Forum Discussion
SKadish
Apr 08, 2025 (Brass Contributor)
"Security Operations Admin User" Predefined Critical Asset classification
In our XDR instance, the new "Security Operations Admin User" predefined Critical Asset classification (introduced last month) contains a few non-privileged users. I can't figure out by what logic they were added to this classification.
It seems that the users may be using laptops that are classified as "Security Operations Admin Devices," but I can't figure out why those devices are grouped that way, either.
If it were a matter of an IT user logging onto one of the machines for support, there would inevitably be a lot MORE users and devices in these groups.
Does anyone know what kind of activity Microsoft uses to classify users and devices as "security operations admins?"