Total Pages: 391
Linux-Friendly Pages: 285
Pages with Bias: 106
Bias Rate: 27.1%

[Chart: Bias Trend Over Time]

Pages with Bias Issues

488 issues found
Sentinel The Advanced Security Information Model (ASIM) Registry Event normalization schema reference | Microsoft Docs ...ticles/sentinel/normalization-schema-registry-event.md
High Priority
Scanned: 2026-01-13 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Missing Linux Example
Summary
The documentation is heavily focused on Windows, with all examples, terminology, and referenced tools (e.g., Registry, Sysmon, IFEO hunting query) being Windows-specific. There are no Linux or macOS equivalents or examples provided, and the schema is explicitly designed for Windows Registry events. While the schema does mention that some fields (like process IDs) can be numeric on Linux, there are no practical Linux use cases, examples, or guidance for Linux/macOS users.
Recommendations
  • Explicitly state that the schema is Windows-only, or clarify Linux/macOS applicability.
  • If cross-platform registry monitoring is possible, provide Linux/macOS equivalents or note their absence.
  • Add a section describing how Linux/macOS users can achieve similar monitoring (if possible), or link to relevant documentation.
  • Include examples or references for Linux/macOS process monitoring schemas for parity.
  • Where fields are described as supporting Linux, provide concrete Linux examples.
Sentinel Stream and filter Windows DNS logs with the AMA connector ...re-docs/blob/main/articles/sentinel/connect-dns-ama.md
High Priority
Scanned: 2026-01-13 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation is heavily focused on Windows DNS servers, with all examples, prerequisites, and instructions tailored exclusively to Windows environments. There is no mention of Linux or cross-platform DNS server support, and all tooling, terminology, and screenshots are Windows-specific. Linux users are not provided with equivalent guidance or examples, making the documentation inaccessible for non-Windows environments.
Recommendations
  • Clearly state at the beginning whether Linux DNS servers are supported or not. If not, clarify the scope is Windows-only.
  • If Linux support is possible (e.g., via BIND or other DNS servers), provide equivalent instructions, examples, and prerequisites for Linux environments.
  • Include Linux-specific examples for configuring the connector, enabling analytical logging, and filtering events.
  • Mention Linux tools and patterns (e.g., systemd, rsyslog, BIND logs) where relevant, and provide parity in portal/API instructions.
  • If only Windows is supported, suggest alternative monitoring approaches for Linux DNS servers or link to relevant documentation.
Sentinel Microsoft Sentinel DNS over AMA connector reference - available fields and normalization schema ...ure-docs/blob/main/articles/sentinel/dns-ama-fields.md
High Priority
Scanned: 2026-01-13 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation is heavily focused on Windows DNS servers and the Windows DNS Events via AMA connector. All examples, field mappings, and instructions reference Windows-specific tools and patterns, with no mention of Linux or cross-platform DNS sources. The normalization schema is described only in terms of Windows DNS fields, and there are no Linux equivalents or guidance for Linux-based DNS servers.
Recommendations
  • Add sections describing how to collect and normalize DNS logs from Linux-based DNS servers (e.g., BIND, Unbound, dnsmasq) using Microsoft Sentinel.
  • Provide equivalent field mapping tables for popular Linux DNS server log formats.
  • Include examples and connector instructions for Linux environments, ensuring parity in filtering and normalization capabilities.
  • Clarify in the introduction whether Linux DNS servers are supported or provide links to relevant Linux documentation if available.
Sentinel Microsoft Purview Information Protection connector reference - audit log record types and activities support in Microsoft Sentinel .../sentinel/microsoft-purview-record-types-activities.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Powershell Heavy, Windows Tools, Missing Linux Example
Summary
The documentation references a PowerShell cmdlet (Unlock-SPOSensitivityLabelEncryptedFile) as a method for removing sensitivity labels from files, without mentioning any Linux or cross-platform alternatives. There are no examples or instructions for performing equivalent actions on Linux or macOS systems, and the tooling referenced is Windows-centric.
Recommendations
  • Include Linux and macOS equivalents for actions currently described only with PowerShell cmdlets, such as removing sensitivity labels from files.
  • If no direct Linux tool exists, provide guidance on how to perform these actions via REST APIs or other cross-platform methods.
  • Add explicit examples for Linux (e.g., using curl, bash, or Python scripts) to demonstrate parity in audit log management and sensitivity label operations.
