Thanks Javier. I get the complexity added by doing a single rule that spans multiple customers. Though even with DevOps, it can be complex managing the same rule across multiple customers. Either you have a copy for every customer, which can mean editing a copy per customer for one minor edit to one KQL query; or you write some pretty complex DevOps code to push a single rule multiple ways based on the details of that customer/workspace. Something to consider.
But what about rules other than the "Scheduled" rules, like the Fusion rule, ML rules, or the Microsoft Security rules such as the one that promotes ASC alerts to Sentinel incidents. How would I generate Sentinel incidents for these in my Sentinel that my SOC monitors, based on these types of rules? I don't want to rely on these rules being in the customer Sentinel as I have no control over that Sentinel and the customer may or may not be poking around in their Sentinel with rules and incidents of their own.
Thanks, Mark