Yes. Here's how:
Thanks @jconger, it worked.
Can we define a sourcetype for sign and audit logs? Currently the sourcetype is defined as amdl:diagnosticLogs.
Thanks for the quick reply @jconger, you mean I need to update "MICROSOFT.AADIAM/AUDIT" OR "MICROSOFT.AADIAM/SIGNIN" with ?