Total Pages: 391
Linux-Friendly Pages: 285
Pages with Bias: 106
Bias Rate: 27.1%

Bias Trend Over Time

Pages with Bias Issues

488 issues found
Showing 51-75 of 488 flagged pages
Sentinel Scheduled analytics rules in Microsoft Sentinel | Microsoft Docs ...lob/main/articles/sentinel/scheduled-rules-overview.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Windows First, Missing Linux Example
Summary
The documentation page for scheduled analytics rules in Microsoft Sentinel demonstrates a Windows bias primarily through its references to PowerShell and API as the main automation methods for rule enablement, without mentioning Linux-native equivalents or cross-platform CLI tools. PowerShell is highlighted as a key method for enabling rules, and no Linux shell (bash, az CLI) or platform-neutral examples are provided. The documentation does not offer parity for Linux users in terms of automation or scripting guidance.
Recommendations
  • Include examples using Azure CLI (az) for rule management and automation, alongside PowerShell.
  • Explicitly mention that API-based automation can be performed from any OS, and provide sample curl/bash commands for Linux users.
  • Add notes or examples for exporting/importing rules using Linux tools (e.g., jq, curl, az CLI).
  • Ensure that references to PowerShell are balanced with Linux-friendly alternatives, and avoid presenting Windows tools first or exclusively.
  • Where possible, provide cross-platform instructions or clarify platform requirements for each method.
Sentinel Deploy Microsoft Sentinel solution for SAP BTP .../main/articles/sentinel/sap/deploy-sap-btp-solution.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Powershell Heavy, Windows Tools, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias by providing only a PowerShell script for automating BTP client secret rotation, referencing Azure PowerShell modules and workflows. There are no equivalent examples for Linux environments (such as Bash or Azure CLI), nor is there mention of cross-platform alternatives. The automation and scripting guidance is tailored to Windows users, making it less accessible for Linux administrators.
Recommendations
  • Provide equivalent Bash or Azure CLI script examples for Linux/macOS environments, especially for tasks like rotating client secrets and interacting with Azure Key Vault.
  • Explicitly mention that the automation steps can be performed on Linux and macOS, and link to relevant cross-platform tooling documentation.
  • Where PowerShell is used, clarify whether PowerShell Core (cross-platform) is supported, and provide installation guidance for non-Windows platforms.
  • Add notes or sections highlighting Linux-native tools and patterns for interacting with Azure and SAP BTP, ensuring parity in instructions and examples.
Sentinel Create Hunting Queries for Microsoft Sentinel Solutions ...n/articles/sentinel/sentinel-hunting-rules-creation.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Powershell Heavy, Windows Tools, Windows First
Summary
The documentation page demonstrates Windows bias primarily in the 'ID' attribute section, where PowerShell's New-GUID cmdlet is mentioned as the example tool for generating GUIDs, with no mention of Linux or cross-platform alternatives. The only explicit tool recommendation is Windows/PowerShell-centric, and it is presented first and exclusively. No Linux or macOS command-line equivalents (such as uuidgen) are referenced. The rest of the documentation is platform-neutral, but this section stands out as Windows-focused.
Recommendations
  • Include Linux and macOS command-line alternatives for GUID generation, such as 'uuidgen' or 'cat /proc/sys/kernel/random/uuid'.
  • Present cross-platform or web-based GUID generators before or alongside PowerShell examples.
  • Explicitly state that any tool or method capable of generating a GUID is acceptable, and provide links or examples for multiple platforms.
  • Review other sections for similar tool recommendations and ensure parity by providing both Windows and Linux/macOS examples where relevant.
Sentinel Create Playbooks for Microsoft Sentinel Solutions ...b/main/articles/sentinel/sentinel-playbook-creation.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Powershell Heavy, Windows Tools, Missing Linux Example, Windows First
Summary
The documentation page demonstrates a strong Windows bias in its guidance for generating ARM templates for playbooks. It exclusively provides instructions and tooling based on PowerShell scripts, references Windows PowerShell and Visual Studio Code, and includes commands specific to PowerShell (e.g., Set-ExecutionPolicy). There are no equivalent examples or instructions for Linux or macOS users, nor are alternative cross-platform tools (such as Azure CLI or Bash scripts) mentioned. The documentation assumes a Windows environment and does not address Linux workflows or shell environments.
