We have the tool (Smart Event) to configure all sorts of event activities with alerts. AI is just a term to use machines to act to different events. As mentioned above CP has already created some very interesting views that you can customise as per your needs.
Except from the obvious (to find attack patterns) I can list two interesting findings:
1) Through the views for email activity we have found a spike of requests from a specific IP. With further checks we have found that this was a legitimate email server (not blacklisted or anything) but according to our Sys Admins was sending 100% spam emails. Based on that we have set this IP to our Black List. This IP was new and not listed on any anti spam sites. This was just an example to show that once you dig you will find interesting stuff.
2) Another interesting finding is to find blocked activity from the Internal Network. This is mainly helpful to fine tune you policy and pinpoint issues before they even begin. Ask questions like why this server is trying (blocked) to communicate to this ip address to this port? You will be surprised!
For AI or machine learning I would like to see more feeds from CP on IP reputation and DNS reputation where more intelligence on events will be gathered.