Obviously, I would like to use the "best" one; the "easiest" one or the one that is most-current or best-supported. How can I tell which one that is? An installation/user guide would be great, too. This is for Common Information Model with Enterprise Security.
If you want to pull security alerts from all things ATP and have them mapped to CIM, look no further than “Microsoft Graph Security API Add-On for Splunk”. Maintained by MS!
My TA allows you to schedule KQL queries for more subtle endpoint telemetry stuff like “this and this file appeared in this directory”. For example, macro files in Office startup dirs. Oh, and I don’t map to CIM because the telemetry data is way too varied.
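As an added illustration of the kind of scheduled query the reply above describes (this is not code from the thread or from the poster's TA), here is a Microsoft Defender for Endpoint advanced-hunting query that surfaces macro-enabled Office files and add-ins appearing in Office startup folders. The column names are those of the `DeviceFileEvents` table; the folder list, the extension list and the one-day lookback are assumptions based on default Office locations and would be tuned per environment.

```kql
// Added example, not from the original thread.
// Assumptions: default Office startup/template folder names (StartupFolders),
// a list of file types that can carry macros or add-in code (the regex),
// and a one-day window matching a daily scheduled run.
let StartupFolders = dynamic([
    @"\Microsoft\Word\STARTUP\",     // per-user Word startup (global templates/add-ins)
    @"\Microsoft\Excel\XLSTART\",    // per-user Excel startup
    @"\Microsoft\Templates\",        // Normal.dotm lives here
    @"\Office16\STARTUP\",           // machine-wide Word startup
    @"\Office16\XLSTART\"            // machine-wide Excel startup
]);
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType in ("FileCreated", "FileRenamed", "FileModified")
| where FolderPath has_any (StartupFolders)
// Macro-enabled documents/templates and binary add-ins (case-insensitive)
| where FileName matches regex @"(?i)\.(dotm|docm|xlsm|xlam|xla|xll|wll|ppam|pptm)$"
// Office itself writing Normal.dotm is expected noise; drop it unless the writer is not Office
| where not (FileName =~ "Normal.dotm" and InitiatingProcessFileName =~ "WINWORD.EXE")
| project Timestamp, DeviceName, ActionType, FolderPath, FileName, SHA256,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

The `has_any` clause keeps the folder match cheap; the regex on the file name narrows results to types that can execute code at Office start. Expect to add exclusions for software deployment tools that legitimately drop add-ins, and review `InitiatingProcessFileName` first: a script host or browser writing into `XLSTART` is a much stronger signal than an installer doing so.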