Recommendations
  • Provide equivalent instructions for Linux and macOS users, including how to run the ARM template generator script using PowerShell Core on those platforms.
  • Offer alternative methods for generating and sanitizing ARM templates, such as using Azure CLI, Bash scripts, or REST API calls.
  • Explicitly mention cross-platform compatibility of the PowerShell script and provide installation guidance for PowerShell Core on Linux/macOS.
  • Include Linux/macOS-specific commands and examples (e.g., how to set execution policy, run scripts, and save files).
  • List cross-platform editors (such as VS Code, nano, vim) when suggesting tools to edit scripts or templates.
  • Add a note clarifying which steps and tools are platform-agnostic and which require adaptation for non-Windows environments.
Sentinel Create Summary Rules for Microsoft Sentinel Solutions ...n/articles/sentinel/sentinel-summary-rules-creation.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Windows First, Missing Linux Example
Summary
The documentation page exhibits Windows bias by exclusively mentioning the PowerShell New-GUID cmdlet as a method to generate GUIDs, without referencing Linux or cross-platform alternatives. No Linux or macOS command-line tools (such as uuidgen) are suggested, and the only concrete example for GUID generation is Windows-centric. This may unintentionally signal that Windows is the primary or preferred platform for development, and could hinder parity for Linux users.
Recommendations
  • Include Linux/macOS equivalents for GUID generation, such as the uuidgen command.
  • Present cross-platform or web-based GUID generators before or alongside PowerShell examples.
  • Explicitly state that any tool capable of generating a GUID is acceptable, and provide examples for multiple platforms.
  • Review other sections for similar platform-specific references and ensure parity in tooling and examples.
Sentinel Import threat intelligence with the upload API ...e-docs/blob/main/articles/sentinel/stix-objects-api.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Powershell Heavy, Windows Tools, Missing Linux Example, Windows First
Summary
The documentation page demonstrates a clear Windows bias in its example for calling the upload API, providing only a PowerShell function using the MSAL.PS module and referencing Windows-specific certificate stores. No equivalent Linux or cross-platform examples (such as curl, Python, or bash) are provided. The only concrete code sample is for PowerShell, and Windows tooling is mentioned exclusively and first. This may hinder Linux users or those using non-Windows environments from easily following the instructions.
Recommendations
  • Add Linux and cross-platform examples for calling the API, such as using curl, Python (requests + MSAL), or bash scripts.
  • Include instructions for acquiring certificates and tokens on Linux/macOS, avoiding references to Windows-only certificate stores (e.g., Cert:\CurrentUser\My).
  • Mention cross-platform authentication libraries (MSAL for Python, Node.js, etc.) and provide sample code.
  • Present examples in a platform-neutral order, or explicitly state that the API can be called from any OS.
  • Clarify that the API is not limited to Windows and PowerShell, and encourage contributions/examples from other platforms.
Sentinel Discover and deploy Microsoft Sentinel out-of-the-box content from Content hub ...ob/main/articles/sentinel/sentinel-solutions-deploy.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Powershell Heavy, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias primarily through its focus on Microsoft portals (Defender and Azure), and by referencing PowerShell as a deployment method before mentioning alternatives. There are no explicit Linux-specific examples, tools, or instructions, and the documentation does not mention Linux command-line equivalents or provide parity for Linux users in automation or deployment steps.
Recommendations
  • Add Linux-specific examples for deploying ARM templates, such as using Azure CLI on Linux or Bash scripts.
  • Explicitly mention cross-platform compatibility for tools like Azure CLI and provide sample commands for Linux environments.
  • Include notes or sections that address Linux users, clarifying any differences in experience or steps when using Linux-based systems.
  • When listing deployment options (e.g., PowerShell, Azure CLI, REST API), avoid listing PowerShell first or exclusively; provide equal visibility to Linux-friendly tools.
  • Reference Linux-native automation tools (such as shell scripts or Ansible) where appropriate, especially in sections about automation and API usage.
Sentinel Microsoft Sentinel skill-up training ...docs/blob/main/articles/sentinel/skill-up-resources.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Windows First, Windows Tools, Powershell Heavy, Missing Linux Example
Summary
The documentation demonstrates a moderate Windows bias. Windows and Microsoft-centric tools, services, and terminology are consistently foregrounded, with Windows-specific features and integrations (such as PowerShell, Windows Security Events, and Windows-only monitoring solutions) mentioned before or instead of Linux equivalents. There is a lack of explicit Linux-focused examples, and Linux tooling is rarely highlighted or described in parity with Windows. While some Linux support is implied (e.g., Syslog, CEF, Heartbeat table), Linux-specific guidance, examples, or best practices are generally missing or less visible.
