Forum Discussion
MSSP Multi-Tenant Handling with Lighthouse and Defender XDR
This is an opinion of mine after working 10-15 years in the Security Operations side of EDR, XDR and IR. There is not a single scenario where you as an MSSP or partner will be looked upon with a positive view if you want to call analytic rules, custom detections or similar logic "IPs" and hide them from your customer. Especially not in the Microsoft ecosystem. The value is not your custom detection; there are TONS of communities out there sharing those. It's understanding them and presenting that to the partner. You are both in it for the security.
With that said, you have some solid questions, but analytic rules need to have custom lookups (you have to make them all custom to look in specific workspaces). The alerts/incidents will only be listed under that workspace with that filter.