MicrosoftHello GabrielNecula
the first thing is to make sure you are getting logs of value and quality. 70% of the sentinel environments i have inherited to maintain have not had the logs value check and been tuned and a lot of this is in the design that is decided for the environment. the main issue with any cloud based SIEM its its easy to ingest logs and forget to tune like we had to with on-premises due to disk space. for example if you have ASA logs then even Cisco recommend tuning down some logs in a events for a SIEM like teardowns. i have seen this type of tuning drop the events by around a 3rd and not have any impact on the Audit or security value of the logs. but does really help customers with there ingestion costs.
the nice thing about this solution is it can be mixed, for for high load e.g sizes or EPS yo can use MSFT Continuous Export exports for the main items and then this solution just for the custom tables, or you can have multiple runbooks that focus on set tables. the API is a limiting factor but the Design of the SIEM needs to be looked at in a whole for what you are trying to achieve.
