Document Details

Fusion Scenario Reference
Home / Scan #240 / Fusion Scenario Reference
Sad Tux - Windows bias detected
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Detected Bias Types
powershell_heavy
windows_tools
windows_first
missing_linux_example
Summary
The documentation page exhibits several forms of Windows bias. Many detection scenarios and descriptions reference Windows-specific technologies (PowerShell, WMI, Microsoft Defender for Endpoint, etc.) and focus on Microsoft cloud and endpoint products. Examples and threat techniques are almost exclusively Windows-centric, with little to no mention of Linux or cross-platform equivalents. Linux-specific attack patterns, tools, or detection methods are absent, and Windows tools (PowerShell, WMI) are referenced without Linux analogs. This can make the documentation less relevant or actionable for organizations with significant Linux infrastructure.
Recommendations
  • Include Linux-specific attack scenarios, such as suspicious Bash or Python script execution, SSH brute force, or Linux credential dumping tools (e.g., 'Linux mimikatz', 'LaZagne').
  • Add examples of detection for Linux-native threats and techniques, such as rootkit installation, unauthorized cron job creation, or suspicious use of system utilities (e.g., netcat, socat, curl, wget).
  • Reference Linux security tools and logs (e.g., auditd, syslog, journald, fail2ban) alongside Windows tools.
  • Where PowerShell or WMI are mentioned, provide equivalent Linux command-line or scripting examples (e.g., bash, python, systemd-run, etc.).
  • Clarify which scenarios and detections are cross-platform and which are Windows-only, to help users understand coverage gaps.
  • Expand data connector sources to include Linux endpoint solutions (e.g., Microsoft Defender for Endpoint for Linux, or third-party Linux EDRs) and describe their role in Fusion detections.
GitHub Create Pull Request

Scan History

Date Scan Status Result
2026-01-14 00:00 #250 in_progress Biased Biased
2026-01-13 00:00 #246 completed Biased Biased
2026-01-11 00:00 #240 completed Biased Biased
2026-01-10 00:00 #237 completed Biased Biased
2026-01-09 00:34 #234 completed Biased Biased
2026-01-08 00:53 #231 completed Biased Biased
2026-01-06 18:15 #225 cancelled Clean Clean
2025-08-17 00:01 #83 cancelled Clean Clean
2025-07-13 21:37 #48 completed Clean Clean
2025-07-12 23:44 #41 cancelled Biased Biased