Thanks Mark-Resnik. If you are in the context of a single tenant, then yes, I would enable 1st party connectors in the central SOC workspace and define the Microsoft rules there. These wouldn't benefit from cross-workspace correlation as you ingest the logs for the whole tenant in a single workspace.
As for Fusion/ML Behavior Analytics rules, not sure if there would be benefits to correlating data from different workspaces. For example, Fusion uses mostly MCAS and Identity Protection sources for now, so it would only make sense to enable that rule in the tenant where those logs are being sent, and this should be a single workspace. It is true that it also supports PaloAlto/MDATP logs for a couple of detections, and in that case I agree that correlation would be beneficial. For ML Behavior Analytics, it is based on syslog from individual machines, so I don't think correlation across workspaces would be needed and the recommendation would be to enable on every workspace where syslog is being collected as instructed here: https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog?WT.mc_id=Portal-fx#configure-the-syslog-connector-for-anomalous-ssh-login-detection
Adding Koby Koren and SharonXia for visibility