I would agree, the securityevents is what matters. I reviewed in detail the filebeat o365 module that leverages the microsoft management api. It has some alerts from the securitycompliance scheme but it is missing many other alerts such as the identity protection alerts.