Segregating and Identifying Alerts in Sentinel Workspace

Someiah C S 80 Reputation points
2024-07-03T04:32:08.67+00:00

I am seeking a method to segregate alerts in a Sentinel workspace to facilitate easier identification and prioritization. For instance, if we have multiple clients' logs in a single workspace, we need a way to identify and segregate alerts based on the client.

Is tagging an alert based on the Resource Group (RG) the best approach? If so, how can we achieve and implement this?

Microsoft Sentinel

1 answer

  1. Andrew Blumhardt 9,841 Reputation points Microsoft Employee
    2024-07-03T12:22:55.9866667+00:00

    If these clients are individual customers you may want to keep them in separate Sentinel instances for a variety of reasons. For example, billing, privacy, and the difficulty of separating clients later. Sentinel has many features to support an MSP model. https://aka.ms/mssentinelmssp.

    I agree that tagging combined with filters or workbooks would be the best way to segment. I would start by trying automation rules first since this is the easiest to manage and at no additional cost. For example, if there is an identifiable naming standard for resource names. If the automation rule filters are insufficient your next option is a logic app. There you can use KQL or Resource Graph queries to identify the client. It may not be easy or possible to attribute every alert to a client.

    Start with the device or host entity. The logic app would be an incident trigger, followed by get host, then lookup the client identifier, and then add the tag. Other entity types will be harder and some alerts may not have entities. You might add a task to verify/manually add a tag to fill the gap.
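The host-entity lookup described in the answer, written as a KQL query you could run against the workspace (or call from a Logic App "Run query and list results" step) to see which client each alert would be tagged with before automating it. This is an added example, not the answerer's code; it assumes a host naming standard of `<clientcode>-<role>-<nn>` and a hypothetical watchlist named `ClientResourceGroups` (columns `ResourceGroup`, `ClientId`) as the resource-group fallback.

```kql
// Assumed watchlist mapping resource groups to client identifiers (constructed for this example).
let ClientByRG = _GetWatchlist('ClientResourceGroups')
    | project ResourceGroup = tolower(tostring(ResourceGroup)), ClientId = tostring(ClientId);
SecurityAlert
| where TimeGenerated > ago(24h)
// Entities is a JSON string; expand it to one row per entity and keep only host entities.
| extend EntityList = todynamic(Entities)
| mv-expand Entity = EntityList
| where tostring(Entity.Type) == "host"
| extend HostName = tolower(tostring(Entity.HostName))
// Client code from the assumed naming standard: the text before the first '-'.
| extend ClientFromHost = extract(@"^([a-z0-9]+)-", 1, HostName)
// Fallback: resource group segment of the alert's Azure resource ID, mapped via the watchlist.
| extend ResourceGroup = tolower(extract(@"(?i)/resourcegroups/([^/]+)/", 1, ResourceId))
| lookup kind=leftouter ClientByRG on ResourceGroup
// First non-empty value wins; anything left over surfaces as "unattributed" for the manual-tag task.
| extend ClientTag = coalesce(ClientFromHost, ClientId, "unattributed")
| summarize Alerts = count(), Hosts = make_set(HostName) by ClientTag, AlertName, AlertSeverity
| order by ClientTag asc, Alerts desc
```

Alerts with no host entity never reach the summarize step, so run a second pass without the host filter to size the gap the manual-tag task has to cover.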