  • Clarify platform requirements for referenced tools and suggest alternatives or workarounds for non-Windows environments.
Sentinel The Advanced Security Information Model (ASIM) Application Entity reference .../articles/sentinel/normalization-entity-application.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page demonstrates Windows bias by providing only Windows-style examples for process paths (e.g., 'C:\Windows\explorer.exe'), referencing Windows-specific file locations, and omitting Linux equivalents (such as '/usr/bin/bash'). Additionally, Windows terminology and conventions (e.g., GUID, process ID conversion notes) are mentioned before or instead of Linux alternatives.
Recommendations
  • Include Linux-specific examples alongside Windows examples for fields like ProcessName and Process.
  • Mention Linux process conventions (e.g., typical paths like '/usr/bin/bash') and clarify differences in process identification.
  • Add notes or examples for Linux tools and patterns where relevant, such as systemd services or common Linux process management.
  • Ensure parity in documentation by presenting both Windows and Linux information equally and simultaneously.
Sentinel Create Analytics Rules for Microsoft Sentinel Solutions .../articles/sentinel/sentinel-analytic-rules-creation.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Powershell Heavy, Windows First
Summary
The documentation page exhibits Windows bias primarily in the 'ID' section, where PowerShell's New-GUID cmdlet is mentioned as a tool for generating GUIDs, with no mention of Linux or cross-platform alternatives. The example and tool recommendation is Windows-specific and appears before any general or platform-neutral guidance. No Linux shell or tool (such as uuidgen) is referenced. The rest of the documentation is largely platform-neutral, focusing on YAML, KQL, and Microsoft Sentinel concepts.
Recommendations
  • Include Linux and cross-platform alternatives for GUID generation, such as the uuidgen command (available on most Linux distributions and macOS).
  • When mentioning PowerShell, clarify that it is available cross-platform, or provide equivalent commands for Bash/zsh.
  • Present platform-neutral or cross-platform tools first, or mention them alongside Windows tools to avoid implicit prioritization.
  • Add explicit examples for Linux/macOS users where relevant, especially for common developer tasks like GUID generation.
Sentinel Manage custom content with repository connections ...cs/blob/main/articles/sentinel/ci-cd-custom-content.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Powershell Heavy, Windows Tools, Missing Linux Example
Summary
The documentation page demonstrates bias towards Windows environments by referencing PowerShell deployment scripts as the primary method for customizing deployments, without mentioning Linux shell equivalents (e.g., Bash). There are no examples or guidance for Linux-native tools or workflows, and the use of PowerShell is presented as the default. This may hinder Linux users or those working in cross-platform environments.
Recommendations
  • Provide equivalent Bash or shell script examples for deployment customization, alongside PowerShell.
  • Explicitly mention cross-platform compatibility of deployment scripts and tools, clarifying if PowerShell Core or alternatives are supported on Linux/macOS.
  • Include instructions or references for running repository deployment workflows on Linux-based CI/CD runners (e.g., GitHub Actions on Ubuntu).
  • Highlight any platform-specific requirements or limitations, and suggest best practices for Linux users.
Sentinel Anomalies detected by the Microsoft Sentinel machine learning engine ...ocs/blob/main/articles/sentinel/anomalies-reference.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page demonstrates a Windows bias in several ways: anomaly detection examples and algorithms are heavily focused on Windows Security logs (with repeated references to Windows event IDs such as 4624 and 4625), and there is no mention of equivalent Linux audit logs or syslog sources for similar anomaly types. Windows-specific terminology and tools (such as PowerShell in MITRE sub-techniques, Windows Security logs, and event IDs) are used throughout, while Linux equivalents (e.g., auditd, /var/log/auth.log, journald) are absent. This creates a perception that anomaly detection is primarily for Windows environments, with limited guidance for Linux users.
Recommendations
  • Add Linux-specific anomaly detection examples, such as monitoring for suspicious account creation, login failures, and privilege escalation using Linux audit logs, syslog, or journald.
  • Include references to Linux log sources (e.g., /var/log/auth.log, /var/log/secure, auditd logs) alongside Windows Security logs in relevant anomaly types.
  • Provide MITRE ATT&CK sub-techniques and activities relevant to Linux (e.g., Bash, Python, SSH, sudo) in addition to PowerShell.
  • Where event IDs are referenced for Windows, include equivalent Linux log patterns or audit rules.
