
Single Rule for No logs receiving

Hi everyone,

I currently maintain one Analytics rule per table to detect when logs stop coming in. Some tables receive data from multiple sources, each with a different expected interval (for example, some sources send every 10 minutes, others every 30 minutes).

In other SIEM platforms there’s usually:

- A global threshold (e.g., 60 minutes) for all sources.
- Optional per-device (DeviceVendor/Computer) or per-table thresholds that override the global value.

Is there a recommended way to implement one global rule that uses a default threshold but allows per-source overrides when a particular device or log table has a different expected frequency?

Also, if there are other approaches you use to manage "logs not received" detection, I'd love to hear your suggestions as well.

This is a sample of my current rule.

// Alert when the newest AzureActivity record is older than the threshold.
let threshold = 1h;
AzureActivity
| summarize LastHeartBeat = max(TimeGenerated)
| where LastHeartBeat < ago(threshold)

submitted by /u/ClassicSkirt9594
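One way to build the single rule the post asks for, as an added example rather than the poster's own rule: a datatable of overrides keyed by table and source, a default for everything else, and a full outer join so that a source listed in the overrides is also reported when it has sent nothing at all in the lookback window (a case the post does not cover). The table names are standard Microsoft Sentinel tables; the vendor names, thresholds and the 7-day lookback are constructed placeholders.

```kql
// Default applies to every table/source that has no override.
let DefaultThreshold = 60m;
// Overrides (constructed sample values, not a real deployment): an empty Source
// means the whole table; a named Source takes precedence over the table-level value.
let Overrides = datatable(Table:string, Source:string, Threshold:timespan) [
    "CommonSecurityLog", "Palo Alto Networks", 10m,
    "CommonSecurityLog", "Fortinet",           30m,
    "Syslog",            "",                   30m,
    "AzureActivity",     "",                   2h
];
// Bound the scan; a source silent for longer than this is reported as never seen.
let Lookback = 7d;
// Normalise each monitored table to (Table, Source, LastSeen).
let Heartbeats = union
    (AzureActivity     | extend Table = "AzureActivity",     Source = ""),
    (CommonSecurityLog | extend Table = "CommonSecurityLog", Source = DeviceVendor),
    (Syslog            | extend Table = "Syslog",            Source = Computer)
    | where TimeGenerated > ago(Lookback)
    | summarize LastSeen = max(TimeGenerated) by Table, Source;
Heartbeats
// fullouter keeps sources listed in Overrides that sent nothing in the window.
| join kind=fullouter (Overrides | where isnotempty(Source)) on Table, Source
| extend Table = coalesce(Table, Table1), Source = coalesce(Source, Source1)
| project-away Table1, Source1
// Table-level overrides apply to every source of that table without a named override.
| join kind=leftouter (Overrides | where isempty(Source)
                       | project Table, TableThreshold = Threshold) on Table
| extend EffectiveThreshold = coalesce(Threshold, TableThreshold, DefaultThreshold)
| extend Age = now() - LastSeen   // null when the source was never seen in the window
| where isnull(LastSeen) or Age > EffectiveThreshold
| project Table, Source, LastSeen, Age, EffectiveThreshold
```

Schedule it with a query period that covers Lookback; each returned row names the table and source that is late and the threshold it was held to, so one rule can replace the per-table copies.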