These different connectors are purpose driven:
MMA (this will be out of support in 2024 and AMA agent is intended to be used for same purpose.)
1. This helps you to ingest logs from Security Events from Event Viewer logs.
2. Log volume is dependent on Audit policy implemented on the machine.
3. Once you bring them into Sentinel, you can write detections and create incidents
4. You ingestion is charged.
1. You need have a valid license as @Kenneth Meyer-Lassen
2. You can ingest the MDE alerts to Sentinel with no additional cost.
3. You have the raw logs available to query in Microsoft Security portal (DeviceEvents, DeviveNetworkEvents etc.,)
4. You can configure the Microsoft 365 Defender connector in Sentinel to get the same logs ingested to Sentinel to support your investigation.
5. Raw logs in defender does not cost you, but ingestion to Sentinel will cost you.