Bias Analysis
Detected Bias Types
windows_first
windows_tools
missing_linux_example
Summary
The documentation exhibits a Windows bias by prioritizing Windows-centric concepts, terminology, and identifiers. Windows-specific terms (e.g., NTDomain, NetBiosName, SID, RegistryKey/Hive, WindowsSecurityZoneType) are prevalent and often explained before or instead of Linux equivalents. There are no examples or schema fields specifically for Linux user/group/account/domain concepts, nor are Linux-specific filesystem or process identifiers discussed. Windows tools and patterns (Active Directory, NTFS AlternateDataStream, Registry) are referenced without Linux parity, and no Linux-specific examples or terminology (such as UID/GID, /etc/passwd, systemd, or ext4) are provided.
Recommendations
- Add Linux-specific identifiers and schema fields (e.g., UID, GID, /etc/passwd, /etc/group) for Account and Host entities.
- Include Linux filesystem concepts (e.g., inode, ext4 attributes) alongside NTFS/WindowsSecurityZoneType in the File entity.
- Provide examples for Linux process attributes (e.g., systemd unit, cgroup, SELinux context) in the Process entity.
- Introduce Linux registry/config concepts (e.g., /etc, systemd unit files) in parallel to Windows RegistryKey/RegistryValue.
- Clarify that certain identifiers are Windows-only and provide Linux equivalents or note their absence.
- Add documentation sections or footnotes explaining how Linux hosts, accounts, and processes are mapped and identified in Sentinel.
- Balance terminology order (e.g., list Linux and Windows OSFamily values equally, not Windows first).