[Rule Tuning] Microsoft 365 Global Administrator Role Assigned

## Summary

`Microsoft 365 Global Administrator Role Assigned` rule has an exclusion that causes FNs due it being a multi-value field and thus picking up multiple [user types](https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties#usertype-and-userkey-scenarios).

Example from testing:

`o365.audit.Target.Type: [2, 2, 2, 5, 3]`

Thus if we exclude `5` as we do in the query, it causes the rule to not fire.

```
event.dataset:o365.audit
    and event.code:"AzureActiveDirectory"
    and event.action:"Add member to role."
    and event.outcome: "success"
    and o365.audit.ModifiedProperties.Role_DisplayName.NewValue: (
        "Global Administrator" or "Company Administrator"
    )
    and o365.audit.AzureActiveDirectoryEventType: 1
    and o365.audit.RecordType: 8
    and not o365.audit.Target.Type: (4 or 5 or 6)
```

Thus we need to remove `and not o365.audit.Target.Type: (4 or 5 or 6)`.

<img width="1700" height="468" alt="Image" src="https://github.com/user-attachments/assets/a16a7b14-2f5b-48f9-9bc5-eb2d2fa2b2bb" />

NOTE: Rather than attempting to account for the variations / combinations of the target user types, it is best to remove this exclusion entirely.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Rule Tuning] Microsoft 365 Global Administrator Role Assigned #5288

Summary

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Rule Tuning] Microsoft 365 Global Administrator Role Assigned #5288

Description

Summary

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions