This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

Bias Analysis

Detected Bias Types
  • windows_first
  • windows_tools
  • missing_linux_example
Summary
The documentation page exhibits a Windows bias in several areas. Windows-specific event sources (e.g., Windows Security Events, Windows Forwarded Events) are listed prominently, with no mention of equivalent Linux log sources (such as syslog, auditd, or Linux authentication logs). Device-related enrichments and examples focus on Windows (e.g., 'Device family: Windows', 'Operating system: Windows 10'), and there are no Linux device or OS examples. The documentation does not provide Linux-specific event categories, connectors, or sample values, nor does it mention Linux authentication or logon events. This creates an impression that UEBA is primarily oriented toward Windows environments, with limited guidance for Linux users.
Recommendations
  • Add Linux-specific data sources to the UEBA data sources table, such as syslog, auditd, or Linux authentication logs, and describe their connectors and analyzed event categories.
  • Include Linux device and OS examples in the DevicesInsights enrichment fields (e.g., 'Device family: Linux', 'Operating system: Ubuntu 22.04').
  • Provide sample enrichment values and scenarios for Linux users, such as SSH logins, sudo usage, or Linux group membership changes.
  • Clarify whether and how UEBA supports Linux endpoints, and if not, explicitly state limitations and roadmap.
  • Ensure parity in documentation by listing Linux event sources and tools alongside Windows, rather than focusing exclusively or first on Windows.

Scan History

Date              Scan  Status       Result
2026-01-14 00:00  #250  in_progress  Biased
2026-01-13 00:00  #246  completed    Biased
2026-01-11 00:00  #240  completed    Biased
2026-01-10 00:00  #237  completed    Biased
2026-01-09 00:34  #234  completed    Biased
2026-01-08 00:53  #231  completed    Biased
2026-01-06 18:15  #225  cancelled    Clean
2025-09-16 00:00  #113  completed    Clean
2025-09-15 00:00  #112  completed    Clean
2025-09-14 00:00  #111  completed    Clean
2025-09-13 00:00  #110  completed    Clean
2025-09-12 00:00  #109  completed    Clean
2025-09-11 00:00  #108  completed    Clean
2025-09-10 00:00  #107  completed    Clean
2025-09-09 00:00  #106  completed    Clean
2025-08-17 00:01  #83   cancelled    Clean
2025-07-13 21:37  #48   completed    Clean
2025-07-12 23:44  #41   cancelled    Biased