Document Details
Normalization About Schemas
❌
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
⚠️
windows_first
⚠️
missing_linux_example
⚠️
windows_tools
Summary:
The documentation demonstrates a Windows bias by providing detailed normalization examples and mappings exclusively for Windows event 4624, referencing Windows-specific concepts (such as SIDs and Windows usernames) before or instead of Linux equivalents. While Linux user IDs (UID) are mentioned in field type tables, there are no concrete Linux event examples or mappings, and Windows-centric terminology and tools (e.g., Windows event fields, SIDs, Windows domain\username format) are prioritized throughout. Linux tools, event types, or normalization scenarios are not given parity in examples or guidance.
Recommendations:
- Add parallel Linux event normalization examples (e.g., mapping a Linux authentication log event to ASIM fields) alongside the Windows event 4624 example.
- Include Linux-specific field mapping tables and sample values (e.g., mapping /var/log/auth.log fields, Linux UIDs, and usernames).
- Reference Linux event types and tools (such as auditd, syslog, or journald) in schema mapping and normalization guidance.
- Ensure that field type tables and entity descriptions provide Linux examples with equal prominence to Windows examples.
- Where possible, provide cross-platform comparison tables or diagrams to illustrate normalization from both Windows and Linux sources.
Create pull request