Security Alerts generated from MCAS should contain the user principal name and IP address as fields, at a minimum. In some alerts this info is in the entities field, but it is difficult to extract into its own field. In other alerts it is not present. Should be their own field to make building alert rules and automation easier.
Also, I would like the ability to query the events that show up in the Activity Log in MCAS in Sentinel to build custom alert rules.