Forum Discussion

smavrakis
Copper Contributor
Sep 17, 2025

MSSP Multi-Tenant Handling with Lighthouse and Defender XDR

Hello,

As far as I know, an MSSP provider leverages Azure Lighthouse to call and access multiple customer workspaces, which allows it to manage analytics across tenants.

My questions are:

In the case of moving to Defender XDR, how would this be possible in a multi-tenant MSSP scenario?
Even with Lighthouse, how does Defender XDR avoid merging incidents/alerts across different customers when the same entities are involved?
How does Defender XDR differentiate identical IOCs (same IP, hash, etc.) that appear in multiple customers?
Can MSSPs customize correlation logic to prevent false cross-tenant merges?

Content Ownership & Sharing

Most MSSPs do not want to share their proprietary content (custom rules, detections, playbooks, analytics, etc.) with customers. How is Defender XDR approaching this requirement to ensure MSSPs can operate without exposing their intellectual property?

Example:

Customer Test 1 has a port scan incident from IP 10.10.10.10.
Customer Test 2 also has a port scan incident from the same IP 10.10.10.10.

In Sentinel today, these would remain separate. But in Defender XDR, would these two alerts risk being merged into a single incident because the same entity is detected across tenants?

Thanks in advance for any clarification.
