Forum Discussion
MSSP Multi-Tenant Handling with Lighthouse and Defender XDR
Hello,
As far as I know, an MSSP provider leverages Azure Lighthouse to access multiple customer workspaces, which allows it to manage analytics across tenants.
My questions are:
In the case of moving to Defender XDR, how would this be possible in a multi-tenant MSSP scenario?
Even with Lighthouse, how does Defender XDR avoid merging incidents/alerts across different customers when the same entities are involved?
How does Defender XDR differentiate identical IOCs (same IP, hash, etc.) that appear in multiple customers?
Can MSSPs customize correlation logic to prevent false cross-tenant merges?
Content Ownership & Sharing
Most MSSPs do not want to share their proprietary content (custom rules, detections, playbooks, analytics, etc.) with customers. How is Defender XDR approaching this requirement to ensure MSSPs can operate without exposing their intellectual property?
Example:
Customer Test 1 has a port scan incident from IP 10.10.10.10.
Customer Test 2 also has a port scan incident from the same IP 10.10.10.10.
In Sentinel today, these would remain separate. But in Defender XDR, would these two alerts risk being merged into a single incident because the same entity is detected across tenants?
Thanks in advance for any clarification.
1 Reply
- john66571 (Iron Contributor)
This is an opinion of mine after working 10-15 years on the Security Operations side of EDR, XDR and IR. There is not a single scenario where you as an MSSP or partner will be looked upon with a positive view if you want to call analytic rules, custom detections or similar logic "IP" and hide them from your customer. Especially not in the Microsoft ecosystem. The value is not your custom detection; there are TONS of communities out there sharing those. It's understanding them and presenting that to the partner. You are both in it for the security.
With that said, you have some solid questions, but analytic rules need to have custom lookups (you have to make them all custom to look in specific workspaces). The alerts/incidents will only be listed under that workspace with that filter.
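As an added illustration of the "custom lookups into specific workspaces" point above (this is example KQL written for this thread, not code from either poster or from Microsoft), here is how a Lighthouse-scoped query can union two customer workspaces and still keep the port-scan alerts for the same source IP apart. The workspace names `sentinel-ws-test1` and `sentinel-ws-test2` are hypothetical placeholders for the two customers in the question.

```kql
// Added example (not from the original thread). Assumes the MSSP has Lighthouse
// delegation to two customer Sentinel workspaces; the names below are hypothetical.
let Test1 = workspace("sentinel-ws-test1").SecurityAlert
    | extend Customer = "Test 1";
let Test2 = workspace("sentinel-ws-test2").SecurityAlert
    | extend Customer = "Test 2";
union Test1, Test2
| where TimeGenerated > ago(1d)
| where AlertName has "port scan"
// Entities is a JSON array; pull out the IP entities attached to each alert.
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList
| where tostring(Entity.Type) == "ip"
| extend SourceIp = tostring(Entity.Address)
// Grouping by Customer (and TenantId, the workspace ID) is what keeps
// 10.10.10.10 in Test 1 and 10.10.10.10 in Test 2 as two separate rows
// instead of one merged result.
| summarize AlertCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Customer, TenantId, SourceIp
| order by Customer asc, LastSeen desc
```

The important design choice is the `summarize ... by Customer, TenantId, SourceIp` line: any correlation key that omits the workspace identifier would collapse identical IOCs from different customers into one row, which is exactly the cross-tenant merge the question is worried about. The same key discipline applies when such a query is turned into a scheduled analytics rule, since the resulting incidents are then created per workspace rather than across them.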