Document Details

Ueba Reference
Home / Scan #237 / Ueba Reference
Sad Tux - Windows bias detected
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Detected Bias Types
windows_first
windows_tools
missing_linux_example
Summary
The documentation page demonstrates a Windows bias primarily through its focus on Windows-centric data sources (e.g., Windows Security Events, Windows Forwarded Events), terminology (Active Directory, SID, local admin), and device enrichments (Windows device family, Windows 10 OS). There are no Linux-specific log sources, device types, or examples, and Linux equivalents (such as Linux audit logs, Linux device families, or Linux user attributes) are not mentioned or supported in the enrichment tables or schema. The documentation assumes a Microsoft/Windows environment for both cloud and on-premises scenarios, with no parity for Linux or other non-Windows platforms.
Recommendations
  • Add Linux-specific data sources (e.g., Linux audit logs, syslog, SSH authentication logs) to the UEBA data sources table.
  • Include Linux device families and operating systems in the DevicesInsights enrichment field and provide sample values (e.g., Ubuntu, CentOS, Red Hat).
  • Document Linux user and device attributes in the enrichment tables (e.g., UID, GID, /etc/passwd fields, sudoers status).
  • Provide examples and schema fields relevant to Linux environments, such as Linux group membership, PAM authentication events, and Linux-specific threat indicators.
  • Clarify which features and enrichments are available or not available for Linux endpoints, and provide guidance for integrating Linux data into UEBA workflows.
  • Ensure parity in terminology and examples, mentioning Linux alongside Windows wherever applicable (e.g., 'local admin' vs. 'sudo/root user').
GitHub Create Pull Request

Scan History

Date Scan Status Result
2026-01-14 00:00 #250 in_progress Biased Biased
2026-01-13 00:00 #246 completed Biased Biased
2026-01-11 00:00 #240 completed Biased Biased
2026-01-10 00:00 #237 completed Biased Biased
2026-01-09 00:34 #234 completed Biased Biased
2026-01-08 00:53 #231 completed Biased Biased
2026-01-06 18:15 #225 cancelled Clean Clean
2025-09-16 00:00 #113 completed Clean Clean
2025-09-15 00:00 #112 completed Clean Clean
2025-09-14 00:00 #111 completed Clean Clean
2025-09-13 00:00 #110 completed Clean Clean
2025-09-12 00:00 #109 completed Clean Clean
2025-09-11 00:00 #108 completed Clean Clean
2025-09-10 00:00 #107 completed Clean Clean
2025-09-09 00:00 #106 completed Clean Clean
2025-08-17 00:01 #83 cancelled Clean Clean
2025-07-13 21:37 #48 completed Clean Clean
2025-07-12 23:44 #41 cancelled Biased Biased