![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 46%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
1,296 questions
I believe you will see better aggregation when switching over to the Microsoft 365 Defender (Preview) connector. This connects to M365D rather than the individual services. When you activate this connector it will ask to turn off the other alert forwarding rules that it replaces. You will also have the option to stream the raw logs from the M365D advanced hunting tables. I think you need the SecurityIncidents and SecurityAlerts tables at a minimum. This also provides 2-way alerts integration. These raw tables are not free unfortunately. They will incur ingestion changes. Most of the tables are fairly small but you might find that some tables are more expensive than expected. Definitely monitor ingestion volume/price for a few weeks after activation. Also, there are about a dozen alert rule templates in Sentinel that add additional checks on MDE device tables. Mostly static threat intel checks.