  • Ensure that anomaly detection coverage and guidance is presented in a cross-platform manner, with parity between Windows and Linux environments.
Sentinel Best practices for data collection in Microsoft Sentinel ...ocs/blob/main/articles/sentinel/best-practices-data.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Windows First, Windows Tools, Powershell Heavy, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias in several ways. Windows-specific tools and patterns (such as Windows Event Forwarding, PowerShell, and .NET) are mentioned more frequently and often before their Linux equivalents. Some sections, such as 'On-premises Windows log collection', provide detailed Windows solutions, while Linux solutions are grouped separately and sometimes less detailed. PowerShell is listed as a method for custom log collection, with no equivalent Linux scripting example. In some tables, Windows tools or methods are listed as the default or only option, and Linux alternatives are less emphasized or missing.
Recommendations
  • Ensure Linux tools and patterns (e.g., Bash scripts, Linux-native log collectors) are presented alongside Windows examples, not after or separately.
  • Provide equivalent Linux scripting examples (e.g., Bash, Python) wherever PowerShell is mentioned.
  • When listing solutions, alternate the order of Windows and Linux options, or present them together to avoid 'Windows first' bias.
  • Expand Linux sections to match the detail and breadth of Windows sections, including common Linux challenges and solutions.
  • Explicitly mention Linux alternatives for every Windows tool or pattern referenced (e.g., for Windows Event Forwarding, mention syslog forwarding).
  • Review all tables and solution lists to ensure Linux options are not missing or underrepresented.
Sentinel Reduce costs for Microsoft Sentinel ...cs/blob/main/articles/sentinel/billing-reduce-costs.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page exhibits Windows bias primarily in the 'Use data collection rules for your Windows Security Events' section, where only Windows-specific connectors and event collection are discussed. There are no equivalent examples or guidance for collecting Linux security events, nor are Linux tools or connectors mentioned. The focus on Windows tools and patterns, without Linux parity, may leave Linux administrators without clear guidance for cost optimization in mixed or Linux-only environments.
Recommendations
  • Add a section detailing how to optimize data collection and costs for Linux security events, including relevant connectors and data collection rules.
  • Provide examples or references for Linux event collection (e.g., syslog, auditd) and how to configure data collection rules for Linux machines.
  • Ensure that both Windows and Linux data collection strategies are presented with equal prominence and detail.
  • Mention Linux equivalents wherever Windows tools or connectors are referenced, and provide links to relevant documentation.
Sentinel Common Event Format (CEF) key and CommonSecurityLog field mapping ...e-docs/blob/main/articles/sentinel/cef-name-mapping.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Terms, Windows Examples
Summary
The documentation page exhibits mild Windows bias. Several field descriptions and examples reference Windows-specific concepts (e.g., 'Windows domain', 'C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe') before or instead of Linux equivalents. Terms like 'NTDomain' and 'DeviceNtDomain' are used without parallel Linux/Unix domain concepts. While some Linux/Unix references exist (e.g., '/usr/bin/zip', 'sshd', 'process generating the syslog entry'), Windows terminology and examples are more frequent and often listed first.
Recommendations
  • Provide Linux/Unix equivalents alongside Windows examples for file paths, domain concepts, and process names.
  • Clarify when a field is Windows-specific and offer Linux/Unix alternatives or note their absence.
  • Balance examples by alternating Windows and Linux/Unix references, or use neutral examples where possible.
  • Expand descriptions for domain-related fields to explain their relevance (or lack thereof) in Linux/Unix environments.
  • Review terminology to avoid defaulting to Windows-centric language when cross-platform concepts exist.
Sentinel Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data .../azure-docs/blob/main/articles/sentinel/connect-aws.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Powershell Heavy, Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page demonstrates a clear Windows bias. The automatic setup process is built around a PowerShell script, with instructions and prerequisites focused on installing PowerShell and running commands from a PowerShell command line. There are no equivalent instructions or examples for Linux users (e.g., Bash shell, Linux tools), nor is there mention of how to run the setup script on Linux or macOS. The documentation assumes the user is on Windows by default and does not provide parity for Linux environments.
Recommendations
  • Provide explicit instructions for running the setup script on Linux and macOS, including shell commands and prerequisites (e.g., Bash, sh).
  • Clarify whether the PowerShell script is compatible with PowerShell Core on Linux/macOS, or provide a Bash alternative.
