Forum Discussion
"Security Operations Admin User" Predefined Critical Asset classification
In our XDR instance, the new "Security Operations Admin User" predefined Critical Asset classification (introduced last month) contains a few non-privileged users. I can't figure out by what logic they were added to this classification.
It seems that the users may be using laptops that are classified as "Security Operations Admin Devices," but I can't figure out why those devices are grouped that way, either.
If it were a matter of an IT user logging onto one of the machines for support, there would inevitably be a lot MORE users and devices in these groups.
Does anyone know what kind of activity Microsoft uses to classify users and devices as "security operations admins?"
1 Reply
- ckyalo
Microsoft
Admins can manually tag additional accounts as sensitive in the Defender portal, based on business context (executives, service accounts, SecOps personnel).
Additionally, devices frequently used by high criticality users such as Domain Admins will also be classified as highly critical assets. For additional details on this classification, refer to Criticality Levels for Classifications - Microsoft Security Exposure Management | Microsoft Learn