Document Details
Customize Entity Activities
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
windows_first
missing_linux_example
windows_tools
Summary
The documentation page demonstrates a Windows bias by providing examples and descriptions that are specific to Windows environments (e.g., referencing Windows event IDs, Active Directory, and NTDomain identifiers) without offering equivalent Linux or cross-platform examples. The entity identifiers and sample queries are tailored to Windows-centric data sources, and there is no mention of Linux audit logs, syslog, or Linux user/group management events. The documentation assumes a Windows/Active Directory environment as the default context for customization, omitting guidance for organizations using Linux-based infrastructure.
Recommendations
- Include Linux-specific examples, such as detecting user group changes via Linux audit logs (e.g., /var/log/audit/audit.log) or syslog.
- Provide sample KQL queries for common Linux security events (e.g., sudo usage, user creation, group membership changes) alongside Windows examples.
- Expand the list of entity identifiers to include Linux-relevant fields, such as UID, GID, or Linux hostnames.
- Mention Linux data sources (e.g., Syslog, Linux auditd) in the activity template and configuration sections.
- Balance the documentation by presenting both Windows and Linux scenarios, or explicitly state if the feature is currently Windows-only.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2026-01-14 00:00 | #250 | in_progress |
 Clean
|
| 2026-01-13 00:00 | #246 | completed |
Clean
|
| 2026-01-11 00:00 | #240 | completed |
Clean
|
| 2026-01-10 00:00 | #237 | completed |
Clean
|
| 2026-01-09 00:34 | #234 | completed |
Clean
|
| 2026-01-08 00:53 | #231 | completed |
Clean
|
| 2026-01-06 18:15 | #225 | cancelled |
Clean
|
| 2025-09-16 00:00 | #113 | completed |
Clean
|
| 2025-09-15 00:00 | #112 | completed |
Clean
|
| 2025-09-14 00:00 | #111 | completed |
Clean
|
| 2025-09-13 00:00 | #110 | completed |
Clean
|
| 2025-09-12 00:00 | #109 | completed |
Clean
|
| 2025-09-11 00:00 | #108 | completed |
Clean
|
| 2025-08-17 00:01 | #83 | cancelled |
Clean
|
| 2025-07-13 21:37 | #48 | completed |
Clean
|
| 2025-07-12 23:44 | #41 | cancelled |
Biased
|
Flagged Code Snippets
SecurityEvent
| where EventID == "4728"
| where (SubjectUserSid == '{{Account_Sid}}' ) or (SubjectUserName == '{{Account_Name}}' and SubjectDomainName == '{{Account_NTDomain}}' )
| project TimeGenerated, SubjectUserName, MemberName, MemberSid, GroupName=TargetUserName