About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- ⚠️ windows_tools
- ⚠️ powershell_heavy
- ⚠️ missing_linux_example
- ⚠️ windows_first
Summary:
The documentation page demonstrates a Windows bias by focusing heavily on Windows-specific tools, commands, and attack techniques (such as rundll32.exe, PowerShell, Certutil, Exchange PowerShell Snapin, and Windows System Shutdown/Reboot). Many hunting queries and analytic rules reference Windows-centric binaries and behaviors, with little to no mention of Linux or cross-platform equivalents. There are no explicit Linux examples or references to Linux-specific threats, tools, or command-line patterns. This may leave Linux users without clear guidance or parity in threat detection and hunting.
Recommendations:
- Add Linux-specific examples and hunting queries, such as detections for common Linux persistence or privilege escalation techniques (e.g., cron jobs, systemd service abuse, SSH key misuse).
- Include analytic rules and hunting queries that reference Linux-native tools and binaries (e.g., bash, systemctl, sudo, /etc/passwd modifications).
- Balance the documentation by providing both Windows and Linux perspectives for each content area (process, file, registry, network, etc.), or explicitly state if a given rule is Windows-only.
- Highlight cross-platform detection strategies where possible, and clarify which rules are applicable to Linux, macOS, or other operating systems.
- Consider adding a section or table summarizing OS coverage for each analytic rule and hunting query.