  • List installation steps for the AWS CLI on Linux and macOS alongside Windows.
  • Include screenshots or terminal examples from Linux environments.
  • Add troubleshooting notes for common Linux/macOS issues (e.g., permissions, path differences).
  • Avoid language that assumes Windows as the default platform; use cross-platform terminology where possible.
Sentinel Ingest syslog and CEF messages to Microsoft Sentinel - AMA .../blob/main/articles/sentinel/connect-cef-syslog-ama.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Windows First, Powershell Heavy
Summary
The documentation page is primarily focused on ingesting syslog and CEF messages from Linux machines and network devices into Microsoft Sentinel, and generally provides Linux-centric instructions. However, there are subtle signs of Windows bias: PowerShell is mentioned as an installation method for the Azure Monitor Agent before Azure CLI, and the documentation refers to using the Azure portal and Defender portal (both Windows-centric GUIs) as primary configuration interfaces. Additionally, the installation instructions reference PowerShell before CLI, and there is no explicit parity check to ensure Linux users are not directed to Windows-specific tooling.
Recommendations
  • When listing installation methods for the Azure Monitor Agent, mention Azure CLI before PowerShell, or provide Linux-specific instructions first.
  • Explicitly state which instructions are for Linux and which are for Windows, and ensure Linux instructions are clearly separated and prioritized for Linux scenarios.
  • Provide more CLI and script-based examples for Linux users, and avoid referencing Windows-centric tools or GUIs unless necessary.
  • Where PowerShell is mentioned, clarify that it is primarily for Windows and direct Linux users to the Azure CLI or bash alternatives.
  • Add troubleshooting and validation steps that use Linux-native tools (e.g., systemctl, journalctl) in addition to netstat and tcpdump.
  • Review all links and references to ensure that Linux documentation is not overshadowed by Windows documentation, and that Linux users are not inadvertently directed to Windows-specific content.
Sentinel Stream and filter Windows DNS logs with the AMA connector ...re-docs/blob/main/articles/sentinel/connect-dns-ama.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation is heavily focused on Windows DNS servers, with all examples, prerequisites, and instructions tailored exclusively to Windows environments. There are no references to Linux-based DNS servers, nor examples or guidance for configuring the AMA connector with Linux systems. Windows terminology and tools are used throughout, and Linux parity is not addressed.
Recommendations
  • Add explicit guidance and examples for using the AMA connector with Linux-based DNS servers (e.g., BIND, Unbound).
  • Include Linux prerequisites, such as supported distributions, required packages, and log formats.
  • Provide parallel configuration steps for Linux systems, both via portal and API, including sample DCRs for Linux DNS logs.
  • Reference Linux event log locations and how to enable analytical logging for common Linux DNS servers.
  • Update terminology to be inclusive of both Windows and Linux environments, where applicable.
  • Clarify any limitations or differences in connector support between Windows and Linux DNS servers.
Sentinel Stream data from Microsoft Defender XDR to Microsoft Sentinel in the Azure portal ...in/articles/sentinel/connect-microsoft-365-defender.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Windows First, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias by focusing exclusively on Microsoft Defender XDR and its integration with Microsoft Sentinel, both of which are primarily Windows-centric security solutions. The event tables and examples reference Windows-specific concepts (e.g., Windows Defender Antivirus, registry events, DLL loading, Active Directory), and there is no mention of Linux-specific security events, connectors, or integration patterns. All examples and instructions are tailored to Windows environments, with no guidance for Linux endpoints or cross-platform scenarios.
Recommendations
  • Add explicit guidance and examples for integrating Linux endpoints with Microsoft Sentinel, including supported connectors and event types.
  • Include sample KQL queries and event tables relevant to Linux systems (e.g., Syslog, auditd, Linux authentication events) alongside Windows examples.
  • Document any limitations or differences in data ingestion and incident management for Linux versus Windows endpoints.
  • Reference Linux security tools and patterns (such as SELinux, auditd, or Linux Defender agents) where applicable.
  • Ensure parity in instructions for configuring connectors and verifying data ingestion from both Windows and Linux sources.