Recommendations
  • Provide Linux-specific examples and walkthroughs alongside or before Windows examples, especially in modules about data collection, log management, and monitoring.
  • Explicitly mention and link to Linux documentation, tools, and connectors (e.g., Syslog, auditd, Linux agent configuration) wherever Windows tools (such as PowerShell or Windows Security Events) are discussed.
  • Ensure parity in operational guidance: when describing monitoring, troubleshooting, or automation (e.g., health monitoring, incident response), include Linux agent and log sources, not just Windows.
  • Highlight cross-platform capabilities and clarify where features are Windows-only versus available on Linux.
  • Include Linux-focused use cases, such as onboarding Linux servers, collecting Linux audit logs, or automating responses on Linux endpoints.
  • When referencing automation (e.g., PowerShell), also mention alternatives for Linux (such as Bash scripts, Python, or REST API usage).
Sentinel Microsoft Sentinel User and Entity Behavior Analytics (UEBA) reference ...ure-docs/blob/main/articles/sentinel/ueba-reference.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Missing Linux Example
Summary
The documentation exhibits a Windows bias by prioritizing Windows data sources (e.g., Windows Security Events, Windows Forwarded Events) and referencing Windows-specific concepts (Active Directory, SID, local admin) without equivalent Linux examples or parity. Device and user enrichments focus on Windows attributes (e.g., DeviceFamily: Windows, OperatingSystem: Windows 10, OnPremisesSID), and there is no mention of Linux authentication logs, Linux device families, or Linux-specific enrichments. No Linux log sources (such as syslog, auditd, or Linux authentication events) are referenced, and Linux device types are absent from sample values and schema.
Recommendations
  • Add Linux-specific data sources to the UEBA data sources table, such as syslog, auditd, or Linux authentication logs.
  • Include Linux device families and operating systems in sample values and enrichments (e.g., DeviceFamily: Linux, OperatingSystem: Ubuntu 22.04).
  • Provide examples of Linux user and device enrichments, such as Linux user/group IDs, sudoers status, or SSH key usage.
  • Reference Linux equivalents for concepts like 'local admin' (e.g., users in the sudo or wheel group).
  • Clarify support for Linux endpoints in UEBA, and document any limitations or configuration steps for Linux log ingestion.
  • Ensure parity in schema fields for Linux-specific attributes (e.g., UID, GID, PAM authentication events).
Sentinel Use matching analytics to detect threats ...s/sentinel/use-matching-analytics-to-detect-threats.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias by listing Windows-specific data sources (Windows DNS, Windows Firewall) and connectors before Linux equivalents, and by referencing Windows tools and patterns (such as Windows DNS and Windows Firewall) without providing explicit Linux examples or parity (e.g., Linux DNS or firewall logs). While Syslog and CEF are mentioned, there are no concrete Linux-focused examples, screenshots, or instructions. The configuration and triage steps are generic and platform-agnostic, but the overall framing and examples favor Windows environments.
Recommendations
  • Add explicit Linux examples, such as how to ingest and match Linux DNS logs (e.g., BIND, Unbound) and Linux firewall logs (e.g., iptables, nftables) in Microsoft Sentinel.
  • Include screenshots and configuration steps for Linux data sources and connectors alongside Windows examples.
  • Mention and link to Linux-specific solutions in the data connector table (e.g., Linux DNS, Linux firewall).
  • Ensure parity in documentation by describing how matching analytics works with Linux event sources and providing troubleshooting tips for Linux environments.
  • Avoid listing Windows tools and connectors before Linux equivalents; present them together or alternate order to reduce perceived bias.
Sentinel Syslog via AMA connector - configure appliances and devices ...n/articles/sentinel/unified-connector-syslog-device.md
High Priority
Scanned: 2026-01-11 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Windows First, Missing Linux Example
Summary
The documentation is generally Linux-focused, as most examples reference forwarding syslog to a Linux device with the agent installed. However, there are some instances of Windows bias: the Oracle Database Audit section references 'Event Viewer' (a Windows tool) alongside syslog, and the Ivanti Unified Endpoint Management section links to Windows-specific instructions. Additionally, the documentation does not provide explicit Linux configuration examples (e.g., syslog-ng, rsyslog, or journald setup) for the agent host itself, nor does it mention Windows equivalents or clarify cross-platform agent installation. The ordering in Oracle Database Audit places 'Event Viewer' after syslog, but its inclusion may confuse Linux-focused users.
