lfk73
Brass Contributor
Jul 25, 2025

Defender For Endpoint let down

I've been liking the Defender for Endpoint and Cloud capabilities but recently tried to do something very basic and found it falls short.


In the old days of inline or explicit proxies you would see every request for every link and every object requested on a website. Background-loaded ones as well as those from a user intentionally clicking a link are all recorded, even including the referring page, the bytes transferred, etc. If you wanted to know how much data a user had downloaded from a certain domain it was easy to get, because the URL, the transferred bytes, time of day, etc. are all there.


Today I noticed in Cloud Apps, Cloud Discovery, that a user was downloading a huge amount of data. Cloud Apps says they downloaded 1TB from Google in a week. Well, I wonder what that is?

Click into the user in Cloud Discovery and it's all just highly summarized. It doesn't show the specific URLs, times, bytes transferred, etc. Just the total over time and the "base" cloud service.

I go into threat hunting, search around, experiment a bit and eventually filter network events to "*google*". Ok, now we are getting somewhere: I can see lots of googlevideo.com requests. Hmm, probably YouTube, so why call it Google when it's actually YouTube? Are you just using the base domain as the way to identify what cloud service it is? That's pretty janky.


I'll assume it's YouTube, so how much data did they download in these requests? Was it just an image or a streamed video? Well, in threat hunting there is no bytes transferred for each request. How can I tell if a request is a 10kb image or a 100GB video stream?

Falling short in features here.
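An advanced hunting query for the step the post describes, added here as an illustration and not part of the original thread. It assumes the standard DeviceNetworkEvents schema (Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl); the account name is a placeholder.

```kql
// Added example: group Defender for Endpoint network events by the host
// actually contacted instead of the "base" cloud service, so that
// googlevideo.com traffic is not folded into "Google".
// Assumes the standard DeviceNetworkEvents schema. The table carries no
// bytes-transferred column, so only request counts, timing and device
// spread can be measured here, not download volume.
let lookback = 7d;
let account = "<user-account-placeholder>";   // constructed placeholder
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessAccountName =~ account
| where isnotempty(RemoteUrl)
// Normalise to a bare lowercase host name (RemoteUrl may carry a scheme/path)
| extend Host = tolower(tostring(parse_url(
      iff(RemoteUrl startswith "http", RemoteUrl, strcat("http://", RemoteUrl))).Host))
| where isnotempty(Host)
// Registrable domain approximated as the last two labels (fine for .com hosts)
| extend Labels = split(Host, ".")
| extend BaseDomain = strcat(tostring(Labels[array_length(Labels) - 2]), ".",
                             tostring(Labels[array_length(Labels) - 1]))
| where BaseDomain in ("google.com", "googlevideo.com", "youtube.com", "ytimg.com")
| summarize Requests = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = dcount(DeviceName)
         by BaseDomain, Host
| order by Requests desc
```

Separating googlevideo.com from google.com in the output is what distinguishes the streaming traffic from ordinary Google requests; per-request byte counts still have to come from a proxy or firewall log ingested alongside these events.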

1 Reply

  • You may consider:

    • Microsoft Defender XDR's Unified Audit Logs (if integrated with Microsoft 365); these might give additional context from other Microsoft services like Exchange, SharePoint, and Teams if they're relevant to the user's behavior.
    • Microsoft Sentinel: if Defender for Endpoint data is connected to Sentinel, it can enrich event data or use custom parsers to pull more detailed logs, especially when ingesting proxy logs separately.
