Hello.
In an MSSP environment with many customers on-boarded to a central MSSP Tenant (using Lighthouse), instead of having different rules for every customer (your picture under MSSP considerations) in the central Tenant, maybe it would be better to have a single cross-workspace analytic rule for all the on-boarded customers in the central Tenant and at some point have the ability to "aggregate" the name of the customer or the customer's workspace name in the produced alert? As far as I have seen, and despite the fact that the query is cross-workspace, the produced alert includes only the workspace name where the analytic rule was created.
I am thinking about a scenario where a SOC has already developed 50 use cases (analytic rules) in a central MSSP Tenant for one customer and in the near future 10 additional customers will be on-boarded to that Tenant through Lighthouse. So the SOC will need 50X10=500 different analytic rules in order to query all the customers' workspaces through a single Tenant.
Regards,