Recommendations
  • Provide explicit Linux syslog configuration examples (e.g., rsyslog, syslog-ng) for agent hosts, including sample config snippets.
  • Clarify agent installation steps for both Linux and Windows hosts, if supported, and provide parity in example coverage.
  • For appliances or software that support both Windows and Linux log forwarding, mention both options and provide links/examples for each.
  • Where Windows tools (e.g., Event Viewer) are referenced, clarify their relevance and provide Linux equivalents or alternatives.
  • Review and update links that point to Windows-only documentation (e.g., Ivanti) to include Linux instructions if available.
Sentinel Reduce costs for Microsoft Sentinel ...cs/blob/main/articles/sentinel/billing-reduce-costs.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page demonstrates Windows bias primarily in the 'Use data collection rules for your Windows Security Events' section, where only Windows-specific data collection (Windows Security Events connector) is discussed, with no mention of Linux equivalents or examples. Windows tools and connectors are referenced exclusively, and there are no Linux-focused instructions or parity in data collection guidance. The ordering and focus on Windows-specific tooling further reinforce the bias.
Recommendations
  • Add equivalent guidance and examples for collecting Linux security events, such as using the Linux Auditd connector or Syslog connector.
  • Include instructions for configuring data collection rules for Linux servers, highlighting any differences or best practices.
  • Reference Linux data sources and connectors alongside Windows ones, ensuring both are covered equally.
  • Provide cross-platform examples where possible, or clearly indicate platform-specific steps.
  • Review other sections for implicit Windows-first assumptions and ensure Linux parity in recommendations and tooling.
Sentinel Stream data from Microsoft Purview Information Protection to Microsoft Sentinel ...ob/main/articles/sentinel/connect-microsoft-purview.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Missing Linux Example, Windows First
Summary
The documentation is heavily oriented toward Microsoft cloud and Windows-centric tools (Azure portal, Microsoft Sentinel, Office Management API, Kusto Query Language). There are no examples or guidance for Linux environments, nor are cross-platform alternatives or CLI-based setup instructions provided. The workflow assumes use of graphical interfaces and Microsoft-specific infrastructure, which are most commonly accessed from Windows systems.
Recommendations
  • Add instructions for configuring the connector using Azure CLI or PowerShell Core, which are available cross-platform.
  • Provide examples for accessing and querying data from Linux environments, such as using REST APIs or command-line tools.
  • Mention and document any platform requirements or limitations explicitly, clarifying whether Linux users can perform all steps.
  • Include references to open-source or cross-platform tools for log analysis and reporting, where applicable.
  • Ensure parity in example queries and workflows for users who may not have access to Windows GUIs.
Sentinel Onboarding to Microsoft Sentinel data lake and graph ...articles/sentinel/datalake/sentinel-lake-onboarding.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page focuses exclusively on onboarding to Microsoft Sentinel data lake and graph through Microsoft Defender and related Microsoft portals, which are primarily accessed via web interfaces or Windows-centric tools. There are no examples or instructions for Linux users, such as command-line onboarding steps, REST API usage, or integration with Linux-native tools. The documentation references Microsoft Defender, Microsoft Sentinel, and Azure Resource Graph, all of which are typically managed through Windows environments or portals, with no mention of Linux alternatives or parity.
Recommendations
  • Provide onboarding instructions using REST APIs or Azure CLI, which are cross-platform and can be run on Linux.
  • Include examples of how to onboard and manage Sentinel data lake and graph from Linux environments, such as using Bash scripts or Linux shell commands.
  • Mention and document any Linux-compatible tools or SDKs for interacting with Microsoft Sentinel data lake and graph.
  • Clarify whether all features described are accessible from Linux systems, and if not, provide guidance or workarounds.
  • Add explicit Linux examples alongside any Windows or portal-based instructions to ensure parity.
