To ingest Defender events, I'd recommend our Defender for Endpoint integration. It requires Elastic Agent, so you'll need to spin up an Agent to ingest the events. We also have an M365 Defender integration if that's of interest too.
Thanks so much! It helped to an extent, so that I can ask the next question. Currently I am using o365.yml (within modules.d) to fetch Azure AD logs. I have set up the Windows Defender app within the Azure tenant (portal). So is there a different Filebeat module I need to add this application ID/secret details to?
Currently the Azure AD logs are fetched using Filebeat, and the config looks like this: