What you are describing sounds like a 'series decompose anomalies' query. Though you likely are better to track when data collection stops for longer than desired. There are less complicated ways to achieve the result. Event volume anomaly detection could be misleading.
//Data collection to any table has stopped
let DownLimit = ago(1d);
union withsource=TableName1 *
| project TimeGenerated, TableName1
| summarize arg_max(TimeGenerated, *) by TableName1
| where TimeGenerated < DownLimit
//No security evens received from a Windows device in over an hour
let DownLimit = ago(1h);
SecurityEvent
| project TimeGenerated, Computer
| summarize arg_max(TimeGenerated, *) by Computer
| where TimeGenerated < DownLimit