Sentinel Create scheduled analytics rules in Microsoft Sentinel | Microsoft Docs .../blob/main/articles/sentinel/create-analytics-rules.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Powershell Heavy, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias primarily through its focus on Windows-centric tools and workflows. PowerShell is mentioned as the primary automation method for enabling rules, with no mention of Linux-native alternatives (such as Bash, Azure CLI, or REST API usage from Linux). The only automation example provided is PowerShell, and Windows tools are referenced before any cross-platform or Linux equivalents. There are no Linux-specific examples or guidance for users working in non-Windows environments.
Recommendations
  • Provide automation examples using Azure CLI and REST API, which are cross-platform and work natively on Linux and macOS.
  • Explicitly mention that PowerShell Core is available on Linux and macOS, or provide instructions for installing and using it in those environments.
  • Include sample workflows or scripts for Linux users, such as Bash scripts or Azure CLI commands for rule management.
  • Clarify that all portal-based instructions (Azure portal, Defender portal) are accessible from any OS with a supported browser.
  • Add a note or section on Linux compatibility and best practices for Sentinel automation and management.
Sentinel This file is auto-generated. Do not edit manually. Changes will be overwritten. ...in/articles/sentinel/includes/deprecated-connectors.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias by frequently mentioning Windows agents and Windows machines before Linux equivalents, providing detailed prerequisites and installation steps for Windows environments, and referencing Windows-specific tools (e.g., Windows agent, PowerShell). Linux coverage is limited to a single Syslog connector section, with less detail and no parity in example depth or troubleshooting guidance compared to Windows sections.
Recommendations
  • Ensure that Linux data connector examples are as detailed as Windows ones, including prerequisites, installation steps, and troubleshooting.
  • Provide Linux-specific agent installation and configuration instructions alongside Windows instructions, rather than after or in a separate section.
  • Include parity in documentation links for Linux tools (e.g., CLI, shell scripts) where Windows PowerShell is referenced.
  • Explicitly mention support for Linux and hybrid environments in introductory and connector descriptions.
  • Add examples of ingesting Linux-specific logs (e.g., auth.log, secure, application logs) and how to configure them for Sentinel.
Sentinel The Advanced Security Information Model (ASIM) Network Session normalization schema reference | Microsoft Docs ...main/articles/sentinel/normalization-schema-network.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Windows Examples
Summary
The documentation exhibits mild Windows bias. Windows-specific terminology, formats, and examples are frequently used or mentioned first, such as Windows domain\hostname format, Windows process paths (e.g., C:\Windows\explorer.exe), and Windows-specific username types. Linux equivalents are referenced but not illustrated with examples, and Windows formats are often described in detail while Linux formats are only briefly mentioned. There are no explicit PowerShell-heavy sections, but Windows-centric patterns and examples are prevalent.
Recommendations
  • Provide Linux-specific examples alongside Windows examples, such as Linux process paths (e.g., /usr/bin/sshd) and Linux username formats.
  • When describing fields that support both Windows and Linux formats, give equal detail and examples for both (e.g., show Linux FQDN and domain formats).
  • Avoid listing Windows formats or terminology first; alternate or group by OS-neutral conventions.
  • Clarify normalization requirements for Linux systems, especially where conversion or mapping is needed (e.g., process IDs, domain formats).
  • Include references to Linux tools and patterns where relevant (e.g., mention common Linux network interface names, process naming conventions, and user ID formats).
Sentinel Create Summary Rules for Microsoft Sentinel Solutions ...n/articles/sentinel/sentinel-summary-rules-creation.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Windows First, Missing Linux Example
Summary
The documentation page exhibits Windows bias by exclusively mentioning PowerShell (New-GUID cmdlet) as a method to generate GUIDs, without referencing Linux or cross-platform alternatives. No Linux-specific tools or examples are provided, and the Windows tool is mentioned first and solely, implying it as the default or preferred method.
Recommendations
  • Include Linux and cross-platform alternatives for generating GUIDs, such as 'uuidgen' (Linux/macOS) or Python's 'uuid' module.
  • Present examples for both Windows (PowerShell) and Linux/macOS (shell commands) side-by-side, or mention platform-agnostic online generators.
  • Avoid implying Windows tools as the default by listing alternatives together or in alphabetical/platform order.
  • Review other sections for similar bias and ensure parity in tool recommendations and examples.
