This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

Bias Analysis

Detected Bias Types
  • windows_first
  • missing_linux_example
  • windows_tools
Summary
The documentation page for 'Anomalies detected by the Microsoft Sentinel machine learning engine' exhibits moderate Windows bias. Many anomaly detection rules and examples reference Windows Security logs (e.g., Event IDs 4624, 4625) and local account creation on Windows systems, with no equivalent examples or guidance for Linux or macOS systems. There are no Linux audit log or syslog-based anomaly rules, and the documentation does not mention Linux-specific data sources or detection patterns. Windows-centric terminology and event IDs are used exclusively in several sections, and Linux/macOS users are left without clear instructions on how to achieve parity.
Recommendations
  • Add examples and descriptions for anomaly detection using Linux audit logs (e.g., /var/log/auth.log, /var/log/secure, auditd) and macOS system logs.
  • Include Linux/macOS equivalents for local account creation, login events, and brute force detection (e.g., using PAM logs, SSH logs, or syslog).
  • Document how to onboard Linux/macOS logs into Sentinel and how anomaly detection rules can be applied to these data sources.
  • Where Windows event IDs are referenced, provide Linux/macOS log line examples or mapping tables.
  • Clarify which anomaly rules are Windows-only and which can be extended to other platforms.

Scan History

Date              Scan  Status       Result
2026-01-22 01:38  #286  completed    Biased
2026-01-14 00:00  #250  in_progress  Biased
2026-01-13 00:00  #246  completed    Biased
2026-01-11 00:00  #240  completed    Biased
2026-01-10 00:00  #237  completed    Biased
2026-01-09 00:34  #234  completed    Biased
2026-01-08 00:53  #231  completed    Biased
2026-01-06 18:15  #225  cancelled    Clean
2025-09-09 00:00  #106  completed    Clean
2025-08-17 00:01  #83   cancelled    Clean
2025-07-13 21:37  #48   completed    Clean
2025-07-12 23:44  #41   cancelled    Clean