Total pages: 391
Linux-friendly pages: 285
Pages with bias: 106
Bias rate: 27.1%

[Chart: Bias Trend Over Time]

Pages with Bias Issues
488 issues found; showing flagged pages 76-100 of 488
Sentinel | Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel - AMA (...blob/main/articles/sentinel/connect-custom-logs-ama.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, PowerShell Heavy, Missing Linux Example
Summary
The documentation claims support for both Windows and Linux, but Windows tools and patterns (e.g., PowerShell) are mentioned first or exclusively in several places. Example commands for installing the Azure Monitor Agent are provided for PowerShell before Linux alternatives, and there are no explicit Linux shell command examples for agent installation. The ARM template and portal instructions are platform-neutral, but the lack of Linux-specific examples and the ordering of Windows instructions suggest a subtle Windows-first bias.
Recommendations
  • Provide explicit Linux command examples for installing the Azure Monitor Agent alongside the PowerShell commands. On Linux the agent is deployed as the AzureMonitorLinuxAgent VM extension (or the Azure Arc extension), so the natural parallel is Azure CLI (az vm extension set) or a shell script, not a distribution package manager.
  • Present the Linux instructions (Azure CLI, shell scripts) with the same prominence and ordering as the Windows/PowerShell instructions.
  • Add screenshots or walkthroughs for Linux VM configuration in the portal, not just generic VM selection.
  • Include troubleshooting and configuration tips specific to Linux environments, such as SELinux, systemd, or log rotation.
  • Review the ordering of instructions and examples to alternate or parallelize Windows and Linux content, rather than defaulting to Windows-first.
Sentinel | Stream and filter Windows DNS logs with the AMA connector (...re-docs/blob/main/articles/sentinel/connect-dns-ama.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page exclusively covers streaming and filtering DNS logs from Windows DNS servers using the AMA connector. All examples, prerequisites, and instructions are tailored to Windows Server environments, with no mention of Linux DNS servers (e.g., BIND, Unbound) or how to achieve similar functionality on Linux. Windows-specific tools, terminology, and event log references are used throughout, and Linux alternatives are neither mentioned nor provided.
Recommendations
  • Add equivalent instructions and examples for Linux-based DNS servers (such as BIND or Unbound), including how to stream and filter their query logs with the collection paths AMA does support on Linux (the Syslog or custom text log connectors) or other supported connectors.
  • Include prerequisites and setup steps for Linux environments, specifying supported distributions and versions.
  • Provide sample API payloads and portal walkthroughs for Linux DNS log ingestion and filtering, ensuring parity with Windows examples.
  • Reference Linux-specific log formats and fields, and explain how normalization works for non-Windows DNS logs.
  • Clearly state in the introduction and prerequisites whether Linux DNS servers are supported, and if not, provide guidance or links to alternative solutions.
Sentinel | Stream data from Microsoft Defender XDR to Microsoft Sentinel in the Azure portal (...in/articles/sentinel/connect-microsoft-365-defender.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Windows First, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias by referencing Windows-specific tools, terminology, and event types (such as registry events, Windows Defender Antivirus, and Active Directory) without providing equivalent Linux examples or acknowledging Linux endpoints. The examples and tables focus exclusively on Windows-centric Defender components and data sources, and there is no mention of Linux systems, Linux event ingestion, or cross-platform considerations.
Recommendations
  • Include examples and guidance for integrating Linux endpoints with Microsoft Defender XDR and Microsoft Sentinel, such as supported Linux distributions and required agents.
  • Add documentation on how to ingest Linux security events (e.g., syslog, auditd, SSH logins) into Sentinel via Defender XDR, if supported.
  • Mention Linux-specific tables or event types, or clarify the limitations regarding Linux data ingestion.
  • Provide parity in instructions for configuring connectors and verifying ingestion from Linux systems, including relevant KQL queries.
  • Explicitly state platform support and limitations for non-Windows environments in the prerequisites and connector configuration sections.
Sentinel | Create scheduled analytics rules from templates in Microsoft Sentinel | Microsoft Docs (...ticles/sentinel/create-analytics-rule-from-template.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
PowerShell Heavy, Windows Tools, Missing Linux Example
Summary
The documentation references PowerShell as a method for pushing rules to Microsoft Sentinel, without mentioning Linux-native alternatives (such as Bash, CLI, or scripting with curl). The only automation example given is PowerShell, which is Windows-centric. No Linux or cross-platform command-line examples are provided, and the documentation does not mention Linux tools or patterns for rule management.
Recommendations
  • Provide equivalent Linux automation examples, such as using Bash scripts, Azure CLI, or curl for API interactions.
  • Explicitly mention cross-platform compatibility for API usage, and provide sample commands for both Windows (PowerShell) and Linux (Bash/Azure CLI).
  • Clarify whether the rule export/import process (JSON manipulation) can be performed with Linux tools, and provide examples.
  • Avoid implying PowerShell is the only or primary method for automation; present it alongside Linux alternatives.
  • Add a section or note about managing Sentinel rules from Linux environments, including any prerequisites or limitations.
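A Linux-side version of the rule export/import round trip the recommendations above ask for, as an added example that is not code from the Sentinel documentation. It assumes the ARM resource path for Sentinel alert rules and api-version 2024-03-01 (both assumptions; check the REST reference for the version you target), and it leaves the HTTP calls to az rest or curl so the script itself runs offline. The sample exported rule is constructed.

```python
"""Export and re-import a Microsoft Sentinel scheduled analytics rule from Linux.

Added example; not code from the Microsoft Sentinel documentation. The ARM path
and API_VERSION are assumptions. HTTP calls are left to `az rest`/curl.
"""
import json
from urllib.parse import quote

API_VERSION = "2024-03-01"  # assumption; confirm against the Azure REST reference

# ARM envelope fields that a GET returns but a PUT body must not carry.
READ_ONLY_FIELDS = {"id", "name", "type", "etag", "systemData"}
# Properties the service maintains itself and will not accept on write.
READ_ONLY_PROPERTIES = {"lastModifiedUtc"}

# Constructed sample in the shape `az rest --method get` returns for one rule.
SAMPLE_EXPORT = {
    "id": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
           "/providers/Microsoft.OperationalInsights/workspaces/la-sec"
           "/providers/Microsoft.SecurityInsights/alertRules/ssh-bruteforce"),
    "name": "ssh-bruteforce",
    "etag": "\"0a00b1c2-0000-0100-0000-65f0a0000000\"",
    "type": "Microsoft.SecurityInsights/alertRules",
    "kind": "Scheduled",
    "properties": {
        "displayName": "SSH brute force (Syslog)",
        "enabled": True,
        "severity": "Medium",
        "query": ("Syslog | where ProcessName == 'sshd' and SyslogMessage has 'Failed password' "
                  "| summarize Failures = count() by HostName, bin(TimeGenerated, 10m) "
                  "| where Failures >= 20"),
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": False,
        "tactics": ["CredentialAccess"],
        "lastModifiedUtc": "2026-01-09T12:00:00Z",
    },
}


def alert_rule_url(subscription: str, resource_group: str, workspace: str, rule_id: str) -> str:
    """Build the ARM URL for one Sentinel alert rule, URL-encoding every path segment."""
    return (
        "https://management.azure.com"
        f"/subscriptions/{quote(subscription, safe='')}"
        f"/resourceGroups/{quote(resource_group, safe='')}"
        "/providers/Microsoft.OperationalInsights"
        f"/workspaces/{quote(workspace, safe='')}"
        "/providers/Microsoft.SecurityInsights"
        f"/alertRules/{quote(rule_id, safe='')}"
        f"?api-version={API_VERSION}"
    )


def export_to_put_body(exported: dict) -> dict:
    """Turn an exported (GET) rule document into a body acceptable for PUT.

    Drops the ARM read-only envelope (including etag, so the PUT is
    unconditional), removes server-managed properties, and refuses anything
    that is not a Scheduled rule so a Fusion/NRT export is not pushed by mistake.
    """
    stripped = {k: v for k, v in exported.items() if k not in READ_ONLY_FIELDS}
    if stripped.get("kind") != "Scheduled":
        raise ValueError(f"expected a Scheduled rule, got kind={stripped.get('kind')!r}")
    props = {k: v for k, v in stripped["properties"].items() if k not in READ_ONLY_PROPERTIES}
    return {"kind": "Scheduled", "properties": props}


def disable_rule(body: dict) -> dict:
    """Return a deep copy of a PUT body with the rule switched off (a safe first import)."""
    copy = json.loads(json.dumps(body))
    copy["properties"]["enabled"] = False
    return copy


if __name__ == "__main__":
    print(json.dumps(disable_rule(export_to_put_body(SAMPLE_EXPORT)), indent=2))
```

Export with az rest --method get --url "$URL" > exported.json, run export_to_put_body over the file, then import with az rest --method put --url "$URL" --body @body.json; disable_rule lands the rule switched off so its query can be reviewed in the target workspace before it fires. The same body works with curl and a bearer token from az account get-access-token.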
Sentinel | Create a codeless connector for Microsoft Sentinel (...ob/main/articles/sentinel/create-codeless-connector.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, PowerShell Heavy, Windows Tools
Summary
The documentation page shows a moderate Windows bias in its guidance on API testing tools. PowerShell and Visual Studio Code are listed before curl, and only PowerShell gets a direct link to its documentation; Microsoft Edge's Network Console is also mentioned. PowerShell (pwsh), VS Code and Edge all run on Linux and macOS, but they are most associated with Windows, and the page offers no shell example (bash, wget, httpie) and never mentions Linux package managers or command-line environments. curl is included, but it is listed last and no Linux-centric workflow is described in detail.
Recommendations
  • List cross-platform and Linux-native tools (e.g., curl, httpie, wget) before or alongside Windows tools in the API testing section.
  • Provide example commands for both PowerShell and bash/zsh shells when demonstrating API calls or template deployments.
  • Mention Linux package managers (apt, yum) for installing tools like curl or httpie.
  • Include references to Linux text editors (vim, nano) and JSON editors (jq) for template editing and validation.
  • Explicitly state that all steps can be performed on Linux, macOS, and Windows, and provide parity in instructions where platform differences exist.
Sentinel | Audit log for Microsoft Sentinel data lake and graph in Microsoft Purview portal (...articles/sentinel/datalake/auditing-lake-activities.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
PowerShell Heavy, Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page demonstrates a Windows bias by providing only PowerShell examples for searching the audit log, referencing Windows-centric tools and patterns (such as PowerShell and Excel), and omitting equivalent Linux or cross-platform command-line instructions. There are no examples or guidance for Linux users or those using non-Windows environments.
Recommendations
  • Provide equivalent examples using cross-platform tools such as Azure CLI, the Microsoft Graph or Management Activity APIs called from curl or Python, or PowerShell 7 (pwsh) on Linux/macOS.
  • Include instructions for exporting and analyzing audit logs using open formats (e.g., CSV, JSON) and tools available on Linux (e.g., grep, jq, pandas in Python).
  • Mention and demonstrate how to connect to the Office 365 Management API using non-Windows environments, including authentication methods suitable for Linux.
  • Avoid assuming Excel is the default analysis tool; suggest alternatives like LibreOffice Calc or command-line CSV tools.
  • Clearly indicate which steps or scripts are Windows-specific and provide parity for Linux/macOS users.
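What the "grep, jq, pandas" recommendation above looks like in practice, as an added example that is not from the Sentinel or Purview documentation: a standard-library Python script that loads exported audit records as JSON Lines (the shape a Search-UnifiedAuditLog export or a Management Activity API pull can be written to), filters them by time window, operation and user, summarises them, flags off-hours activity and writes CSV for LibreOffice or csvkit. Only the common envelope fields (CreationTime, Operation, UserId, Workload, ClientIP) are relied on; the sample records and their Operation names are constructed for the example.

```python
"""Search exported audit-log records on Linux with the standard library only.

Added example, not from the Microsoft Sentinel or Purview documentation.
Sample records (and their Operation names) are constructed.
"""
import csv
import io
import json
from collections import Counter
from datetime import datetime, timezone

SAMPLE_JSONL = """\
{"CreationTime":"2026-01-09T08:02:11","Operation":"QueryExecuted","UserId":"ana@contoso.com","Workload":"SecurityCompliance","ClientIP":"203.0.113.10"}
{"CreationTime":"2026-01-09T08:05:40","Operation":"QueryExecuted","UserId":"ana@contoso.com","Workload":"SecurityCompliance","ClientIP":"203.0.113.10"}
{"CreationTime":"2026-01-09T22:47:03","Operation":"DataExported","UserId":"bob@contoso.com","Workload":"SecurityCompliance","ClientIP":"198.51.100.7"}
{"CreationTime":"2026-01-10T03:15:59","Operation":"QueryExecuted","UserId":"bob@contoso.com","Workload":"SecurityCompliance","ClientIP":"198.51.100.7"}
{"CreationTime":"2026-01-10T09:30:00","Operation":"PermissionGranted","UserId":"admin@contoso.com","Workload":"SecurityCompliance","ClientIP":"203.0.113.10"}
"""


def parse_time(value: str) -> datetime:
    """Audit timestamps are UTC but usually carry no offset; attach it explicitly."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def load_records(text: str) -> list:
    """Parse JSON Lines, skipping blank lines, and cache a parsed timestamp per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_time"] = parse_time(rec["CreationTime"])
        records.append(rec)
    return records


def filter_records(records, since=None, until=None, operations=None, user=None, client_ip=None):
    """Keep records inside [since, until) matching the optional operation/user/IP filters."""
    out = []
    for r in records:
        if since and r["_time"] < since:
            continue
        if until and r["_time"] >= until:
            continue
        if operations and r["Operation"] not in operations:
            continue
        if user and r["UserId"].lower() != user.lower():
            continue
        if client_ip and r.get("ClientIP") != client_ip:
            continue
        out.append(r)
    return out


def summarize(records, field: str) -> dict:
    """Count records per distinct value of `field` (the `group by` of a quick triage)."""
    return dict(Counter(r.get(field, "") for r in records))


def off_hours(records, start_hour=7, end_hour=19):
    """Records created outside a UTC working window: a cheap first cut for review."""
    return [r for r in records if not (start_hour <= r["_time"].hour < end_hour)]


def to_csv(records, fields) -> str:
    """Render selected fields as CSV for LibreOffice Calc, csvkit or pandas."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    recs = load_records(SAMPLE_JSONL)
    print(summarize(recs, "Operation"))
    print(to_csv(off_hours(recs), ["CreationTime", "Operation", "UserId", "ClientIP"]))
```

Pipe a real export through it with python3 audit_search.py < audit.jsonl, or pass the file to load_records; the same functions apply to output from jq -c '.[]' over a JSON array.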
Sentinel | Microsoft Sentinel DNS over AMA connector reference - available fields and normalization schema (...ure-docs/blob/main/articles/sentinel/dns-ama-fields.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation is heavily focused on Windows DNS servers and the Windows DNS Events via AMA connector. All examples, field mappings, and instructions are specific to Windows environments, with no mention of Linux equivalents or cross-platform support. The tools and connectors referenced are Windows-specific, and there is no guidance for users operating Linux-based DNS servers.
Recommendations
  • Add examples and instructions for collecting and normalizing DNS logs from Linux-based DNS servers (e.g., BIND, Unbound, dnsmasq).
  • Include information about connectors or agents that support Linux environments, such as the AMA on Linux or alternative log collection methods.
  • Provide a comparative table showing field mappings for both Windows and Linux DNS server logs.
  • Clarify in the introduction whether Linux is supported or not, and if not, provide links to relevant Linux documentation.
  • Ensure parity in documentation by presenting Linux options alongside Windows, rather than focusing exclusively on Windows.
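The comparative field mapping asked for above, and the "how normalization works for non-Windows DNS logs" point in the earlier Windows DNS connector entry, worked as an added example rather than a Microsoft ASIM parser: a normalizer that turns BIND named query-log lines and dnsmasq query lines into records keyed by ASIM DNS schema field names (SrcIpAddr, SrcPortNumber, DnsQuery, DnsQueryType, DnsQueryTypeName, DstIpAddr, EventType, EventSubType, EventProduct). The field names are the schema's; the mapping from each log format onto them is mine, and the log lines are constructed. A small DNS-tunnelling heuristic over the normalized records shows why the normalization is worth doing.

```python
"""Normalise Linux DNS server query logs (BIND named, dnsmasq) into ASIM DNS
schema field names.

Added example, not a Microsoft ASIM parser: schema field names are ASIM's, the
per-format mapping and the sample lines are mine.
"""
import re
from datetime import datetime

BIND_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[0-9a-fA-F.:]+)\)"
)
DNSMASQ_QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<qname>\S+) from (?P<src>[0-9a-fA-F.:]+)"
)

# IANA DNS RR type numbers for the types these servers log most often.
QTYPE_NUMBERS = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
                 "TXT": 16, "AAAA": 28, "SRV": 33, "ANY": 255}

# Constructed sample: two BIND query-log lines, one dnsmasq query, one dnsmasq
# reply (ignored), and one BIND query with a long, encoded-looking name.
SAMPLE_LOG = """\
12-Jan-2026 10:15:22.123 queries: info: client @0x7f2a1c0b3e60 10.0.0.5#53215 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.2)
12-Jan-2026 10:15:22.456 queries: info: client @0x7f2a1c0b3e60 10.0.0.5#53216 (www.example.com): query: www.example.com IN AAAA + (10.0.0.2)
Jan 12 10:16:01 edge01 dnsmasq[812]: query[TXT] _dmarc.example.com from 10.0.0.9
Jan 12 10:16:02 edge01 dnsmasq[812]: reply www.example.com is 93.184.216.34
12-Jan-2026 10:17:45.001 queries: info: client @0x7f2a1c0b3e60 10.0.0.5#53300 (aGVsbG8gd29ybGQ.dGhpcyBpcyBhIHRlc3Q.MDEyMzQ1Njc4OQ.zx9.tunnel.example.net): query: aGVsbG8gd29ybGQ.dGhpcyBpcyBhIHRlc3Q.MDEyMzQ1Njc4OQ.zx9.tunnel.example.net IN TXT +E(0)K (10.0.0.2)
"""


def _base(ts: datetime, product: str) -> dict:
    """Fields every normalized query record carries regardless of source format."""
    return {"TimeGenerated": ts, "EventType": "Query", "EventSubType": "request",
            "EventProduct": product, "EventCount": 1}


def normalize(line: str, assumed_year: int = 2026):
    """Return an ASIM-style dict for a query line, or None for lines we do not map."""
    m = BIND_QUERY_RE.match(line)
    if m:
        rec = _base(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"), "BIND")
        rec.update({
            "SrcIpAddr": m["src"], "SrcPortNumber": int(m["port"]), "DstIpAddr": m["dst"],
            "DnsQuery": m["qname"].rstrip("."), "DnsQueryClassName": m["qclass"],
            "DnsQueryTypeName": m["qtype"], "DnsQueryType": QTYPE_NUMBERS.get(m["qtype"]),
            "DnsFlags": m["flags"],
        })
        return rec
    m = DNSMASQ_QUERY_RE.match(line)
    if m:
        # dnsmasq omits the year and the client port, so those are assumed/None.
        ts = datetime.strptime(f"{assumed_year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        rec = _base(ts, "dnsmasq")
        rec.update({
            "SrcIpAddr": m["src"], "SrcPortNumber": None, "DstIpAddr": None,
            "DstHostname": m["host"], "DnsQuery": m["qname"].rstrip("."),
            "DnsQueryTypeName": m["qtype"], "DnsQueryType": QTYPE_NUMBERS.get(m["qtype"]),
        })
        return rec
    return None


def normalize_many(text: str, assumed_year: int = 2026) -> list:
    """Normalize every mappable line in a log excerpt, in order."""
    return [r for r in (normalize(l, assumed_year) for l in text.splitlines()) if r]


def long_query_names(records, max_len: int = 60) -> list:
    """Crude tunnelling heuristic: query names longer than `max_len` characters."""
    return [r for r in records if len(r["DnsQuery"]) > max_len]


if __name__ == "__main__":
    for r in long_query_names(normalize_many(SAMPLE_LOG)):
        print(r["EventProduct"], r["SrcIpAddr"], r["DnsQueryTypeName"], r["DnsQuery"])
```

Once both formats land in the same field names, one hunting query (or one Python function, as here) covers Windows DNS, BIND and dnsmasq alike; that is the whole point of normalization, and why the Linux side of the mapping deserves its own table in the reference.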
Sentinel | Microsoft Sentinel entity types reference | Microsoft Docs (...docs/blob/main/articles/sentinel/entities-reference.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Missing Linux Example
Summary
The documentation exhibits a Windows bias by prioritizing Windows-centric concepts, terminology, and identifiers. Windows-specific terms (e.g., NTDomain, NetBiosName, SID, RegistryKey/Hive, WindowsSecurityZoneType) are prevalent and often explained before or instead of Linux equivalents. There are no examples or schema fields specifically for Linux user/group/account/domain concepts, nor are Linux-specific filesystem or process identifiers discussed. Windows tools and patterns (Active Directory, NTFS AlternateDataStream, Registry) are referenced without Linux parity, and no Linux-specific examples or terminology (such as UID/GID, /etc/passwd, systemd, ext4, etc.) are provided.
Recommendations
  • Add Linux-specific identifiers and schema fields (e.g., UID, GID, /etc/passwd, /etc/group) for Account and Host entities.
  • Include Linux filesystem concepts (e.g., inode, ext4 attributes) alongside NTFS/WindowsSecurityZoneType in the File entity.
  • Provide examples for Linux process attributes (e.g., systemd unit, cgroup, SELinux context) in the Process entity.
  • Introduce the Linux configuration-store equivalents (files under /etc, systemd unit files) in parallel to the Windows RegistryKey/RegistryValue entities.
  • Clarify that certain identifiers are Windows-only and provide Linux equivalents or note their absence.
  • Add documentation sections or footnotes explaining how Linux hosts, accounts, and processes are mapped and identified in Sentinel.
  • Balance terminology order (e.g., list Linux and Windows OSFamily values equally, not Windows first).
Sentinel | Advanced multistage attack detection in Microsoft Sentinel (...tDocs/azure-docs/blob/main/articles/sentinel/fusion.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Windows Tools, PowerShell Heavy, Windows First, Missing Linux Example
Summary
The documentation page demonstrates a bias toward Windows environments and tooling. Examples and scenarios frequently reference Windows-specific alerts (e.g., Windows Error and Warning Events), PowerShell, and remote WMI execution, with no equivalent Linux or cross-platform examples provided. Windows tools and patterns (PowerShell, WMI) are mentioned exclusively or before any Linux alternatives. There is a lack of Linux-specific detection scenarios, such as those involving Linux audit logs, SSH, or common Linux malware. The documentation does not provide parity for Linux environments in its examples or guidance.
Recommendations
  • Include Linux-specific detection scenarios, such as SSH brute force, suspicious sudo usage, or Linux malware alerts.
  • Provide examples of multistage attack detection involving Linux hosts, such as correlating suspicious Linux process execution with network anomalies.
  • Mention Linux equivalents to Windows tools (e.g., Bash scripts, auditd, syslog) in scenario descriptions.
  • Add references to Linux data sources and connectors (e.g., Linux server logs, Linux endpoint protection solutions) in the Fusion configuration and scenario tables.
  • Ensure that cross-platform environments are addressed in both examples and recommendations, not just Windows-centric ones.
Sentinel | This file is auto-generated. Do not edit manually. Changes will be overwritten. (...b/main/articles/sentinel/includes/connector-details.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Windows First, Windows Tools, PowerShell Heavy, Missing Linux Example
Summary
The documentation page for Microsoft Sentinel data connectors demonstrates a Windows bias in several areas. Many connectors, especially those related to Microsoft technologies (e.g., Exchange, Active Directory, IIS, Windows Firewall, Windows DNS, Windows Security Events), provide instructions and examples that are specific to Windows environments. Windows tools and concepts (such as Windows Event Logs, Windows agents, and Azure Monitor Agent for Windows) are frequently referenced, often without equivalent Linux instructions or examples. In some cases, the documentation explicitly mentions streaming logs from 'Windows machines' or using 'Windows agents' without parallel Linux guidance, and prerequisites often reference Windows permissions or tools first. While there are connectors for Linux-centric technologies (e.g., Syslog via AMA), the overall pattern is to present Windows solutions and tools as the default or primary approach, with Linux support being less prominent or omitted.
Recommendations
  • For every connector or example that references Windows-specific tools (e.g., Windows Event Log, Windows agent, PowerShell), provide equivalent instructions for Linux environments (e.g., Syslog, Linux agents, Bash/CLI commands).
  • Where possible, use neutral language such as 'Windows or Linux machines' instead of only 'Windows machines', and clarify cross-platform support.
  • Add explicit Linux setup and troubleshooting sections for connectors that currently only mention Windows.
  • Ensure that prerequisites and agent installation instructions are provided for both Windows and Linux, and that links to Linux documentation are as prominent as those for Windows.
  • When referencing Azure Monitor Agent or Azure Arc, include both Windows and Linux installation tabs/examples.
  • Review all examples and tables to ensure Linux tools and workflows are represented equally alongside Windows.
Sentinel | SAP agentless data connector prerequisites checker (...icles/sentinel/includes/sap-agentless-prerequisites.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
PowerShell Heavy, Missing Linux Example, Windows Tools
Summary
The documentation provides only a PowerShell script as the example for triggering the SAP prerequisites checker integration flow (iFlow), which ties the step to Windows environments. There are no equivalent examples for Linux or cross-platform tools (e.g., curl, bash). The exclusive use of PowerShell and the lack of Linux alternatives demonstrates a Windows bias.
Recommendations
  • Add a Linux-compatible example using curl or wget to trigger the REST endpoint.
  • Provide a bash script equivalent to the PowerShell example for Linux users.
  • Explicitly mention that the REST client can be any tool (e.g., curl, Postman, HTTPie) and provide usage examples for at least one Linux-native tool.
  • Ensure future documentation includes both Windows and Linux usage patterns when describing command-line or scripting steps.
Sentinel | Scenarios detected by the Microsoft Sentinel Fusion engine (...ob/main/articles/sentinel/fusion-scenario-reference.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
PowerShell Heavy, Windows Tools, Windows First, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias through frequent references to Windows-specific tools and technologies such as PowerShell and Windows Management Instrumentation (WMI), with no mention of equivalent Linux tools or scenarios. Examples and detection scenarios focus on Windows-centric attack patterns and do not provide parity for Linux environments. The documentation also references Microsoft Defender for Endpoint (which is historically Windows-focused, though now cross-platform) and does not mention Linux-specific security tools, logs, or attack techniques. This results in limited guidance for organizations with significant Linux infrastructure.
Recommendations
  • Add detection scenarios that cover Linux-specific attack vectors, such as suspicious Bash or Python script execution, use of cron jobs for persistence, or exploitation of Linux services (e.g., SSH, sudo).
  • Include examples of credential theft tools and techniques relevant to Linux (e.g., use of 'John the Ripper', 'Hydra', or 'ssh-agent' abuse), alongside Windows tools like Mimikatz.
  • Reference Linux equivalents for Windows technologies mentioned (e.g., instead of only PowerShell, also discuss Bash, Python, Perl, etc.; for WMI, discuss D-Bus, systemd, or other Linux management interfaces).
  • Highlight cross-platform capabilities of Microsoft Defender for Endpoint and Sentinel, and provide guidance on configuring and ingesting Linux logs (e.g., syslog, auditd, journald) into Sentinel.
  • Ensure that examples and scenarios do not always begin with Windows-centric technologies, but alternate or balance with Linux-focused content.
  • Mention Linux-specific MITRE ATT&CK techniques and tactics where relevant, such as Linux privilege escalation, lateral movement via SSH, or Linux ransomware behaviors.
Sentinel | Microsoft Purview Information Protection connector reference - audit log record types and activities support in Microsoft Sentinel (.../sentinel/microsoft-purview-record-types-activities.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
PowerShell Heavy, Windows Tools, Missing Linux Example
Summary
The documentation references a PowerShell cmdlet (Unlock-SPOSensitivityLabelEncryptedFile) as a method for removing sensitivity labels from files, without mentioning any equivalent Linux or cross-platform tools or approaches. There are no examples or instructions for performing these operations on Linux or macOS systems, and the only tool-specific reference is Windows-centric (PowerShell).
Recommendations
  • Include examples or instructions for performing sensitivity label operations using cross-platform tools, such as Microsoft Graph API, REST API, or CLI tools available on Linux.
  • If PowerShell is required, clarify whether the cmdlet works under PowerShell 7 (pwsh) on Linux/macOS and provide relevant examples.
  • Mention or link to any available Linux/macOS-compatible utilities or scripts for managing sensitivity labels.
  • Add a note on platform compatibility for referenced cmdlets and tools, specifying if they are Windows-only or cross-platform.
Sentinel | Microsoft Defender XDR integration with Microsoft Sentinel (...entinel/microsoft-365-defender-sentinel-integration.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page references only Microsoft Defender XDR, Microsoft Sentinel and their portals, with no examples, instructions or mentions of Linux-specific tooling, integration patterns or command-line interfaces (such as Bash scripts, Azure CLI or Linux-native connectors). Both products are cloud services that cover Linux endpoints and are administered from a browser or CLI on any operating system, but the page never says so and does not address Linux deployment scenarios, so Linux users get no parity.
Recommendations
  • Add explicit instructions or examples for integrating Microsoft Sentinel and Defender XDR from Linux environments, including CLI or API usage from Linux.
  • Mention and document any Linux-compatible connectors, agents, or integration patterns for Microsoft Sentinel and Defender XDR.
  • Provide sample workflows or troubleshooting steps for Linux-based SecOps teams, such as Bash scripts and Linux-friendly authentication methods (Azure CLI device-code or service-principal sign-in).
  • Clarify platform requirements and limitations, including any differences in feature availability or user experience between Windows and Linux environments.
  • Include references to cross-platform tools and best practices for organizations with mixed Windows and Linux infrastructure.
Sentinel | Microsoft Sentinel migration: Select a data ingestion tool | Microsoft Docs (...lob/main/articles/sentinel/migration-ingestion-tool.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
PowerShell Heavy, Windows First, Windows Tools, Missing Linux Example
Summary
The documentation page exhibits a Windows bias by prioritizing PowerShell-based tools and scripts, referencing Windows-specific deployment patterns (such as the SIEM data migration accelerator deploying a Windows VM), and mentioning Windows tools and environments before or instead of Linux equivalents. While some tools (AzCopy, Logstash) are cross-platform, examples and instructions often default to Windows or PowerShell, and Linux-specific usage or examples are missing or less emphasized.
Recommendations
  • Provide explicit Linux (and macOS) usage examples for all ingestion tools, especially for PowerShell scripts and utilities like AzCopy and LightIngest.
  • Include Bash or shell script alternatives alongside PowerShell examples, and clarify cross-platform compatibility in tool descriptions.
  • Offer instructions for deploying the SIEM data migration accelerator on Linux VMs, or provide a Linux-based migration workflow.
  • Avoid defaulting to Windows-first language (e.g., 'deploys a Windows VM') and instead present OS options equally.
  • Highlight open-source and platform-neutral tools (like Logstash) with equal detail for all supported operating systems.
  • Add troubleshooting and configuration guidance for Linux environments where applicable.
Sentinel | Develop Microsoft Sentinel Advanced Security Information Model (ASIM) parsers | Microsoft Docs (...ain/articles/sentinel/normalization-develop-parsers.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Windows First, PowerShell Heavy, Windows Tools, Missing Linux Example
Summary
The documentation demonstrates a Windows bias in several areas. Examples and instructions for deploying and managing parsers rely on PowerShell scripts with no mention of Linux alternatives; the Azure portal steps are platform-neutral but offer no CLI parity. Windows event sources (e.g., 'Microsoft-Windows-Sysmon') are prioritized in examples, and the deployment steps reference deleting functions via a PowerShell tool. There is no explicit Linux or cross-platform guidance, and Linux-native tools or CLI workflows are not discussed, even though Sentinel and KQL can be used from Linux environments.
Recommendations
  • Provide equivalent Linux/bash examples for deployment, such as using Azure CLI or REST API instead of PowerShell.
  • Include instructions for managing ARM templates and functions from Linux/macOS environments.
  • Balance examples between Windows and Linux event sources (e.g., show Syslog and Windows Event Log examples side-by-side).
  • Reference cross-platform tools (e.g., Azure CLI, VS Code) before or alongside Windows-specific tools.
  • Clarify that all steps can be performed from Linux environments and provide explicit commands or scripts.
  • Add troubleshooting and testing guidance for Linux users, including how to export data and run KQL queries from Linux.
Sentinel | List of Microsoft Sentinel Advanced Security Information Model (ASIM) parsers | Microsoft Docs (...b/main/articles/sentinel/normalization-parsers-list.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Missing Linux Example
Summary
The documentation lists a wide variety of ASIM parsers for both Windows and Linux sources, but Windows event types and tools (such as Windows Events, Sysmon for Windows, Windows Security Events, Windows Firewall, IIS) are consistently mentioned before their Linux equivalents. In several categories, Windows-specific parsers are described in more detail or are listed before Linux parsers, even when both exist. Some event types (e.g., Registry Events, File Events) have multiple Windows parser variants, while Linux coverage is more limited or less detailed. There are also categories (e.g., Registry Events) where Linux equivalents are missing entirely.
Recommendations
  • Ensure Linux parsers are listed with equal prominence and detail as Windows parsers, including in table order and notes.
  • Add Linux equivalents for event types that currently only have Windows coverage (e.g., Registry Events).
  • Where multiple Windows parser variants are described, provide similar granularity for Linux if available.
  • Include explicit examples and notes for Linux ingestion methods (e.g., Syslog, auditd, journald) alongside Windows tools.
  • Review parser documentation for parity in technical depth and clarity between Windows and Linux sources.
Sentinel | Transition Your Microsoft Sentinel Environment to the Defender Portal (...e-docs/blob/main/articles/sentinel/move-to-defender.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows Tools, Windows First, Missing Linux Example
Summary
The documentation page demonstrates a Windows bias primarily through exclusive references to Microsoft Defender, Windows Defender ATP (the former name of Microsoft Defender for Endpoint) and other Defender-branded tools, which are Windows-centric in origin. There is no mention of Linux-specific tools, workflows, or examples, nor are there instructions or considerations for Linux environments. All examples, terminology, and recommended practices are oriented around Microsoft and Windows ecosystem products, with no parity for Linux or cross-platform scenarios.
Recommendations
  • Include explicit guidance for Linux environments, such as how Sentinel and Defender portal features apply to Linux hosts and the data collected from them (Azure Monitor Agent on Linux, Syslog and CEF via AMA).
  • Add examples and references for Linux tooling (e.g., the Azure Monitor Agent on Linux, Linux-based automation, Linux log sources) where relevant.
  • Clarify whether features like CMK, analytics rules, automation, and APIs behave identically for data collected from Linux hosts, and document any differences. (A Log Analytics workspace is not tied to an operating system, so the question is about the data and agents, not the workspace.)
  • Provide parity in terminology and instructions for both Windows and Linux, ensuring that Linux users can follow the transition process without ambiguity.
  • Reference cross-platform best practices and highlight any platform-specific limitations or requirements.
Sentinel | Advanced Security Information Model (ASIM) security content | Microsoft Docs (...s/blob/main/articles/sentinel/normalization-content.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
PowerShell Heavy, Windows Tools, Missing Linux Example, Windows First
Summary
The documentation page demonstrates a noticeable Windows bias. Many examples and hunting queries focus on Windows-specific tools (e.g., PowerShell, rundll32.exe, certutil, Exchange PowerShell Snapin), and several analytic rules and queries are tailored to Windows process activity and registry manipulation. There is a lack of Linux-specific examples, tools, or patterns, and the content prioritizes Windows-centric threats and detection methods. Linux equivalents or cross-platform considerations are missing throughout the document.
Recommendations
  • Add Linux-specific analytic rules and hunting queries, such as detection of suspicious bash scripts, cron job persistence, or common Linux malware behaviors.
  • Include examples of Linux process activity (e.g., suspicious use of bash, sh, systemd, or common Linux binaries like curl, wget, netcat) alongside Windows examples.
  • Provide parity for registry activity by mentioning Linux equivalents (e.g., manipulation of configuration files like /etc/passwd, /etc/shadow, or systemd service files).
  • Balance PowerShell-heavy examples with Linux shell script or command-line examples (e.g., detection of malicious shell scripts, use of sudo, or abuse of system utilities).
  • Explicitly note cross-platform applicability of ASIM where relevant, and clarify which rules or queries are Windows-only versus platform-agnostic.
  • Where possible, reference Linux security tools (e.g., auditd, syslog, journald, SELinux) and how their logs can be normalized and analyzed within ASIM.
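A worked Linux detection scenario of the kind the Fusion, Fusion scenario reference and ASIM security content entries above all ask for (SSH brute force, and brute force followed by a successful login), written as an added example rather than Fusion logic or Microsoft hunting content: it runs over sshd lines as they appear in /var/log/auth.log or journalctl -u ssh, scores failures per source address inside a sliding window, and escalates when an Accepted login from the same source follows the burst. The log lines are constructed; the threshold and window are assumptions to tune per environment.

```python
"""Detect SSH password brute force, and brute force followed by a login, over
sshd log lines as found in /var/log/auth.log or `journalctl -u ssh`.

Added example, not content from the Microsoft Sentinel documentation or the
Fusion engine. Log lines are constructed; threshold/window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample: a password-spray from one address that eventually lands a
# login, two stray failures from another, and a legitimate key-based login.
SAMPLE_LOG = """\
Jan 12 03:14:07 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Jan 12 03:14:09 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Jan 12 03:14:12 web01 sshd[2213]: Failed password for root from 198.51.100.23 port 41024 ssh2
Jan 12 03:14:15 web01 sshd[2215]: Failed password for invalid user oracle from 198.51.100.23 port 41026 ssh2
Jan 12 03:14:20 web01 sshd[2217]: Failed password for deploy from 198.51.100.23 port 41028 ssh2
Jan 12 03:14:24 web01 sshd[2219]: Failed password for deploy from 198.51.100.23 port 41029 ssh2
Jan 12 03:15:02 web01 sshd[2221]: Accepted password for deploy from 198.51.100.23 port 41030 ssh2
Jan 12 03:20:11 web01 sshd[2230]: Failed password for root from 203.0.113.77 port 50210 ssh2
Jan 12 03:20:14 web01 sshd[2231]: Failed password for root from 203.0.113.77 port 50211 ssh2
Jan 12 06:45:33 web01 sshd[2402]: Accepted publickey for ops from 10.0.0.4 port 58844 ssh2: ED25519 SHA256:abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG
Jan 12 06:45:33 web01 sshd[2402]: pam_unix(sshd:session): session opened for user ops(uid=1001) by (uid=0)
"""


def parse_sshd(text: str, year: int = 2026) -> list:
    """Extract authentication outcomes; syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # session/pam lines and anything else we do not score
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def detect_brute_force(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """One finding per source address with `threshold` or more failures inside `window`.

    If an Accepted login from the same source lands between the first failure of
    the burst and `window` after its last failure, the finding is escalated to
    High: that is the multistage case (credential access followed by initial
    access) rather than plain noise.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]["ts"]
            success = next((e for e in evs if e["result"] == "Accepted"
                            and first["ts"] <= e["ts"] <= last + window), None)
            findings.append({
                "src": src,
                "host": burst[0]["host"],
                "failures": len(burst),
                "users_tried": sorted({f["user"] for f in burst}),
                "first_seen": first["ts"],
                "last_seen": last,
                "success": success is not None,
                "success_user": success["user"] if success else None,
                "severity": "High" if success else "Medium",
            })
            break  # one finding per source; later bursts belong to the same campaign
    return sorted(findings, key=lambda f: (f["severity"] != "High", f["src"]))


if __name__ == "__main__":
    for f in detect_brute_force(parse_sshd(SAMPLE_LOG)):
        print(f["severity"], f["src"], f["failures"], "failures, users:", ", ".join(f["users_tried"]),
              "-> login as", f["success_user"] if f["success"] else "none")
```

The same two-stage shape (a burst of failures, then a success from the same source) is what the Syslog-based brute-force content in Sentinel expresses in KQL; having it in a short script makes it easy to replay against a captured auth.log when tuning the threshold.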
Sentinel | The Advanced Security Information Model (ASIM) Application Entity reference (.../articles/sentinel/normalization-entity-application.md)
Priority: High
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Missing Linux Example, Windows Tools
Summary
The documentation page demonstrates Windows bias by providing only Windows-style examples for process-related fields (e.g., file paths like 'C:\Windows\explorer.exe'), referencing Windows-specific concepts (GUIDs, Windows process paths), and mentioning Windows before Linux in explanatory notes. There are no Linux-specific examples (such as '/usr/bin/bash'), nor are Linux tools or conventions discussed.
Recommendations
  • Add Linux-specific examples for fields such as ProcessName (e.g., '/usr/bin/bash') and Process (e.g., '/usr/bin/sshd').
  • Include Linux process ID formats and conventions in explanations, and mention Linux tools (e.g., systemd services, /proc filesystem) where relevant.
  • Present Windows and Linux examples side-by-side to ensure parity and avoid implying Windows is the default or primary platform.
  • Clarify that GUIDs may not be standard on Linux, and discuss Linux equivalents (such as process UUIDs if available).
Sentinel The Advanced Security Information Model (ASIM) Alert Events normalization schema reference | Microsoft Docs ...b/main/articles/sentinel/normalization-schema-alert.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Missing Linux Example
Summary
The documentation page demonstrates Windows bias primarily through examples and field descriptions that reference Windows-specific concepts, tools, and patterns (e.g., file paths like C:\Windows\System32\notepad.exe, registry keys, process names, and user naming conventions such as Contoso\JSmith). There are no equivalent Linux examples (such as /etc/passwd, /usr/bin/bash, or Linux process/user conventions), and Windows terminology appears first and exclusively in many places. No PowerShell-specific examples are present, but the overall schema and examples are heavily Windows-centric.
Recommendations
  • Add Linux-specific examples alongside Windows ones for fields like FilePath, ProcessName, RegistryKey, and Username (e.g., /var/log/syslog, /usr/bin/sshd, /etc/passwd, user@domain).
  • Include notes or tables mapping Windows concepts to their Linux equivalents (e.g., registry vs. config files, SID vs. UID/GID).
  • Ensure that field descriptions and sample values reflect cross-platform applicability, not just Windows environments.
  • Where possible, mention Linux detection tools and patterns (e.g., auditd, syslog, Linux EDRs) in the DetectionMethod and related sections.
  • Review all examples and field guidelines to ensure parity and inclusivity for Linux and other non-Windows platforms.
Sentinel The Advanced Security Information Model (ASIM) Audit Events normalization schema reference | Microsoft Docs ...b/main/articles/sentinel/normalization-schema-audit.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Examples, Windows Terms
Summary
The documentation page exhibits a mild Windows bias. Windows terminology and examples (e.g., domain\hostname format, Windows usernames, Windows 10 OS, svchost.exe) are used preferentially or exclusively in field descriptions and examples. Windows-specific patterns (such as SIDs, domain\hostname, and username types) are referenced without equivalent Linux or Unix examples. Linux/Unix tools, formats, or user conventions are not mentioned, and examples do not show Linux/Unix alternatives.
Recommendations
  • Add Linux/Unix-specific examples for fields such as hostnames, usernames, OS types, and application paths (e.g., /usr/bin/sshd, user@domain, Ubuntu 22.04).
  • Clarify that fields like FQDN, username, and OS type can represent Linux/Unix values and provide sample values.
  • Include references to Linux/Unix audit sources and patterns (e.g., auditd, syslog, /var/log/auth.log) in relevant field descriptions.
  • Where Windows-specific formats (e.g., domain\hostname, SIDs) are mentioned, also describe Linux/Unix equivalents (e.g., UID/GID, user@host).
  • Ensure that documentation language and examples are platform-neutral or balanced between Windows and Linux/Unix.
Sentinel The Advanced Security Information Model (ASIM) DNS normalization schema reference | Microsoft Docs ...lob/main/articles/sentinel/normalization-schema-dns.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Tools, Windows Heavy Examples
Summary
The documentation demonstrates a moderate Windows bias. Windows terminology, examples, and formats (such as domain\hostname, SIDs, and file paths like C:\Windows\explorer.exe) are frequently used and often appear before or instead of Linux equivalents. Fields and examples often reference Windows-specific concepts (domain, SID, process paths), and guidance for Linux is limited to brief mentions (e.g., 'on Windows and Linux this value must be numeric'). There are no Linux-specific examples, tools, or patterns, and the schema field descriptions and sample values are overwhelmingly Windows-centric.
Recommendations
  • Add Linux-specific examples for fields such as SrcProcessName (e.g., /usr/bin/bash), SrcHostname (e.g., ubuntu-server), and SrcUserId (e.g., UID/GID formats).
  • Document Linux domain and hostname conventions alongside Windows formats, especially in fields like SrcDomainType and SrcFQDN.
  • Include Linux-specific process ID formats and conversion notes, such as hexadecimal PID representations in Linux.
  • Provide guidance or examples for common Linux DNS servers (e.g., BIND, dnsmasq, Unbound) and their event formats.
  • Ensure that field descriptions and sample values alternate or balance between Windows and Linux, rather than defaulting to Windows first.
  • Reference Linux authentication and user identification schemes (e.g., PAM, /etc/passwd) where relevant in user fields.
  • Explicitly mention Linux logging tools and patterns (e.g., syslog, journald) in sections about event collection.
Sentinel The Advanced Security Information Model (ASIM) File Event normalization schema reference | Microsoft Docs ...n/articles/sentinel/normalization-schema-file-event.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 3 bias types
Detected Bias Types
Windows First, Windows Examples, Windows Tools
Summary
The documentation exhibits a mild Windows bias. Windows concepts, tools, and examples are presented before their Linux/Unix equivalents, and Windows-specific terminology is used more frequently. For example, the only concrete example in the 'Schema overview' uses 'Windows File Explorer', and in field descriptions, Windows paths (e.g., 'C:\Windows\System32\notepad.exe') are listed before Unix paths. Windows-specific notes (such as session ID conversion) are more detailed than those for Linux. While Unix paths and concepts are mentioned, they are secondary and less emphasized.
Recommendations
  • Provide Linux/Unix examples alongside Windows examples in all relevant sections, especially in the 'Schema overview' and field tables.
  • Alternate the order of Windows and Linux/Unix examples to avoid implicit prioritization.
  • Include references to Linux/Unix tools and processes (e.g., mention 'Nautilus' or 'mv' alongside 'Windows File Explorer' in examples).
  • Expand notes and guidance for Linux/Unix systems to match the detail given for Windows (e.g., session ID conversion, path normalization).
  • Ensure that all field descriptions and examples are platform-neutral or explicitly cover both Windows and Linux/Unix cases.
Sentinel The Advanced Security Information Model (ASIM) Process Event normalization schema reference | Microsoft Docs ...rticles/sentinel/normalization-schema-process-event.md
High Priority
Scanned: 2026-01-10 00:00
Reviewed by: LLM Analysis
Issues: 4 bias types
Detected Bias Types
Windows First, Windows Tools, Windows Examples, Missing Linux Example
Summary
The documentation demonstrates a Windows bias through the use of Windows-centric examples (e.g., file paths like 'C:\Windows\explorer.exe', 'C:\Windows\System32\rundll32.exe'), references to Windows-specific concepts (such as integrity levels and User Access Control), and links to Windows documentation. Linux equivalents (e.g., Linux file paths, process integrity concepts, or privilege elevation mechanisms) are not provided, and examples or explanations for Linux systems are missing. The documentation also references Windows-specific tools and patterns before mentioning Linux, if at all.
Recommendations
  • Include Linux-specific examples alongside Windows examples, such as process names ('/usr/bin/bash'), file paths ('/usr/bin/sshd'), and command lines.
  • Document Linux equivalents for concepts like process integrity levels and privilege elevation (e.g., SELinux contexts, capabilities, sudo usage).
  • Reference Linux documentation (e.g., man pages, kernel docs) where appropriate, in addition to Windows documentation.
  • Clarify which fields or concepts are OS-specific and provide guidance for both Windows and Linux implementations.
  • Ensure that examples and field descriptions alternate or balance between Windows and Linux, rather than defaulting to Windows first.
  • Add notes or tables comparing how process events are reported and normalized across Windows and Linux systems.