About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- powershell_heavy
- windows_tools
- windows_first
- missing_linux_example
Summary:
The documentation demonstrates a Windows bias by focusing on Windows-specific tools and technologies such as PowerShell and WMI, referencing them in detection scenarios without mentioning Linux or cross-platform equivalents. Examples and threat detections are described in terms of Windows-centric activities (e.g., PowerShell command execution, WMI, Microsoft Defender for Endpoint), and there are no Linux-specific examples or references to Linux-native tools or attack patterns. The documentation assumes a Windows environment for endpoint detection and response, with no guidance for Linux-based systems.
Recommendations:
- Include examples and detection scenarios that reference Linux-based attack techniques and tools (e.g., bash scripts, cron jobs, SSH abuse, Linux credential dumping tools like 'gsecdump' or 'LaZagne').
- When describing suspicious command execution, provide Linux equivalents alongside PowerShell and WMI (e.g., bash, python, perl, systemd misuse).
- Reference cross-platform endpoint detection tools and data sources, such as Microsoft Defender for Endpoint for Linux, and clarify how these scenarios apply to Linux systems.
- Add detection scenarios for Linux-specific threats (e.g., rootkit installation, unauthorized use of sudo, suspicious use of system binaries).
- Balance the order of presentation so that Windows and Linux examples are given equal prominence, or explicitly state when a scenario is Windows-only.
- Where possible, generalize descriptions of suspicious activity (e.g., 'suspicious script execution') and then provide both Windows and Linux examples.