Sentinel Anomalies detected by the Microsoft Sentinel machine learning engine ...ocs/blob/main/articles/sentinel/anomalies-reference.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Missing Linux Example
Summary
The documentation page exhibits a Windows bias in several ways: anomaly detections and machine learning models are heavily focused on Windows Security logs (e.g., event IDs 4624 and 4625), with no equivalent coverage or examples for Linux systems. Windows-specific terminology and tools (such as Windows Security logs and PowerShell as a sub-technique) are referenced, while Linux audit logs, syslog, or other Linux-native mechanisms are absent. There are no examples or descriptions of anomaly detection for Linux account creation, logins, or brute force attempts, nor is there mention of Linux-specific event sources or patterns.
Recommendations
  • Add equivalent anomaly detection rules and descriptions for Linux systems, such as monitoring /var/log/auth.log, /var/log/secure, or auditd logs for account creation, deletion, and login events.
  • Include Linux-specific event IDs, syslog patterns, or audit rules alongside Windows Security log references.
  • Provide examples of anomaly detection for Linux brute force attempts, privilege escalation, and code execution (e.g., monitoring sudo, su, or shell activity).
  • Reference Linux tools and mechanisms (such as auditd, syslog, journald, or systemd) in parallel with Windows tools.
  • Ensure that anomaly detection coverage and documentation are platform-agnostic, or clearly indicate parity between Windows and Linux where possible.
Sentinel Microsoft Sentinel Solution for MS Business Apps ...es/sentinel/business-applications/solution-overview.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Missing Linux Example, Windows Tools, Windows First
Summary
The documentation page focuses exclusively on Microsoft cloud products and their integration with Microsoft Sentinel, with no mention of Linux tools, Linux-based workflows, or cross-platform considerations. All examples, connectors, and playbooks are described in the context of Microsoft technologies, which are typically Windows-centric. There is no discussion of how to use these solutions from Linux environments, nor are Linux equivalents or compatibility addressed.
Recommendations
  • Add explicit guidance on how to access and use Microsoft Sentinel features from Linux systems, including CLI or API usage.
  • Provide examples of log collection and analysis using Linux-native tools (e.g., curl, jq, Bash scripts) alongside or instead of Windows/PowerShell examples.
  • Clarify whether the data connectors and playbooks can be triggered or managed from Linux environments, and document any platform-specific limitations.
  • Include references to cross-platform security workflows and tools that can be used in conjunction with Microsoft Sentinel.
  • Ensure that future documentation includes parity for Linux and macOS users, not just Windows administrators.
Sentinel Best practices for data collection in Microsoft Sentinel ...ocs/blob/main/articles/sentinel/best-practices-data.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Windows First, Windows Tools, Powershell Heavy, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias in several ways: Windows-specific tools and patterns (e.g., Windows Event Forwarding, PowerShell) are mentioned more frequently and often before Linux equivalents. Some sections, such as 'On-premises Windows log collection', provide more detailed solutions and considerations compared to the Linux section. Windows-centric terminology and examples (e.g., Windows Event Forwarding, PowerShell) appear without equivalent Linux examples in some cases, and Windows tools are referenced in general recommendations (e.g., endpoint solutions, cloud platform data) without always mentioning Linux alternatives.
Recommendations
  • Ensure Linux tools and solutions (e.g., syslog-ng, rsyslog, FluentD, Bash scripts) are mentioned with equal prominence and detail as Windows tools.
  • Provide Linux-specific examples and code snippets (e.g., Bash, Python) alongside PowerShell examples.
  • When listing solutions, alternate the order or group by OS to avoid always listing Windows first.
  • Expand the 'On-premises Linux log collection' section to match the depth and breadth of the Windows section, including more considerations and troubleshooting tips.
  • In endpoint and cloud platform data sections, explicitly mention Linux-compatible methods and tools for log collection.
  • Review all references to Windows-centric technologies to ensure Linux equivalents are present and described.
Sentinel Common Event Format (CEF) key and CommonSecurityLog field mapping ...e-docs/blob/main/articles/sentinel/cef-name-mapping.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Terms, Missing Linux Example
Summary
The documentation page exhibits mild Windows bias. Several field descriptions and examples use Windows terminology (e.g., 'Windows domain', 'C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe') and refer to Windows-specific concepts (NTDomain, DeviceNtDomain, DestinationNTDomain, SourceNTDomain) before or instead of Linux equivalents. While some Linux/UNIX references are present (e.g., '/usr/bin/zip', 'sshd', 'telnetd'), Windows examples and terms are more prevalent and often appear first. There are no PowerShell-heavy examples or exclusive use of Windows tools, but Linux parity could be improved.
