Document Details

Ueba Reference
Home / Scan #240 / Ueba Reference
Sad Tux - Windows bias detected
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Detected Bias Types
windows_first
windows_tools
missing_linux_example
Summary
The documentation exhibits a Windows bias by prioritizing Windows data sources (e.g., Windows Security Events, Windows Forwarded Events) and referencing Windows-specific concepts (Active Directory, SID, local admin) without equivalent Linux examples or parity. Device and user enrichments focus on Windows attributes (e.g., DeviceFamily: Windows, OperatingSystem: Windows 10, OnPremisesSID), and there is no mention of Linux authentication logs, Linux device families, or Linux-specific enrichments. No Linux log sources (such as syslog, auditd, or Linux authentication events) are referenced, and Linux device types are absent from sample values and schema.
Recommendations
  • Add Linux-specific data sources to the UEBA data sources table, such as syslog, auditd, or Linux authentication logs.
  • Include Linux device families and operating systems in sample values and enrichments (e.g., DeviceFamily: Linux, OperatingSystem: Ubuntu 22.04).
  • Provide examples of Linux user and device enrichments, such as Linux user/group IDs, sudoers status, or SSH key usage.
  • Reference Linux equivalents for concepts like 'local admin' (e.g., users in the sudo or wheel group).
  • Clarify support for Linux endpoints in UEBA, and document any limitations or configuration steps for Linux log ingestion.
  • Ensure parity in schema fields for Linux-specific attributes (e.g., UID, GID, PAM authentication events).
GitHub Create Pull Request

Scan History

Date Scan Status Result
2026-01-14 00:00 #250 in_progress Biased Biased
2026-01-13 00:00 #246 completed Biased Biased
2026-01-11 00:00 #240 completed Biased Biased
2026-01-10 00:00 #237 completed Biased Biased
2026-01-09 00:34 #234 completed Biased Biased
2026-01-08 00:53 #231 completed Biased Biased
2026-01-06 18:15 #225 cancelled Clean Clean
2025-09-16 00:00 #113 completed Clean Clean
2025-09-15 00:00 #112 completed Clean Clean
2025-09-14 00:00 #111 completed Clean Clean
2025-09-13 00:00 #110 completed Clean Clean
2025-09-12 00:00 #109 completed Clean Clean
2025-09-11 00:00 #108 completed Clean Clean
2025-09-10 00:00 #107 completed Clean Clean
2025-09-09 00:00 #106 completed Clean Clean
2025-08-17 00:01 #83 cancelled Clean Clean
2025-07-13 21:37 #48 completed Clean Clean
2025-07-12 23:44 #41 cancelled Biased Biased