Bias Analysis
Detected Bias Types
windows_first
missing_linux_example
windows_tools
Summary
The documentation page demonstrates a Windows bias in several ways: anomaly detection examples and algorithms are heavily focused on Windows Security logs (with repeated references to Windows event IDs such as 4624 and 4625), and there is no mention of equivalent Linux audit logs or syslog sources for similar anomaly types. Windows-specific terminology and tools (such as PowerShell in MITRE sub-techniques, Windows Security logs, and event IDs) are used throughout, while Linux equivalents (e.g., auditd, /var/log/auth.log, journald) are absent. This creates a perception that anomaly detection is primarily for Windows environments, with limited guidance for Linux users.
Recommendations
- Add Linux-specific anomaly detection examples, such as monitoring for suspicious account creation, login failures, and privilege escalation using Linux audit logs, syslog, or journald.
- Include references to Linux log sources (e.g., /var/log/auth.log, /var/log/secure, auditd logs) alongside Windows Security logs in relevant anomaly types.
- Provide MITRE ATT&CK sub-techniques and activities relevant to Linux (e.g., Bash, Python, SSH, sudo) in addition to PowerShell.
- Where event IDs are referenced for Windows, include equivalent Linux log patterns or audit rules.
- Ensure that anomaly detection coverage and guidance are presented in a cross-platform manner, with parity between Windows and Linux environments.