Sentinel Use Azure Functions to connect Microsoft Sentinel to your data source | Microsoft Docs .../articles/sentinel/connect-azure-functions-template.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Powershell Heavy, Windows First, Windows Tools, Missing Linux Example
Summary
The documentation demonstrates a Windows bias by prioritizing PowerShell-based deployment instructions and referencing Windows-centric tools and patterns. The manual deployment section provides detailed steps for PowerShell (Windows) and Python, but the PowerShell instructions are more prominent and detailed, and there is no mention of Linux shell or cross-platform alternatives. The prerequisites and configuration steps reference Windows-specific concepts (e.g., workspace keys via agent-windows), and there are no explicit Linux or bash examples or instructions. The Python deployment requires Visual Studio Code, which is cross-platform, but no Linux-specific guidance is given.
Recommendations
  • Add explicit Linux/bash shell deployment instructions alongside PowerShell, especially for manual deployments.
  • Include examples using Linux tools (e.g., Azure CLI in bash) and clarify cross-platform compatibility for all steps.
  • Reference Linux agents and provide parity in documentation for workspace key retrieval and other operations.
  • Ensure that all code samples and configuration steps are validated and documented for both Windows and Linux environments.
  • Consider reordering sections so that cross-platform or Linux instructions are presented before or alongside Windows/PowerShell instructions.
Sentinel Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel - AMA ...blob/main/articles/sentinel/connect-custom-logs-ama.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Powershell Heavy, Windows Tools
Summary
The documentation page demonstrates a moderate Windows bias. Windows terminology (e.g., 'Windows Event log') is mentioned before Linux equivalents (e.g., 'Syslog'). Installation instructions and tooling references (such as PowerShell) are listed before Linux alternatives (Azure CLI). Screenshots and UI flows are generic, but command-line examples and agent installation instructions prioritize Windows/PowerShell. Linux-specific instructions (e.g., syslog configuration, Python requirements) are present but often appear after Windows references or are less detailed.
Recommendations
  • Ensure Linux and Windows instructions/examples are presented in parallel, with equal detail and prominence.
  • List Linux tools (e.g., Azure CLI, shell commands) before or alongside Windows tools (e.g., PowerShell), not after.
  • Provide explicit Linux command-line examples for agent installation and configuration, not just references.
  • Include screenshots or UI flows from Linux environments where relevant.
  • Expand troubleshooting and best practices sections to cover Linux-specific scenarios equally with Windows.
  • Review and update terminology to avoid defaulting to Windows-first language (e.g., mention Syslog before Windows Event log when discussing log sources).
Sentinel Create scheduled analytics rules in Microsoft Sentinel | Microsoft Docs .../blob/main/articles/sentinel/create-analytics-rules.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Powershell Heavy, Windows First
Summary
The documentation page demonstrates a Windows bias primarily through its references to PowerShell and Windows-centric tooling for automation and rule management. The 'Next steps' section specifically mentions PowerShell as a method for automating rule enablement, without mentioning Linux-native alternatives or cross-platform CLI tools. Additionally, the documentation refers to the Azure and Defender portals, which are web-based and platform-agnostic, but omits any guidance for users who may prefer or require Linux command-line tools or automation patterns. There are no Linux-specific examples, nor is there mention of Azure CLI or REST API usage from Linux environments, and PowerShell is presented as the main automation method.
Recommendations
  • Add examples using Azure CLI for rule management and automation, demonstrating usage from Linux/macOS terminals.
  • Explicitly mention REST API usage from Linux environments, including sample curl commands for exporting/importing rules.
  • Where PowerShell is referenced, clarify that PowerShell Core is cross-platform and provide installation guidance for Linux users.
  • Include a section or note on how to perform equivalent tasks from Linux systems, such as using bash scripts or other automation tools.
  • Ensure parity in automation instructions by providing both PowerShell and Azure CLI (or bash/curl) examples side-by-side.
Sentinel Create scheduled analytics rules from templates in Microsoft Sentinel | Microsoft Docs ...ticles/sentinel/create-analytics-rule-from-template.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Powershell Heavy, Windows Tools, Missing Linux Example
Summary
The documentation provides guidance for creating scheduled analytics rules in Microsoft Sentinel, but when discussing automation and rule management, it only mentions PowerShell and API methods, with PowerShell being highlighted as a primary tool. There are no examples or references to Linux-native tools or CLI alternatives (such as Bash, curl, or az CLI), nor is there any mention of Linux-specific workflows or parity in automation. This suggests a bias toward Windows-centric tooling and patterns.
Recommendations
  • Include examples using cross-platform tools such as Azure CLI (az), which works on both Windows and Linux.
