About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
⚠️
windows_first
⚠️
windows_tools
⚠️
missing_linux_example
Summary:
The documentation page demonstrates a Windows bias by exclusively using Windows-centric data sources (e.g., the SecurityEvent table, which is populated by Windows Security Events), focusing on Windows event IDs, and not providing equivalent Linux or cross-platform examples. All KQL examples reference Windows-specific logs and fields, and there is no mention of Linux data sources, event types, or how to migrate Linux-based ArcSight rules. The documentation assumes the use of the Azure Monitor Agent (AMA) for Windows Security Events and does not address Linux log collection or rule migration scenarios.
Recommendations:
- Include examples using Linux data sources, such as Syslog, CommonSecurityLog, or custom tables populated from Linux servers.
- Provide KQL queries that demonstrate how to migrate ArcSight rules for Linux event types (e.g., authentication, sudo, SSH, process creation).
- Mention and link to documentation on connecting Linux data sources to Microsoft Sentinel, including configuration steps for the AMA or Log Analytics agent on Linux.
- Balance the presentation order by alternating or pairing Windows and Linux examples, or by providing a cross-platform example where possible.
- Clarify in the introduction that the guidance applies to both Windows and Linux environments, and explicitly call out any differences or additional steps required for Linux.
Flagged Code Snippets
// EventID 4728 (Windows audit: member added to a security-enabled global
// group) where the acting account is "AutoMatedService"; =~ compares
// case-insensitively. No TimeGenerated bound is set here, so the query
// period presumably comes from the rule schedule — confirm.
SecurityEvent
| where EventID == 4728
    and SubjectUserName =~ "AutoMatedService"
    and isnotempty(SubjectDomainName)
// Match events whose acting account is one of a fixed list of names.
// `in` is case-sensitive; use `in~` if case-insensitive matching is wanted.
let knownAccounts = dynamic(["Adm1", "ServiceAccount1", "AutomationServices"]);
SecurityEvent
| where SubjectUserName in (knownAccounts)
// EventID 4728 with at least one domain field populated, excluding the
// "AutoMatedService" account (!~ is a case-insensitive "not equal").
// The parentheses keep the `or` grouped as in the separate where clauses.
SecurityEvent
| where EventID == 4728
    and (isnotempty(SubjectDomainName) or isnotempty(TargetDomainName))
    and SubjectUserName !~ "AutoMatedService"
// Threshold rule: count events per (SubjectUserName, SubjectDomainName)
// pair and keep only pairs seen more than three times. The aggregate is
// exposed as the column `Count`.
SecurityEvent
| summarize Count = count() by SubjectUserName, SubjectDomainName
| where Count > 3
// Same as an `or` chain of exact (case-sensitive) equality checks on
// SubjectUserName, written as a single `in` list.
SecurityEvent
| where SubjectUserName in ("Adm1", "ServiceAccount1", "AutomationServices")
// EventID 4728 with a domain field populated, minus accounts listed in
// ExcludeValidUsers. ExcludeValidUsers is not defined in this snippet —
// presumably a let-bound dynamic list or a single-column tabular
// expression declared alongside the rule; confirm before reuse.
SecurityEvent
| where EventID == 4728
| where isnotempty(SubjectDomainName) or
isnotempty(TargetDomainName)
| where SubjectUserName !in (ExcludeValidUsers)
// Collect the EventID 4728 events, then hand them to ExcludeValidUsers.
// ExcludeValidUsers is invoked as a function taking a tabular argument;
// it is not defined in this snippet — presumably a saved function in the
// workspace; confirm its parameter signature before reuse.
let Events = (
SecurityEvent
| where EventID == 4728
);
ExcludeValidUsers(Events)
// Candidate events: EventID 4728 with at least one domain field set.
let events = SecurityEvent
    | where EventID == 4728
        and (isnotempty(SubjectDomainName) or isnotempty(TargetDomainName));
// Exclusion set: the same event type performed by "AutoMatedService"
// (=~ is case-insensitive).
let ExcludeValidUsers = SecurityEvent
    | where EventID == 4728
        and isnotempty(SubjectDomainName)
        and SubjectUserName =~ "AutoMatedService";
// leftanti keeps only rows of `events` whose SubjectUserName has no
// exact-match counterpart in the exclusion set.
events
| join kind=leftanti ExcludeValidUsers on SubjectUserName
// Pair "member added" (4728) events with "member removed" (4729) events
// that share a TargetUserName. No time window or ordering is enforced
// here, so every add is paired with every remove for that target.
SecurityEvent
| where EventID == 4728
| join kind=inner (
    SecurityEvent
    | where EventID == 4729
) on TargetUserName
// Correlate a group-membership add (4728) with a later remove (4729) for
// the same TargetUserName within `lookback`, scanning only the most recent
// `waittime` of removes. NOTE(review): for 4728/4729 the Target* columns
// appear to name the group rather than the member that was added or
// removed — confirm TargetUserName is the intended join key.
let waittime = 10m;
let lookback = 1d;
// Adds: look back far enough to cover the whole correlation window.
let event1 = SecurityEvent
    | where TimeGenerated > ago(waittime + lookback) and EventID == 4728
    | project event1_time = TimeGenerated, event1_ID = EventID,
              event1_Activity = Activity, event1_Host = Computer,
              TargetUserName, event1_UPN = UserPrincipalName,
              AccountUsedToAdd = SubjectUserName;
// Removes: only the most recent `waittime`.
let event2 = SecurityEvent
    | where TimeGenerated > ago(waittime) and EventID == 4729
    | project event2_time = TimeGenerated, event2_ID = EventID,
              event2_Activity = Activity, event2_Host = Computer,
              TargetUserName, event2_UPN = UserPrincipalName,
              AccountUsedToRemove = SubjectUserName;
event1
| join kind=inner event2 on TargetUserName
| extend delta_time = event2_time - event1_time
// keep removes that happened at or after the add and inside the window
| where delta_time >= 0s and delta_time < lookback
| project delta_time, event1_time, event2_time, event1_ID, event2_ID,
          event1_Activity, event2_Activity, TargetUserName,
          AccountUsedToAdd, AccountUsedToRemove, event1_Host, event2_Host,
          event1_UPN, event2_UPN