One of the issues I have faced during my career is that of multi-tenancy, and the choice of SIEM. Why is this an issued, well there are MSSP's who follow the NIST cybersecurity framework life cycle - but many Small to Medium organisations simply cannot afford all the bells and whistles even at the most minimum offering i.e. inclusion of Machine Learning, Automation, and Augmented Intelligence and Incident Response services.
Some vendors claim multi-tenancy with caveats for example: one of them states you can have the feature, but you need careful design, management and essentially there are rules and limitations, which all contribute to the risk of data leakage between tenants without sufficient segregation and separation. Others claim, they provide it through federated Identity access. However, in many cases, the risks are only minimised, if you the organisation own the entire domains under your control, and you manage it centrally yourselves.
So if you had a plain piece of paper to work from; what attributes, non-functional requirements would you require before you committed to using a SIEM with true multi-tenancy capabilities?