Javier-Soriano, thank you for the information. It has helped immensely.
I have a couple of questions if you don't mind.
- For scheduled Analytic Rules created in the customer tenant via Wortell's PowerShell scripts and a corresponding JSON file, is there any way to attach a playbook that was created in the MSSP tenant and not in the customer tenant? When trying to do so, I get a warning stating: "WARNING: Unable to find LogicApp XYZ under Subscription Id: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx". After the rules are created, I can manually assign a Playbook created in the MSSP tenant to an Analytic rule that was created in the customer tenant, but not via the PowerShell script.
- As for the Analytic Rules themselves, if we want to store all Analytic Rules in our MSSP tenant, you mentioned using the following format in the query:
workspace('<customer-workspace>').SecurityEvent
| where EventID == 4625
Would you recommend we duplicate this query, replacing the customer workspace for each client, or create one rule and add all our clients' workspace names to each rule using the union operator?
For example, if we have set up 100 rules in the MSSP tenant for a single client, and we onboard 5 other clients to Azure Lighthouse, we would end up with 600 rules in our tenant with the only difference being the workspace name in the queries.
The other option would be to set up those 100 rules, but use the union operator to add the other 5 clients' workspaces to the existing rules. For every new client that we onboard, we would just append the workspace name to the table we are referencing. For example:
"union SigninLogs, workspace('ClientWorkspace1').SigninLogs, workspace('ClientWorkspace2').SigninLogs"
I appreciate your help on this!
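The two options discussed in the post above (one rule per customer workspace versus one rule that unions every customer workspace) can both be generated from a single template, which is usually how an MSSP keeps the rule count manageable either way. The following PowerShell is an added example written for this thread; it is not part of the original post, not one of Wortell's scripts, and not a Microsoft API. The rule shape (a DisplayName plus a Query), the `<customer-workspace>` placeholder, and the workspace names are assumptions constructed for the example.

```powershell
# Added example: generate Sentinel scheduled-rule queries for an MSSP from one template.
# Not from the original post, Wortell's scripts, or Microsoft. The rule object shape
# (DisplayName + Query) is a minimal assumption; adapt it to the JSON your deployment
# script expects. Workspace names below are constructed sample data.

# Template rule: the placeholder is the literal '<customer-workspace>' token from the thread.
$RuleTemplate = @{
    DisplayName = 'Failed logons (EventID 4625)'
    Query       = @"
workspace('<customer-workspace>').SecurityEvent
| where EventID == 4625
"@
}

# Constructed customer workspace names (Azure Lighthouse-delegated workspaces in practice).
$CustomerWorkspaces = @('ClientWorkspace1', 'ClientWorkspace2', 'ClientWorkspace3')

# Option 1: one rule per customer. Rule count = templates x customers.
function New-PerCustomerRule {
    param(
        [Parameter(Mandatory)][hashtable]$Template,
        [Parameter(Mandatory)][string]$Workspace
    )
    # .Replace is a literal (non-regex) substitution, so the angle brackets are safe.
    [pscustomobject]@{
        DisplayName = "$($Template.DisplayName) - $Workspace"
        Query       = $Template.Query.Replace('<customer-workspace>', $Workspace)
    }
}

# Option 2: one rule that unions the same table across every customer workspace.
# Rule count stays at the number of templates; onboarding a customer means
# regenerating the query with one more workspace in the list.
function New-UnionRule {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Table,
        [Parameter(Mandatory)][string[]]$Workspaces,
        [string]$Filter = ''
    )
    $sources = $Workspaces | ForEach-Object { "workspace('$_').$Table" }
    # isfuzzy=true lets the query still run if one workspace does not have the table yet
    # (for example a freshly onboarded customer with no data in it).
    # TenantId (the workspace GUID) is kept so an alert can be traced back to a customer.
    $query = "union isfuzzy=true $($sources -join ', ')"
    if ($Filter) { $query += "`n$Filter" }
    $query += "`n| project-reorder TenantId"
    [pscustomobject]@{ DisplayName = $DisplayName; Query = $query }
}

# Usage
$perCustomer = $CustomerWorkspaces | ForEach-Object { New-PerCustomerRule -Template $RuleTemplate -Workspace $_ }
$perCustomer | Format-List

$union = New-UnionRule -DisplayName 'Failed logons (EventID 4625) - all customers' `
                       -Table 'SecurityEvent' `
                       -Workspaces $CustomerWorkspaces `
                       -Filter '| where EventID == 4625'
$union.Query
```

Either output can be dropped into the query field of whatever rule JSON your deployment script consumes. The trade-off the post raises is visible in the two functions: the per-customer path yields one object per workspace (and one incident stream per customer), while the union path yields a single object whose query grows by one `workspace()` source per onboarded client, so keeping `TenantId` in the results is what tells you which customer a given alert came from.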