Currently, Microsoft 365 Unified Audit Logs are ingested through ITDR and stored in SIEM, but this is only ingesting the AzureActiveDirectory and Exchange UAL workloads. It would be nice to see this expanded to include all UAL workloads, especially SharePoint, OneDrive, and Teams. This would be a huge help for investigating account compromise incidents, to get a full picture of all activity performed by a threat actor before containment (if it wasn't outright prevented by ITDR, of course). Maybe even make this a standalone integration for clients who want SIEM but not ITDR?

It would also be nice to see the parsing improved, especially parsing out the session IDs more reliably, as in my experience so far those are often still contained in the itdr.DeviceProperties or raw message field rather than the itdr.sessionid field.
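As an added example (not part of the original post and not vendor code), this is a fallback that recovers the session ID when it is still sitting in `itdr.DeviceProperties` or the raw message instead of `itdr.sessionid`. It assumes flat event dictionaries, a raw-message field named `message`, and the UAL layouts in which `DeviceProperties` is a list of Name/Value pairs and `AppAccessContext` carries `AADSessionId`; all sample records are constructed.

```python
import json
import re
from collections import Counter

# Assumed event shape: flat dicts with the post's field names; the raw record is
# assumed to sit in a field called "message". All sample values are constructed.
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
RAW_PATTERNS = [  # fallbacks for IDs left unparsed in the raw record
    re.compile(r'"Name"\s*:\s*"SessionId"\s*,\s*"Value"\s*:\s*"(' + GUID + ')"'),
    re.compile(r'"AADSessionId"\s*:\s*"(' + GUID + ')"'),
]

def from_device_properties(value):
    """UAL DeviceProperties is a list of Name/Value pairs, sometimes JSON text."""
    try:
        items = json.loads(value) if isinstance(value, str) else value
    except ValueError:
        return None
    if isinstance(items, list):
        for item in items:
            if isinstance(item, dict) and item.get("Name") == "SessionId":
                return item.get("Value") or None
    return None

def session_id(event):
    """Return (session_id, source_field), preferring the already-parsed field."""
    sid = event.get("itdr.sessionid")
    if sid:
        return sid.lower(), "itdr.sessionid"
    sid = from_device_properties(event.get("itdr.DeviceProperties"))
    if sid:
        return sid.lower(), "itdr.DeviceProperties"
    for pattern in RAW_PATTERNS:
        match = pattern.search(event.get("message") or "")
        if match:
            return match.group(1).lower(), "message"
    return None, None

def coverage(events):  # which field supplied the ID, to measure parsing gaps
    return Counter(session_id(e)[1] for e in events)

SAMPLE_EVENTS = [  # constructed records, one per place the ID can end up
    {"Operation": "UserLoggedIn", "itdr.sessionid": "11111111-2222-3333-4444-555555555555"},
    {"Operation": "UserLoggedIn", "itdr.DeviceProperties":
        '[{"Name":"OS","Value":"Windows10"},{"Name":"SessionId","Value":"11111111-2222-3333-4444-555555555555"}]'},
    {"Operation": "MailItemsAccessed", "message":
        '{"AppAccessContext":{"AADSessionId":"11111111-2222-3333-4444-555555555555"}}'},
    {"Operation": "Set-Mailbox", "message": '{"Workload":"Exchange"}'},
]
```

Running `coverage()` over an export shows how many events only yield a session ID through a fallback, which is a concrete number to attach to a parsing request like this one.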