So according to the overview, all of the security alerts come in from Microsoft Graph.
Is there a way to filter out certain events? Or is this a once size fits all, it just pulls it all in?
Microsoft Graph Security API Add-On allows Splunk users to ingest all security alerts for their organization using the Microsoft Graph Security API. Supported products include Azure Advanced Threat Protection, Azure AD Identity Protection, Azure Security Center, Azure Sentinel, Azure Information Protection, Microsoft Cloud App Security, Office Advanced Threat Protection, Defender Advanced Threat Protection and many more - Refer to complete supported product list at http://aka.ms/graphsecurityalerts