[Rule Tuning] Standardize Azure / M365 Rule Contents #5033

@terrancedejesus

Description

The Azure and M365 ruleset needs standardized rule contents for the following:

  • Rule Name - Rule names for Azure should include the service (Entra ID, Functions, Automation, VNet, etc.) only. No Microsoft prefix to keep names short and simple but the service apparent.
  • Scoped Indices - Some indices may be logs-o365* instead of logs-o365.audit-*. This is more prevalent in Azure but should be tightened down. This helps performance.
  • Rule Tags - Rule tags should include correct domain (Cloud, Identity, Email, Network, etc.) related to XDR. They should also include a hierarchy of Data Sources (Azure -> Entra ID -> Entra ID Sign In Logs) or (Microsoft 365 -> Microsoft 365 Audit Logs -> Exchange). Order does not matter but these should contextually be available. Important for search upstream or AI.
  • Missing or mismapped MITRE mappings - Some older rules may not reflect current MITRE mappings; we need to adjust these if identified.
  • Lookback window - The from value is important but is missing in some rules or has too large a lookback. We can keep the standard -9m with a default interval of 5m. Remember that deduplication happens upstream for all rule types except ESQL. For ESQL, we need to have the interval be -1m of the lookback to avoid duplicates.
  • Linting - All rules will be linted for consistency.
  • File names - While not as important upstream, file name consistency is good for repo hygiene. We will do (MITRE -> Service -> Threat), e.g. collection_onedrive_excessive_external_downloads.toml. This also keeps file names shorter.
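The checks listed above can be automated as a small lint pass over each rule's metadata. The following is an added example written for this issue; it is not code from the detection-rules repository. It assumes a rule has been loaded into a dict with the TOML field names `name`, `index`, `tags`, `from`, `interval`, `language` and `threat`, that tags use the `Domain: ...` and `Data Source: ...` prefixes, and that file names start with a MITRE tactic in snake_case; the two sample rules are constructed, not real rules.

```python
import re

# Accepts "5m", "-9m" or "now-9m" and returns the duration in minutes.
DURATION_RE = re.compile(r"^(?:now)?-?(\d+)([smh])$")
TO_MINUTES = {"s": 1 / 60, "m": 1, "h": 60}

# Dataset-scoped index pattern: logs-<integration>.<dataset>-* (assumed convention)
SCOPED_INDEX_RE = re.compile(r"^logs-[a-z0-9_]+\.[a-z0-9_.]+-\*$")

MITRE_TACTICS = {
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion", "credential_access",
    "discovery", "lateral_movement", "collection", "command_and_control",
    "exfiltration", "impact",
}


def duration_minutes(value):
    m = DURATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable duration: {value!r}")
    return int(m.group(1)) * TO_MINUTES[m.group(2)]


def check_rule(rule, filename):
    """Return a list of 'CODE: message' findings for one rule dict + file name."""
    findings = []

    # Rule name: service only, no "Microsoft" prefix.
    if rule["name"].lower().startswith("microsoft "):
        findings.append("NAME: drop the Microsoft prefix, keep only the service")

    # Scoped indices: logs-o365* is too broad, logs-o365.audit-* is not.
    for idx in rule.get("index", []):
        if not SCOPED_INDEX_RE.match(idx):
            findings.append(f"INDEX: {idx} is not scoped to a dataset")

    # Tags: one XDR domain plus a Data Source hierarchy (at least two levels).
    tags = rule.get("tags", [])
    if not any(t.startswith("Domain: ") for t in tags):
        findings.append("TAGS: missing Domain tag")
    if sum(t.startswith("Data Source: ") for t in tags) < 2:
        findings.append("TAGS: Data Source hierarchy is incomplete")

    # MITRE mapping present at all.
    if not any(entry.get("technique") for entry in rule.get("threat", [])):
        findings.append("MITRE: no technique mapped")

    # Lookback: ESQL has no upstream dedup, so from must be interval + 1m;
    # everything else only needs from >= interval to avoid coverage gaps.
    lookback = duration_minutes(rule.get("from", "now-9m"))
    interval = duration_minutes(rule.get("interval", "5m"))
    if rule.get("language") == "esql":
        if lookback != interval + 1:
            findings.append(f"LOOKBACK: esql rule needs from = interval + 1m, got {lookback}m")
    elif lookback < interval:
        findings.append("LOOKBACK: from is shorter than interval, events would be missed")

    # File name: <tactic>_<service>_<threat>.toml in snake_case.
    stem = filename[:-5] if filename.endswith(".toml") else filename
    if not re.fullmatch(r"[a-z0-9_]+", stem):
        findings.append("FILE: name is not lowercase snake_case")
    if not any(stem.startswith(t + "_") for t in MITRE_TACTICS):
        findings.append("FILE: name does not start with a MITRE tactic")
    return findings


# Constructed sample rules for illustration only.
GOOD_RULE = {
    "name": "Entra ID Sign-in from Unusual Location",
    "index": ["logs-azure.signinlogs-*"],
    "tags": ["Domain: Identity", "Data Source: Azure", "Data Source: Entra ID",
             "Data Source: Entra ID Sign-in Logs", "Tactic: Initial Access"],
    "from": "now-9m", "interval": "5m", "language": "kuery",
    "threat": [{"technique": [{"id": "T1078"}]}],
}
BAD_RULE = {
    "name": "Microsoft 365 OneDrive Excessive External Downloads",
    "index": ["logs-o365*"],
    "tags": ["Cloud"],
    "from": "now-24h", "interval": "5m", "language": "esql",
    "threat": [],
}

if __name__ == "__main__":
    for f in check_rule(BAD_RULE, "Collection OneDrive Downloads.toml"):
        print(f)
```

Running the block prints eight findings for the constructed bad rule and none for the good one; wiring `check_rule` into the repo's existing lint step would enforce the standard on every new PR.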
