Multi-tenant Best Practices
Running security operations for multiple clients simultaneously is fundamentally different from running a single-organisation SOC. This guide covers the patterns that work well in practice — based on how our early MSSP customers have set up and run Seliq.
Workspace naming conventions
Section titled “Workspace naming conventions”Pick a naming convention before you start creating workspaces and stick to it. Once a workspace slug is set, it can’t be changed without support.
Recommended patterns:
| Pattern | Example | Good for |
|---|---|---|
| Client legal name | acme-corp | Small book of business |
| Client + environment | acme-corp-prod | Clients with multiple environments |
| Client + contract ID | acme-2024-ent | High compliance environments |
Avoid using internal nicknames that clients might not recognise — they appear in API references and export filenames.
Analyst assignment strategy
Section titled “Analyst assignment strategy”The right assignment model depends on your client volume and analyst headcount.
Dedicated model — assign one or two analysts exclusively to a single client.
- Best for: High-volume clients, clients with complex environments, or clients with strict data access requirements
- Risk: Inefficient when alert volume is low; analyst sits idle
Pool model — multiple analysts share a client queue, claiming incidents on demand.
- Best for: Medium-volume clients, standard MSSP operations
- Risk: No single analyst builds deep knowledge of the client environment
Tiered model — a primary analyst owns the client relationship and monitors the queue; a secondary analyst joins during peaks or after hours.
- Best for: Most MSSP deployments. Balances specialisation with coverage.
Our recommended default: tiered model, with the primary analyst set as the escalation owner in SLA configuration.
Integration per workspace vs. shared integrations
Section titled “Integration per workspace vs. shared integrations”Each workspace has its own integration credentials. There is no shared credential pool. This is intentional — it enforces the isolation model and ensures that a credential rotation for one client doesn’t affect others.
One SIEM instance per client: Configure a dedicated Sentinel workspace or Splunk search scope for each client. Don’t point multiple workspaces at the same integration source.
CrowdStrike with multiple CIDs: If you manage multiple CrowdStrike CID environments, create one integration per CID per workspace.
SLA configuration consistency
Section titled “SLA configuration consistency”Before creating your 10th workspace, establish a baseline SLA template that applies to most clients. Custom SLAs for specific clients are overrides of this baseline.
Recommended baseline (adjust to match your contracts):
| Severity | TTA | TTR |
|---|---|---|
| Critical | 15 min | 4 hours |
| High | 1 hour | 8 hours |
| Medium | 4 hours | 24 hours |
| Low | 24 hours | 5 business days |
Keep copies of each client’s contract SLA terms in the workspace description field for quick reference.
Incident handover between shifts
Section titled “Incident handover between shifts”Audit and compliance
Section titled “Audit and compliance”Seliq maintains a full immutable audit log for every workspace:
- Every status change, note addition, and analyst action is timestamped and attributed
- Integration connection and disconnection events are logged
- Report generation and delivery are logged
Audit logs are available for export from Workspace Settings → Audit log → Export (CSV or JSON). Retention period depends on your plan tier.