My architecture is:
Splunk Cloud and Splunk Enterprise - search heads and indexers
I have an on-prem heavy forwarder.
I want to try out the Splunk Add-on for Microsoft O365 app.
Would it be recommended to install it on the heavy forwarder and have that reach out to O365 to retrieve the audit logs and then send them up to Splunk Cloud? Or can I have Splunk Cloud connect directly to my O365 tenant?