Document Details
Migration Arcsight Detection Rules
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
windows_first
windows_tools
missing_linux_example
Summary
The documentation page demonstrates a Windows bias by exclusively using Windows-centric data sources (e.g., SecurityEvent table, which is populated by Windows Security Events), focusing on Windows event IDs, and not providing equivalent Linux or cross-platform examples. All KQL examples reference Windows-specific logs and fields, and there is no mention of Linux data sources, event types, or how to migrate Linux-based ArcSight rules. The documentation assumes the use of the Azure Monitoring Agent (AMA) for Windows Security Events and does not address Linux log collection or rule migration scenarios.
Recommendations
- Include examples using Linux data sources, such as Syslog, CommonSecurityLog, or custom tables populated from Linux servers.
- Provide KQL queries that demonstrate how to migrate ArcSight rules for Linux event types (e.g., authentication, sudo, SSH, process creation).
- Mention and link to documentation on connecting Linux data sources to Microsoft Sentinel, including configuration steps for the AMA or Log Analytics agent on Linux.
- Balance the presentation order by alternating or pairing Windows and Linux examples, or by providing a cross-platform example where possible.
- Clarify in the introduction that the guidance applies to both Windows and Linux environments, and explicitly call out any differences or additional steps required for Linux.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2026-01-14 00:00 | #250 | in_progress |
 Clean
|
| 2026-01-13 00:00 | #246 | completed |
Clean
|
| 2026-01-11 00:00 | #240 | completed |
Clean
|
| 2026-01-10 00:00 | #237 | completed |
Clean
|
| 2026-01-09 00:34 | #234 | completed |
Clean
|
| 2026-01-08 00:53 | #231 | completed |
Clean
|
| 2026-01-06 18:15 | #225 | cancelled |
Clean
|
| 2025-09-11 00:00 | #108 | completed |
Clean
|
| 2025-08-29 00:01 | #95 | completed |
Clean
|
| 2025-07-28 00:00 | #63 | completed |
Clean
|
| 2025-07-13 21:37 | #48 | completed |
Clean
|
| 2025-07-12 23:44 | #41 | cancelled |
Biased
|
Flagged Code Snippets
SecurityEvent | where EventID == 4728 | where SubjectUserName =~ "AutoMatedService" | where isnotempty(SubjectDomainName)
SecurityEvent
| where SubjectUserName in
("Adm1","ServiceAccount1","AutomationServices")
SecurityEvent | where EventID == 4728 | where isnotempty(SubjectDomainName) or isnotempty(TargetDomainName) | where SubjectUserName !~ "AutoMatedService"
SecurityEvent | summarize Count = count() by SubjectUserName, SubjectDomainName | where Count >3
SecurityEvent | where SubjectUserName == "Adm1" or SubjectUserName == "ServiceAccount1" or SubjectUserName == "AutomationServices"
SecurityEvent
| where EventID == 4728
| where isnotempty(SubjectDomainName) or
isnotempty(TargetDomainName)
| where SubjectUserName !in (ExcludeValidUsers)
let Events = (
SecurityEvent
| where EventID == 4728
);
ExcludeValidUsers(Events)
let events = ( SecurityEvent | where EventID == 4728 | where isnotempty(SubjectDomainName) or isnotempty(TargetDomainName) ); let ExcludeValidUsers = ( SecurityEvent | where EventID == 4728 | where isnotempty(SubjectDomainName) | where SubjectUserName =~ "AutoMatedService" ); events | join kind=leftanti ExcludeValidUsers on $left.SubjectUserName == $right.SubjectUserName
let event1 =( SecurityEvent | where EventID == 4728 ); let event2 =( SecurityEvent | where EventID == 4729 ); event1 | join kind=inner event2 on $left.TargetUserName==$right.TargetUserName
let waittime = 10m; let lookback = 1d; let event1 = ( SecurityEvent | where TimeGenerated > ago(waittime+lookback) | where EventID == 4728 | project event1_time = TimeGenerated, event1_ID = EventID, event1_Activity= Activity, event1_Host = Computer, TargetUserName, event1_UPN=UserPrincipalName, AccountUsedToAdd = SubjectUserName ); let event2 = ( SecurityEvent | where TimeGenerated > ago(waittime) | where EventID == 4729 | project event2_time = TimeGenerated, event2_ID = EventID, event2_Activity= Activity, event2_Host= Computer, TargetUserName, event2_UPN=UserPrincipalName, AccountUsedToRemove = SubjectUserName ); event1 | join kind=inner event2 on TargetUserName | where event2_time - event1_time < lookback | where tolong(event2_time - event1_time ) >=0 | project delta_time = event2_time - event1_time, event1_time, event2_time, event1_ID,event2_ID,event1_Activity, event2_Activity, TargetUserName, AccountUsedToAdd, AccountUsedToRemove,event1_Host,event2_Host, event1_UPN,event2_UPN