Document Details

Ueba Reference
Home / Scan #246 / Ueba Reference
Sad Tux - Windows bias detected
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Detected Bias Types
windows_tools
windows_first
Summary
The documentation page displays a moderate Windows bias, primarily through its focus on Windows-centric data sources (e.g., Windows Security Events, Windows Forwarded Events, Microsoft Defender XDR, Active Directory). Device-related enrichments and examples frequently reference Windows-specific concepts (such as SIDs, local admin status, Windows 10 OS, and device families labeled 'Windows'), with little mention of Linux or macOS equivalents. While some cloud and third-party sources (AWS, GCP, Okta) are included, there is a lack of parity in describing Linux/macOS device logon events, enrichments, or schema fields. The documentation does not provide Linux/macOS-specific examples, nor does it clarify how non-Windows endpoints are represented or analyzed in UEBA.
Recommendations
  • Add explicit documentation and examples for Linux and macOS device logon events, including how these are ingested, analyzed, and enriched in UEBA.
  • Expand the 'Device family' and 'Operating system' enrichments to include Linux and macOS, with sample values and descriptions.
  • Clarify whether fields such as SID, local admin status, and device type are applicable to non-Windows platforms, and document platform-specific differences.
  • Provide guidance or references for integrating Linux/macOS endpoints with Microsoft Sentinel UEBA, including supported connectors and schema mappings.
  • Ensure that examples and tables do not default to Windows terminology, and present cross-platform information in a balanced manner.
GitHub Create Pull Request

Scan History

Date Scan Status Result
2026-01-14 00:00 #250 in_progress Biased Biased
2026-01-13 00:00 #246 completed Biased Biased
2026-01-11 00:00 #240 completed Biased Biased
2026-01-10 00:00 #237 completed Biased Biased
2026-01-09 00:34 #234 completed Biased Biased
2026-01-08 00:53 #231 completed Biased Biased
2026-01-06 18:15 #225 cancelled Clean Clean
2025-09-16 00:00 #113 completed Clean Clean
2025-09-15 00:00 #112 completed Clean Clean
2025-09-14 00:00 #111 completed Clean Clean
2025-09-13 00:00 #110 completed Clean Clean
2025-09-12 00:00 #109 completed Clean Clean
2025-09-11 00:00 #108 completed Clean Clean
2025-09-10 00:00 #107 completed Clean Clean
2025-09-09 00:00 #106 completed Clean Clean
2025-08-17 00:01 #83 cancelled Clean Clean
2025-07-13 21:37 #48 completed Clean Clean
2025-07-12 23:44 #41 cancelled Biased Biased