You would need Azure Lighthouse for that.

I imagine that you can, but I have never done it. If I was to, I would start by investigating how to ingest data into whatever tool you want to use for analysis and then figure out how to extract the data from the unified audit log (probably with PowerShell) for ingestion and processing.

Looks like you need a separate workspace per tenant: https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants

How? Only single-tenant connection is allowed. You cannot use data from other tenants:

2. Previously connected tenants
Microsoft Sentinel now enables Office 365 single-tenant connection. You can modify your previously connected tenants and click Save.

I imagine that a Sentinel connector would be the right way: https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources

Great article.

If I have 2 tenants, can I ingest data from Tenant A into Sentinel of Tenant B? I cannot find such an option in the Data Connector. Is there a way to customize it?

Here’s an example of using the audit log to track SharePoint file deletions: https://office365itpros.com/2021/12/16/sharepoint-online-deletion/

I don’t think you can customize the set of operations ingested from SharePoint into Sentinel. It seems like the connector takes what it can.

As to the KQL query, check out https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data to find out how to build KQL queries. And this article from Thijs, of course: https://practical365.com/use-kql-to-master-sentinel-data/

Another way to attack the problem is to use the events in the unified audit log to detect when people create, update, or delete a SharePoint file. Sentinel gets its data from the audit log, so I would go there in the first instance.