Akila2
Copper Contributor
Sep 15, 2025

Single Rule for No logs receiving (Global + Per-device Thresholds)

Hi everyone,

I currently maintain one Analytics rule per table to detect when logs stop coming in.
Some tables receive data from multiple sources, each with a different expected interval (for example, some sources send every 10 minutes, others every 30 minutes).

In other SIEM platforms there’s usually:

  • A global threshold (e.g., 60 minutes) for all sources.
  • Optional per-device/per-table thresholds that override the global value.

Is there a recommended way to implement one global rule that uses a default threshold but allows per-source overrides when a particular device or log table has a different expected frequency?

Also, if there are other approaches you use to manage “logs not received” detection, I’d love to hear your suggestions as well.

This is a sample of my current rule:

let threshold = 1h;
AzureActivity
| summarize LastHeartBeat = max(TimeGenerated)
| where LastHeartBeat < ago(threshold)
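One way to collapse the per-table rules into a single scheduled rule with a global default and per-table / per-device overrides, as an added KQL example that is not part of the original post. The override rows, the device names, the table list and the `Computer` column used as the device key are constructed assumptions; adapt them to the workspace.

```kusto
// Added example (not the poster's rule): one scheduled rule, global default
// plus per-table and per-device overrides. Override rows, device names and
// the table list are constructed assumptions.
let GlobalThreshold = 60m;
// A row with an empty Device applies to the whole table; a row naming a
// Device applies to that source only and takes precedence over the table row.
let Overrides = datatable(SourceTable:string, Device:string, Threshold:timespan) [
    "Syslog",        "fw-edge-01", 10m,   // constructed: firewall sends every 10 min
    "Syslog",        "",           30m,   // other Syslog sources send every 30 min
    "AzureActivity", "",           2h     // bursty source, tolerate a longer gap
];
// Last event per table and device. The rule's query period bounds this,
// so set the lookback longer than the largest threshold in use.
let LastSeen =
    union withsource=SourceTable isfuzzy=true
        AzureActivity, Syslog, SecurityEvent, CommonSecurityLog
    // Tables without a Computer column (e.g. AzureActivity) get an empty Device
    | extend Device = tostring(column_ifexists("Computer", ""))
    | summarize LastHeartbeat = max(TimeGenerated) by SourceTable, Device;
LastSeen
// Device-level override, if one exists
| join kind=leftouter (
      Overrides
      | where isnotempty(Device)
      | project SourceTable, Device, DeviceThreshold = Threshold
  ) on SourceTable, Device
| project-away SourceTable1, Device1
// Table-level override, if one exists
| join kind=leftouter (
      Overrides
      | where isempty(Device)
      | project SourceTable, TableThreshold = Threshold
  ) on SourceTable
| project-away SourceTable1
// Most specific threshold wins, otherwise fall back to the global default
| extend Threshold = coalesce(DeviceThreshold, TableThreshold, GlobalThreshold)
| extend SilentFor = now() - LastHeartbeat
| where SilentFor > Threshold
| project SourceTable, Device, LastHeartbeat, SilentFor, Threshold
```

A source that has been silent for longer than the rule's query period never appears in LastSeen at all, so to catch those as well, keep a list of expected devices and join it with kind=rightouter (or fullouter) so that rows with no LastHeartbeat still fire.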