Recommendations
  • Provide Linux/UNIX examples alongside or before Windows examples for file paths, process names, and domain concepts.
  • Clarify that NTDomain fields are Windows-specific and, where relevant, mention Linux/UNIX equivalents (such as LDAP domains or local user/group concepts).
  • Balance examples by alternating Windows and Linux references, ensuring both are equally represented.
  • Add explicit notes or examples for Linux/UNIX environments where only Windows terminology is currently used.
  • Review and update field descriptions to avoid implying Windows is the default or primary environment.
Sentinel Manage custom content with repository connections ...cs/blob/main/articles/sentinel/ci-cd-custom-content.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Powershell Heavy, 🔧 Windows Tools, Missing Linux Example
Summary
The documentation page demonstrates bias toward Windows environments by referencing PowerShell deployment scripts as the primary method for customizing deployments, without mentioning Linux-compatible alternatives (such as Bash or cross-platform CLI). There are no examples or instructions for Linux users, and the tooling and workflow patterns described (PowerShell, .yml workflows) are more familiar to Windows users. No Linux-specific tools or parity guidance are provided.
Recommendations
  • Include examples of deployment customization using Bash scripts or Azure CLI, alongside PowerShell.
  • Explicitly state that workflows and deployment scripts can be run on Linux and macOS runners, and provide instructions for those platforms.
  • Reference cross-platform tools and patterns (e.g., Azure CLI, GitHub Actions runners for Linux) in addition to Windows/PowerShell.
  • Add a section or tips for Linux users, including troubleshooting and environment setup guidance.
  • Ensure that all code samples and workflow instructions are tested and documented for both Windows and Linux environments.
Sentinel Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data .../azure-docs/blob/main/articles/sentinel/connect-aws.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Powershell Heavy, Windows First, Missing Linux Example
Summary
The documentation page exhibits a Windows bias by recommending PowerShell as the primary automation tool for the automatic setup, requiring PowerShell installation, and providing instructions that assume the use of PowerShell and Windows environments. There are no Linux shell (bash) equivalents or examples for the automation steps, nor is there guidance for running the setup scripts on Linux or macOS. The AWS CLI is mentioned, but only in conjunction with PowerShell, and the documentation does not address Linux-specific prerequisites or usage patterns.
Recommendations
  • Provide equivalent bash shell instructions and examples for Linux and macOS users, including how to run the setup script with the AWS CLI in those environments.
  • Clarify whether the provided PowerShell script can be run using PowerShell Core on Linux/macOS, and if so, include installation and usage instructions for those platforms.
  • If the automation script is Windows-specific, offer a cross-platform alternative (e.g., a bash script or Python script) for Linux/macOS users.
  • List Linux/macOS prerequisites separately, such as package managers (apt, yum, brew) and installation commands for AWS CLI and PowerShell Core.
  • Explicitly mention Linux/macOS compatibility in the prerequisites and setup sections, and provide troubleshooting tips for those platforms.
Sentinel Use Azure Functions to connect Microsoft Sentinel to your data source | Microsoft Docs .../articles/sentinel/connect-azure-functions-template.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Powershell Heavy, Windows First, 🔧 Windows Tools, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias in several ways. PowerShell is featured prominently as a manual deployment option, with detailed step-by-step instructions, while Python (the only non-Windows-centric alternative) is presented as requiring Visual Studio Code, a tool most commonly used on Windows. There are no examples or instructions for deploying Azure Functions-based connectors using Linux-native tools or workflows (e.g., Bash, CLI, or VS Code on Linux). Windows terminology and tools (PowerShell, workspace keys linked to 'agent-windows', etc.) are mentioned before or instead of Linux equivalents, and there is no mention of Linux-specific deployment patterns or troubleshooting.
Recommendations
  • Add manual deployment instructions for Azure Functions-based connectors using Bash or Azure CLI, suitable for Linux environments.
  • Clarify that Visual Studio Code is cross-platform and provide explicit instructions for using it on Linux and macOS.
  • Include examples and references for Linux-based agents and workspace keys, not just 'agent-windows'.
  • Balance the prominence of PowerShell with equivalent examples for Bash, Azure CLI, or other Linux-native scripting environments.
  • Add troubleshooting and configuration notes relevant to Linux environments (e.g., file permissions, environment variables, package dependencies).