Skip to content

[Rule Tuning] Update Azure / M365 Index Patterns and Lookback Windows #5154

New issue
New issue
Closed
#5155
Closed
[Rule Tuning] Update Azure / M365 Index Patterns and Lookback Windows#5154
#5155
Assignees
terrancedejesus
Labels
Domain: ApplicationDomain: CloudDomain: Cloud WorkloadsDomain: EmailDomain: IdentityDomain: NetworkDomain: SaaSDomain: StorageIntegration: Azureazure related rulesIntegration: Microsoft 365Rule: Tuningtweaking or tuning an existing rule
@terrancedejesus

Description

@terrancedejesus
terrancedejesus
opened on Sep 26, 2025

Azure & M365 rules have inconsistent index patterns and lookback windows. We should adjust these not only for consistency but performance.

Index Patterns:

  • Update all index patterns to logs-[INTEGRATION].[DATASTREAM]-*. These keeps them consistent and more performant as some are not scoped properly such as logs-azure.*
  • Update all lookback windows and intervals (if applicable). Many rules have inconsistent lookback windows between 9m-25m. These are commonly now-9m with a default interval of 5m. This keeps a rolling window of any potential missed events since last execution. NOTE: Deduplication is handled upstream for all but ESQL-based rules.

Metadata

Metadata

Assignees

Labels

Domain: ApplicationDomain: CloudDomain: Cloud WorkloadsDomain: EmailDomain: IdentityDomain: NetworkDomain: SaaSDomain: StorageIntegration: Azureazure related rulesIntegration: Microsoft 365Rule: Tuningtweaking or tuning an existing rule

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions