Daily KQL Queries
Hi All,
Curious to hear from those of you in a CIRT/IR/Cyber analyst/Security position or those who are actively handling security at your organization. What are some daily KQL queries or checks you run?
A couple I run are:
- Windows AV files being quarantined
- I like seeing what people are trying to download, and I question the suspicious ones
- Emails delivered to inbox then moved to quarantine, where users clicked on a link in them
- Potential drive by download
- Work in progress
What's everyone running daily to check for suspicious activity or the unknown?
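One way to express the third item in the list above (mail delivered to the inbox, later pulled to quarantine, and clicked in the meantime) as a Microsoft Defender XDR advanced hunting query. This is an added example, not a query from the original post; it assumes the Defender for Office 365 tables EmailEvents, EmailPostDeliveryEvents and UrlClickEvents and the documented values "Inbox/folder", "Phish ZAP", "Malware ZAP" and "Quarantine", so check the column values against your own tenant before relying on it.

```kql
// Added example (not from the original post).
// Goal: mail that reached a user's inbox, was later removed by zero-hour auto purge (ZAP)
// into quarantine, and had a URL inside it clicked by someone. These are the messages
// where the filter lost the race and a human may need follow-up.
// Assumed tables/values: EmailEvents, EmailPostDeliveryEvents, UrlClickEvents;
// DeliveryLocation "Inbox/folder"; ActionType "Phish ZAP"/"Malware ZAP".
let lookback = 1d;
// 1. Messages that were actually delivered to the inbox
let delivered = EmailEvents
    | where Timestamp > ago(lookback)
    | where DeliveryAction == "Delivered" and DeliveryLocation == "Inbox/folder"
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject,
              DeliveredTime = Timestamp;
// 2. Post-delivery actions that moved those messages to quarantine
let zapped = EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("Phish ZAP", "Malware ZAP") and DeliveryLocation == "Quarantine"
    | project NetworkMessageId, RecipientEmailAddress, ZapTime = Timestamp,
              ZapType = ActionType, ThreatTypes;
// 3. URL clicks tied to the same message id
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, ClickedBy = AccountUpn, Url, ClickAction = ActionType,
              IsClickedThrough, ClickTime = Timestamp;
delivered
| join kind=inner zapped on NetworkMessageId, RecipientEmailAddress
| join kind=inner clicks on NetworkMessageId
// Did the click land while the mail was still sitting in the inbox?
| extend ClickedBeforeRemoval = ClickTime < ZapTime
// Clicks that Safe Links allowed (or the user clicked through a warning) matter most
| extend NeedsFollowUp = ClickAction == "ClickAllowed" or IsClickedThrough == true
| project ClickTime, DeliveredTime, ZapTime, ClickedBeforeRemoval, NeedsFollowUp,
          RecipientEmailAddress, ClickedBy, SenderFromAddress, Subject, Url,
          ClickAction, ZapType, ThreatTypes, NetworkMessageId
| order by NeedsFollowUp desc, ClickTime desc
```

Rows with ClickedBeforeRemoval and NeedsFollowUp both true are the ones to triage first; the rest show ZAP doing its job before anyone interacted with the message.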