  • Provide sample commands for Linux environments, such as using curl for API calls or Bash scripts for automation.
  • Clarify that PowerShell Core is available on Linux, and provide instructions for installing and using it in Linux environments if PowerShell is required.
  • Add explicit Linux workflow guidance or parity notes where automation is discussed, ensuring that Linux users are not excluded or forced to use Windows-centric tools.
  • Where possible, present API and CLI examples before or alongside PowerShell, to avoid implying that PowerShell is the default or preferred method.
Sentinel Onboarding to Microsoft Sentinel data lake and graph ...articles/sentinel/datalake/sentinel-lake-onboarding.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation is heavily oriented toward Microsoft cloud and security products, with all examples, tools, and workflows referencing Microsoft Defender, Sentinel, Entra, and Purview portals. There are no references to Linux-specific tools, command-line interfaces, or onboarding steps outside the Microsoft ecosystem. The documentation assumes usage of the Defender portal and does not provide alternative instructions or parity for Linux administrators or those using non-Windows environments.
Recommendations
  • Add onboarding instructions and examples for Linux environments, including CLI-based steps using Azure CLI, Bash, or PowerShell Core on Linux.
  • Include references to cross-platform tools and workflows, such as REST API calls or Terraform scripts, for onboarding and managing Sentinel data lake and graph.
  • Explicitly mention compatibility and usage from Linux systems, and provide troubleshooting steps or considerations for non-Windows platforms.
  • Ensure that portal-based instructions are supplemented with command-line or automation alternatives that work on Linux and macOS.
Sentinel Audit log for Microsoft Sentinel data lake and graph in Microsoft Purview portal ...articles/sentinel/datalake/auditing-lake-activities.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Powershell Heavy, Missing Linux Example, Windows Tools, Windows First
Summary
The documentation page demonstrates a Windows bias by providing only PowerShell examples for searching the audit log, referencing Windows-centric tools and patterns (such as Excel export and PowerShell cmdlets), and omitting equivalent Linux or cross-platform command-line instructions. There are no examples using bash, curl, Python, or other cross-platform tools to access the audit log or Office 365 Management API. The workflow assumes a Windows/PowerShell environment, which may exclude Linux and macOS users.
Recommendations
  • Provide equivalent examples using bash, curl, or Python scripts to query the Office 365 Management API for audit log events, ensuring Linux and macOS users can follow along.
  • Mention and demonstrate cross-platform tools (such as Microsoft Graph API with curl or Python) for accessing audit logs.
  • Include instructions for exporting and analyzing results in open formats (e.g., CSV) and using open-source tools (e.g., LibreOffice Calc, pandas) instead of only referencing Excel.
  • Where PowerShell is referenced, clarify if PowerShell Core (cross-platform) is supported, and if so, provide installation and usage notes for Linux/macOS.
  • Reorder or parallelize instructions so that Windows and Linux/macOS approaches are presented together, rather than Windows-first.
Sentinel Create jobs in the Microsoft Sentinel data lake ...-docs/blob/main/articles/sentinel/datalake/kql-jobs.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias primarily through its exclusive use of Azure portal GUI instructions, which are most commonly accessed from Windows environments. The only explicit OS mentioned in the job templates is 'Windows' (e.g., 'Windows suspicious login outside normal hours'), with no equivalent Linux-focused examples or templates. There are no references to Linux tools, shell commands, or CLI alternatives (such as Azure CLI, Bash, or PowerShell cross-platform usage), nor are Linux-specific scenarios or logs (e.g., syslog, auditd) covered. The workflow and screenshots are tailored to the Defender portal and Azure portal, which are typically used in Windows-centric environments.
Recommendations
  • Add Linux-focused job templates (e.g., anomaly detection for Linux authentication logs, process execution baselines for Linux hosts, Linux network traffic analysis).
  • Include examples and instructions for creating and managing jobs using Azure CLI, Bash, or cross-platform tools, not just the Azure portal GUI.
  • Reference Linux log sources (such as syslog, auditd, or Linux endpoint logs) in template examples and documentation.
  • Provide parity in troubleshooting and operational guidance for Linux-based environments, including common error messages and best practices.
  • Explicitly mention that the workflow is supported on non-Windows platforms and clarify any platform-specific limitations.
