docs: clarify AD log types

README.md

@@ -56,7 +56,7 @@ If you're unsure about what/how to use this module, please fill the [questionnai
 
 - Compliance feature requires `Contributor` subcription-level role, in order to be able to check specific compliance rules.
 - Threat Detection feature requires `Contributor` subscription-level role user assignment
-    - For AD diagnostic `Security Administrator` role must be granted to at Organizational level.
+    - For AD diagnostic on [selected log types](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/blob/master/modules/infrastructure/eventhub/variables.tf#L80) `Security Administrator` role must be granted to at Organizational level.
       Otherwise, it can be disabled setting `deploy_active_directory=false` on all examples
 
 - For scanning, an App (with its Service Principal) is required to be created in the ActiveDirectory, to enable