Detected Bias Types
- Windows First
- Windows Tools
- Missing Linux Example

Summary
The documentation exhibits a Windows bias: it prioritizes Windows data sources (e.g., Windows Security Events, Windows Forwarded Events) and references Windows-specific concepts (Active Directory, SID, local admin) without giving equivalent Linux examples. Device and user enrichments focus on Windows attributes (e.g., DeviceFamily: Windows, OperatingSystem: Windows 10, OnPremisesSID), and there is no mention of Linux authentication logs, Linux device families, or Linux-specific enrichments. No Linux log sources (such as syslog, auditd, or Linux authentication events) are referenced, and Linux device types are absent from both the sample values and the schema.
Recommendations
- Add Linux-specific data sources to the UEBA data sources table, such as syslog, auditd, or Linux authentication logs.
- Include Linux device families and operating systems in sample values and enrichments (e.g., DeviceFamily: Linux, OperatingSystem: Ubuntu 22.04).
- Provide examples of Linux user and device enrichments, such as Linux user/group IDs, sudoers status, or SSH key usage.
- Reference Linux equivalents for concepts like 'local admin' (e.g., users in the sudo or wheel group).
- Clarify support for Linux endpoints in UEBA, and document any limitations or configuration steps for Linux log ingestion.
- Ensure parity in schema fields for Linux-specific attributes (e.g., UID, GID, PAM authentication events).