There are multiple ingestion labels defined in SecOps specifically for Windows and Azure AD. Is there a way to find which label to apply for specific events.
For example, whether all windows event channels will be covered by WINEVTLOG_XML, For example ADFS Admin Audit Channel?
Also, when should we use the below labels,
WINDOWS_AD
ADFS
AZURE_AD_SIGNIN (AZURE_AD already covers the sign ins from Entra ID)
