Forum Discussion
Clarification on UEBA Behaviors Layer Support for Zscaler and Fortinet Logs
You're reading the docs correctly. Zscaler and Fortinet are not currently supported by the UEBA Behaviors Layer, even though their logs land in the CommonSecurityLog table.
This is a common point of confusion. Just because a vendor writes to CommonSecurityLog doesn't mean the Behaviors Layer will pick it up. Microsoft is explicit about this in the documentation. The Behaviors Layer only generates behavior records for supported vendors and log types within that table. Right now, that's limited to:
- CyberArk Vault
- Palo Alto Threats
So your Zscaler and Fortinet logs will sit in CommonSecurityLog just fine, but the Behaviors Layer won't produce any behavior insights from them. You won't see behavior records, and that's expected. It's not a configuration issue on your end.
Now here's where it gets interesting. Microsoft has said the list of supported data sources and vendors is "evolving." They're actively expanding coverage. If you look at the UEBA anomaly side of things (separate from the Behaviors Layer), they recently added support for Okta, GCP, and additional AWS sources. So the trajectory is clearly toward broader vendor support.
What you can do right now:
- Keep ingesting Zscaler and Fortinet into CommonSecurityLog as normal
- Use standard UEBA anomaly detection (which works on sign-in data regardless of the Behaviors Layer)
- Write custom analytics rules against those logs to fill the gap
- Watch for updates as Microsoft expands the supported vendor list during the preview
The full breakdown of what's supported is here: https://learn.microsoft.com/azure/sentinel/entity-behaviors-layer#supported-data-sources-and-behaviors
Please mark as solution if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.
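As an added illustration of the "write custom analytics rules to fill the gap" suggestion above (example code, not from the original post or from Microsoft's documentation), here is a scheduled-rule KQL query that builds a simple per-user baseline from the Zscaler and Fortinet events already sitting in CommonSecurityLog and flags days whose outbound volume is far above that baseline. It assumes the two vendors populate DeviceVendor with "Zscaler" and "Fortinet" and that SourceUserName and SentBytes are filled in; confirm both with a quick distinct query before relying on the rule.

```kql
// Added example: a lightweight stand-in for the missing Behaviors Layer coverage.
// Assumption: DeviceVendor values are "Zscaler" and "Fortinet" in your workspace.
let lookback = 14d;                       // history used to build the baseline
let window   = 1d;                        // period being judged against the baseline
let vendors  = dynamic(["Zscaler", "Fortinet"]);
// Daily outbound bytes per user, for the unsupported vendors only
let daily =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor in (vendors)
    | where isnotempty(SourceUserName) and isnotempty(SentBytes)
    | summarize DailyBytes = sum(SentBytes)
        by SourceUserName, Day = startofday(TimeGenerated);
// Baseline statistics per user, excluding the period under test.
// Users with fewer than 5 baseline days are skipped: a new account has no
// history to deviate from, and judging it would only produce noise.
let baseline =
    daily
    | where Day < startofday(ago(window))
    | summarize BaselineAvg   = avg(DailyBytes),
                BaselineStdev = stdev(DailyBytes),
                BaselineDays  = count()
        by SourceUserName
    | where BaselineDays >= 5;
// Flag the current period where volume exceeds mean + 3 standard deviations
daily
| where Day >= startofday(ago(window))
| join kind=inner baseline on SourceUserName
| extend Threshold = BaselineAvg + 3 * BaselineStdev
| where DailyBytes > Threshold
| project SourceUserName, Day, DailyBytes, BaselineAvg, BaselineStdev, Threshold, BaselineDays
```

In the analytics rule wizard, map SourceUserName to the Account entity so the resulting incidents still attach to the user's entity page even though no Behaviors Layer records exist for these sources.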