All internal devices referenced in the alarms were using some form of Microsoft Office 365, and all but one were iOS or OS X devices.
When looking through the raw logs, I see a lot of traffic (as expected) between internal hosts and these IP addresses. However, the majority of that traffic has not generated alarms.
I'm not an expert at Suricata rules, but when I searched through the pcap of the events that triggered the alarms, it seemed that the content matching was not functioning as the author expected it to.