Reputation: 3521
We recently found a risky sign-in for a user (e.g. the IP address pointed at a location different from the user's actual location), and following investigation it was discovered the user had clicked on a phishing email for a SharePoint document. MFA sessions were revoked and the password reset as recovery actions, but this type of scenario was only discovered because someone on the team manually captures risky sign-in results weekly. So it just so happened we were lucky it was discovered the same day, but next time a risky sign-in like this could go unnoticed and pose a security risk!
Currently Microsoft Defender alerts us when malware is detected on an endpoint, and we receive emails for those, which we start investigating immediately. So we are looking into setting up similar alerting for when a risky sign-in like this is detected, and wanted to ask here what would be the simplest and best way to set up such alerts?
We use Microsoft Defender, but are also contemplating integrating a SIEM like Sentinel.
However, we are trying to find out what value Sentinel would really provide us... if alerts can be set up without the need for Sentinel, is it simply through Log Analytics KQL queries? Or just by using ID Protection?
Or would Sentinel be best suited for something like this?
I came across this, for example, but it just shows querying and not really how that can be used to set up alerts:
https://jeffreyappel.nl/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics/
So we are trying to find out the best approach to implement this, and what value a SIEM like Sentinel would then provide if this can just be done with Log Analytics or ID Protection...
Upvotes: 0
Views: 77
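As an added example (not part of the question above or of the linked article), this is the kind of KQL a scheduled alert would run once the Entra ID diagnostic settings forward SignInLogs and UserRiskEvents to a Log Analytics workspace. It assumes those two categories are enabled (they land in the SigninLogs and AADUserRiskEvents tables); the 1h lookback is a hypothetical value that should match the rule's evaluation frequency.

```kql
// Added example, not from the question. Assumes Entra ID diagnostic settings send
// SignInLogs and UserRiskEvents to the workspace (tables SigninLogs, AADUserRiskEvents).
// 'lookback' is a hypothetical window; match it to the alert rule's evaluation frequency.
let lookback = 1h;
// ID Protection detections (atypical travel, anonymous IP, leaked credentials, ...)
// that are still open, i.e. not dismissed, remediated or confirmed safe.
let riskEvents =
    AADUserRiskEvents
    | where TimeGenerated > ago(lookback)
    | where RiskState in ("atRisk", "confirmedCompromised")
    | summarize Detections = make_set(RiskEventType), LatestDetection = max(DetectedDateTime)
        by UserPrincipalName;
// Sign-ins that ID Protection scored medium or high at the time of sign-in
SigninLogs
| where TimeGenerated > ago(lookback)
| where RiskLevelDuringSignIn in ("medium", "high") or RiskLevelAggregated in ("medium", "high")
| where RiskState != "dismissed"
| join kind=leftouter riskEvents on UserPrincipalName
// ResultType "0" is a successful sign-in; anything else was blocked, failed or interrupted (e.g. by MFA)
| extend SignInSucceeded = (ResultType == "0")
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
          RiskLevelDuringSignIn, RiskLevelAggregated, RiskState, RiskEventTypes_V2,
          SignInSucceeded, Detections, LatestDetection
| order by TimeGenerated desc
```

Without Sentinel, this query can be saved as an Azure Monitor log search alert rule (threshold: number of results greater than 0) tied to an action group that emails the team, which is the same delivery model as the existing Defender malware emails. In Sentinel the identical query becomes a scheduled analytics rule; what Sentinel adds on top is the incident record, mapping of UserPrincipalName and IPAddress to entities so related alerts are grouped per user, and automation rules/playbooks (for example, revoking sessions through a Logic App) instead of an email alone. Sentinel also has a built-in Microsoft Entra ID Protection connector that ingests the ID Protection alerts directly as incidents, so the choice is mainly about whether the team wants incident tracking and response automation, not about whether the detection itself is possible.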