Hi everyone,
I'm currently working on some detection rules and tuning false positives for Netskope DLP/Governance alerts (NETSKOPE_ALERT_V2).
I noticed a specific abstraction behavior with the default parser regarding the User-Agent field and wanted to clarify how it works under the hood.
In the raw JSON log, we receive the exact user agent string from the Netskope forwarder. For example: "useragent": "Microsoft SkyDriveSync 26.022.0203.0006 ship; Windows NT 10.0 (26200)"
However, in the parsed UDM, the original string is completely dropped, and the fields are populated as follows:
- network.http.parsed_user_agent.family = "USER_DEFINED"
- network.http.user_agent = "Native"
Since losing the raw string limits our ability to write granular exceptions for specific sync clients without heavily relying on URLs or app names, my questions are:
- Why does the parser map the specific raw user agent string to "Native" instead of preserving the original value in the UDM (e.g., mapping it directly to network.http.user_agent or storing it as a fallback in additional.fields)?
- What exactly does "Native" mean in the context of this specific UDM abstraction? Does it act as a hardcoded catch-all category for any non-browser desktop/sync client identified by Netskope?
Any insights into the parser logic or plans to retain the raw string in future updates would be greatly appreciated!
Thanks.
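As an added illustration (not part of the original post, and not Netskope or Chronicle parser code), the snippet below shows why the raw string matters for the exceptions described above: it parses the sync-client user agent format from the post into product, version and OS build so a version-gated exception can be written, and contrasts that with the generic UDM view, under which two different client versions become indistinguishable. The regex is derived only from the single example string in the post, and the sample events are constructed.

```python
import json
import re

# Constructed sample events in the shape described in the post (not real Netskope data).
RAW_EVENTS = [
    '{"useragent": "Microsoft SkyDriveSync 26.022.0203.0006 ship; Windows NT 10.0 (26200)"}',
    '{"useragent": "Microsoft SkyDriveSync 25.100.0512.0001 ship; Windows NT 10.0 (22631)"}',
]

# Pattern assumed from the one example in the post:
# "<product> <version> <channel>; <os> (<build>)"
SYNC_CLIENT_UA = re.compile(
    r"^(?P<product>Microsoft SkyDriveSync) (?P<version>\d+(?:\.\d+)+) (?P<channel>\w+); "
    r"(?P<os>[^()]+?) \((?P<build>\d+)\)$"
)


def parse_sync_client_ua(ua):
    """Return product/version/channel/os/build from the raw string, or None if it does not match."""
    m = SYNC_CLIENT_UA.match(ua)
    return m.groupdict() if m else None


def version_tuple(version):
    """'26.022.0203.0006' -> (26, 22, 203, 6) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def default_udm_view(ua):
    """Mimic the behaviour the post reports: the raw string is dropped, only generic values remain."""
    return {
        "network.http.parsed_user_agent.family": "USER_DEFINED",
        "network.http.user_agent": "Native",
    }


def is_allowed_sync_client(ua, min_version):
    """Exception logic that needs the raw string: allow only this product at or above min_version."""
    parsed = parse_sync_client_ua(ua)
    if parsed is None:
        return False
    return version_tuple(parsed["version"]) >= version_tuple(min_version)


def user_agents(raw_events=RAW_EVENTS):
    """Pull the useragent field out of each raw JSON event."""
    return [json.loads(e)["useragent"] for e in raw_events]
```

With the raw string, the first event passes a "26.0 or newer" exception and the second does not; with only the UDM view, both events look identical.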
