Document Details
Ueba Reference
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
windows_first
windows_tools
missing_linux_example
Summary
The documentation demonstrates a Windows bias in several areas. Windows-specific event sources (such as Windows Security Events, Windows Forwarded Events, and Windows device logon events) are listed and described in detail, while Linux equivalents (e.g., Linux audit logs, syslog, SSH logins) are not mentioned at all. Device-related enrichments and examples focus exclusively on Windows (e.g., 'Device family: Windows', 'Operating system: Windows 10'), with no reference to Linux, macOS, or other platforms. There are no examples or guidance for Linux-based data sources, connectors, or device insights, and no mention of Linux-specific security events or log schemas. The documentation assumes a Microsoft-centric environment, with Active Directory and Defender for Identity as the only on-premises identity providers, and does not address hybrid or non-Windows scenarios.
Recommendations
- Add Linux-specific data sources and connectors (e.g., Linux audit logs, syslog, SSH authentication logs) to the UEBA data sources table.
- Include device enrichment examples for Linux and macOS (e.g., 'Device family: Linux', 'Operating system: Ubuntu 22.04', 'Device type: Server').
- Document how UEBA analyzes and enriches Linux and non-Windows device events, including schema fields and sample values.
- Provide parity in event categories and enrichments for Linux, such as failed SSH logins, sudo usage, and Linux user management events.
- Clarify whether non-Windows devices are supported and, if so, how to onboard and analyze them in Microsoft Sentinel UEBA.
- Mention Linux identity providers (e.g., LDAP, FreeIPA) if supported, or explicitly state limitations.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2026-01-14 00:00 | #250 | in_progress |
Biased
|
| 2026-01-13 00:00 | #246 | completed |
Biased
|
| 2026-01-11 00:00 | #240 | completed |
Biased
|
| 2026-01-10 00:00 | #237 | completed |
Biased
|
| 2026-01-09 00:34 | #234 | completed |
Biased
|
| 2026-01-08 00:53 | #231 | completed |
Biased
|
| 2026-01-06 18:15 | #225 | cancelled |
 Clean
|
| 2025-09-16 00:00 | #113 | completed |
Clean
|
| 2025-09-15 00:00 | #112 | completed |
Clean
|
| 2025-09-14 00:00 | #111 | completed |
Clean
|
| 2025-09-13 00:00 | #110 | completed |
Clean
|
| 2025-09-12 00:00 | #109 | completed |
Clean
|
| 2025-09-11 00:00 | #108 | completed |
Clean
|
| 2025-09-10 00:00 | #107 | completed |
Clean
|
| 2025-09-09 00:00 | #106 | completed |
Clean
|
| 2025-08-17 00:01 | #83 | cancelled |
Clean
|
| 2025-07-13 21:37 | #48 | completed |
Clean
|
| 2025-07-12 23:44 | #41 | cancelled |
Biased
|