This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

Bias Analysis

Detected Bias Types
  • powershell_heavy
  • windows_tools
  • windows_first
  • missing_linux_example
Summary
The documentation page demonstrates a Windows bias through frequent references to Windows-specific tools and technologies such as PowerShell and Windows Management Instrumentation (WMI), with no mention of equivalent Linux tools or scenarios. Examples and detection scenarios focus on Windows-centric attack patterns and do not provide parity for Linux environments. The documentation also references Microsoft Defender for Endpoint (which is historically Windows-focused, though now cross-platform) and does not mention Linux-specific security tools, logs, or attack techniques. This results in limited guidance for organizations with significant Linux infrastructure.
Recommendations
  • Add detection scenarios that cover Linux-specific attack vectors, such as suspicious Bash or Python script execution, use of cron jobs for persistence, or exploitation of Linux services (e.g., SSH, sudo).
  • Include examples of credential theft tools and techniques relevant to Linux (e.g., use of 'John the Ripper', 'Hydra', or 'ssh-agent' abuse), alongside Windows tools like Mimikatz.
  • Reference Linux equivalents for Windows technologies mentioned (e.g., instead of only PowerShell, also discuss Bash, Python, Perl, etc.; for WMI, discuss D-Bus, systemd, or other Linux management interfaces).
  • Highlight cross-platform capabilities of Microsoft Defender for Endpoint and Sentinel, and provide guidance on configuring and ingesting Linux logs (e.g., syslog, auditd, journald) into Sentinel.
  • Ensure that examples and scenarios do not always begin with Windows-centric technologies, but alternate or balance with Linux-focused content.
  • Mention Linux-specific MITRE ATT&CK techniques and tactics where relevant, such as Linux privilege escalation, lateral movement via SSH, or Linux ransomware behaviors.

Scan History

Date              Scan  Status       Result
2026-01-14 00:00  #250  in_progress  Biased
2026-01-13 00:00  #246  completed    Biased
2026-01-11 00:00  #240  completed    Biased
2026-01-10 00:00  #237  completed    Biased
2026-01-09 00:34  #234  completed    Biased
2026-01-08 00:53  #231  completed    Biased
2026-01-06 18:15  #225  cancelled    Clean
2025-08-17 00:01  #83   cancelled    Clean
2025-07-13 21:37  #48   completed    Clean
2025-07-12 23:44  #41   cancelled    Biased