As LotL attacks generally occur without their knowledge, end users will not be notified when matched system activity is detected or blocked. If an end user does engage in controlled activity, they may receive a native macOS notification stating they are prevented from doing so.
In both cases, an administrator can view alerts in the Alerts page, through data-forwarding services, or by streaming directly to a SIEM.