Sentinel Notebook examples for querying the Microsoft Sentinel data lake ...b/main/articles/sentinel/datalake/notebook-examples.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First 🔧 Windows Tools Missing Linux Example
Summary
The documentation page exhibits Windows bias by referencing Visual Studio Code (VS Code) and the Microsoft Sentinel extension as the primary environment for running Jupyter notebooks, without mentioning Linux alternatives or cross-platform setup. There are no examples or guidance for running the notebooks on Linux or macOS, nor any mention of Linux-specific tools or patterns. The language and screenshots assume a Windows-centric workflow, and prerequisites focus on Windows tooling.
Recommendations
  • Explicitly mention that Jupyter notebooks and the Microsoft Sentinel Python SDK can be used on Linux and macOS, not just Windows.
  • Provide instructions or examples for setting up and running the notebooks on Linux (e.g., using JupyterLab or classic Jupyter Notebook, installing required Python packages via pip).
  • Include screenshots or references to Linux environments (such as Ubuntu Desktop, GNOME Terminal, etc.) to demonstrate parity.
  • Clarify that the Microsoft Sentinel extension for VS Code is available cross-platform, or offer alternatives for Linux users if there are limitations.
  • Add troubleshooting or environment setup notes for Linux users, such as handling Spark, Python, and package dependencies.
  • Avoid language that implies Windows is the default or only supported platform (e.g., 'within Visual Studio Code' could be expanded to 'using Jupyter notebooks in Visual Studio Code or other environments').
Sentinel Microsoft Sentinel DNS over AMA connector reference - available fields and normalization schema ...ure-docs/blob/main/articles/sentinel/dns-ama-fields.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First Missing Linux Example 🔧 Windows Tools
Summary
The documentation exclusively focuses on Windows DNS servers and the Windows DNS Events via AMA connector, with no mention of Linux DNS servers, Linux logging tools, or equivalent connectors for non-Windows platforms. All examples, field mappings, and schema references are specific to Windows, and Windows tools (AMA, Windows DNS Events) are mentioned without Linux alternatives.
Recommendations
  • Add information about collecting and normalizing DNS logs from Linux-based DNS servers (e.g., BIND, Unbound, dnsmasq) and describe any available connectors or ingestion methods for Linux.
  • Provide equivalent field mapping tables for Linux DNS log formats, showing how their fields map to the normalized schema.
  • Include examples or references for configuring DNS log collection on Linux platforms, and how to integrate those logs into Microsoft Sentinel.
  • If Linux support is not available, explicitly state this limitation and provide guidance or roadmap information for cross-platform parity.
Sentinel Microsoft Sentinel entity types reference | Microsoft Docs ...docs/blob/main/articles/sentinel/entities-reference.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First 🔧 Windows Tools Missing Linux Example
Summary
The documentation page exhibits a Windows bias in several ways: Windows-centric terminology (NTDomain, NetBiosName, SID, RegistryKey, RegistryValue) is used throughout, often without Linux equivalents or explanations. Windows-specific concepts (such as NTFS AlternateDataStreamName, WindowsSecurityZoneType, and registry hives) are referenced exclusively. The entity schemas and identifier examples prioritize Windows constructs, and there are no examples or explicit mentions of Linux-specific identifiers, tools, or patterns, despite the OSFamily field supporting Linux. No Linux-specific file paths, process attributes, or system concepts are provided.
Recommendations
  • Add Linux-specific examples and attributes for relevant entity types (e.g., file paths using /home/user/file, Linux process attributes like UID/GID, SELinux context, etc.).
  • For fields like RegistryKey and RegistryValue, clarify that these are Windows-only and provide equivalent Linux concepts (such as configuration files, systemd unit files, or dconf/gsettings for desktop environments).
  • In the Host entity, provide examples of Linux hostnames, domain joining (e.g., sssd/realmd), and mention Linux-specific identifiers (such as machine-id, /etc/hostname, etc.).
  • For Account entities, include Linux account identifiers (e.g., UID, /etc/passwd username, group membership) and clarify differences in domain concepts.
  • Where Windows-specific fields are present (e.g., NTDomain, NetBiosName, SID), explicitly note their OS applicability and suggest Linux alternatives or state when fields are not relevant.
  • Include Linux process examples (e.g., process ID, command line, parent PID, etc.) and clarify differences in process management.
  • Review all entity schemas for opportunities to add Linux parity and cross-reference OS-specific documentation where appropriate.