Hi GeorgeAbouSamra,
For 1), I don't think that is possible with AzSentinel. Tagging Pouyan Khabazi to take it as feedback.
For 2), please read the following article about cross-workspace analytics rules: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-cross-workspace-analytics-rules/ba-p/1664211 . If the rule that you're defining doesn't contain intellectual property, our recommendation is to create the rule in the customer tenant. If you do need to protect your IP, then use each rule for a single customer, because it may be difficult to tell which customer the alert was triggered on, and it will complicate investigation.
It is true that you will end up with a high number of rules, but with a good naming convention and proper configuration management via infrastructure as code, this should not be a problem. Furthermore, you can define in the MSSP tenant a workspace for each target customer to streamline management.
Regards