About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- windows_first
- windows_tools
- missing_linux_example
Summary:
The documentation displays a Windows bias: Windows Security events are the only explicit OS event source, the event IDs referenced are Windows-specific, and 'Windows' is the only device family and operating system that appears in the enrichment examples. Linux and macOS event sources, device types, and operating systems are neither shown nor mentioned, and no guidance is given for integrating non-Windows data. Readers may therefore conclude that user and entity behavior analytics (UEBA) in Microsoft Sentinel is primarily or exclusively intended for Windows environments.
Recommendations:
- Add explicit mention of Linux and macOS as potential data sources for UEBA, if supported.
- Provide examples of Linux (e.g., syslog, auditd) and macOS event sources and how to onboard them to Microsoft Sentinel.
- Include Linux/macOS device types and operating systems in enrichment sample values and tables.
- Clarify whether non-Windows events are supported or not, and provide guidance for customers with heterogeneous environments.
- If Linux/macOS are not supported, state this explicitly to set expectations.