NSK200 Netskope Certified Cloud Security Integrator Exam Questions and Answers

To identify and monitor the specific forms used by the city and block the employees from downloading completed forms, you need to use document fingerprinting. Document fingerprinting is a feature that allows you to create a unique signature for a document based on its content and structure. You can then use this signature to match other documents that are similar or identical to the original document3. You can create a document fingerprinting profile in Netskope by uploading a sample document or selecting one from your cloud services4. You can then use this profile in your data protection policies to apply actions such as block, alert, or quarantine to the documents that match the fingerprint5. Therefore, option C is correct and the other options are incorrect. References: Document Fingerprinting - Netskope Knowledge Portal, Create a Document Fingerprinting Profile - Netskope Knowledge Portal, Add a Policy for Data Protection - Netskope Knowledge Portal

You can use SCIM version 2 for user provisioning in this scenario. SCIM (System for Cross-domain Identity Management) is a standard protocol for exchanging identity information across different cloud applications. Netskope supports SCIM version 2 and can integrate with identity providers (IdPs) that follow the same standard, such as Microsoft Azure AD, Okta, OneLogin, and Ping Identity. You can use SCIM to provision users and groups from multiple Active Directory forests to a Netskope tenant. The other options are not valid for this scenario. The Netskope Adapter Tool and the Netskope virtual appliance are used for user identification, not provisioning. They can only connect to one Active Directory forest at a time. You do not need to migrate to Azure AD or Okta to provision users, as Netskope supports other IdPs that use SCIM as well. References: Provisioning Users for Netskope Client1, SCIM Integration2

To enable your users access to the application using NPA, you need to complete these two steps: B. Enable traffic steering for private applications and C. Create a Real-time Protection policy that allows your users to access the application. Traffic steering is the process of directing the user’s traffic to the Netskope cloud platform for inspection and policy enforcement. You need to enable traffic steering for private applications in your traffic steering profile to allow the Netskope client to tunnel the traffic to the private application through the Netskope cloud1. A Real-time Protection policy is a rule that specifies the actions and notifications that Netskope applies to the user’s traffic based on various criteria. You need to create a Real-time Protection policy that allows your users to access the private application by selecting the application name, the user group, and the allow action in the policy page2.Therefore, options B and C are correct and the other options are incorrect. References: Traffic Steering Profile - Netskope Knowledge Portal, Add a Policy for Real-time Protection - Netskope Knowledge Portal

The Netskope client can be disabled by the administrator from the Netskope console. This is useful for troubleshooting or maintenance purposes. When the client is disabled by the administrator, it shows the status as “Admin Disabled” and does not apply any policies or steer any traffic. The user cannot enable the client unless the administrator enables it from the console. The other options are not valid reasons for the client to be in an “Admin Disabled” state. References: Netskope Client Status 1, Enable or Disable Netskope Client 2

To solve the problem of providing quick, safe access to uncategorized and risky websites, the Netskope feature that the customer should use is Netskope Remote Browser Isolation (RBI). Netskope RBI is a part of the Netskope Secure Web Gateway offering that intercepts a user’s browsing session to a website, acting as a proxy that fetches the content for that user and renders the content in an isolated browsing instance. The rendered content is delivered to the user’s browser as a safe stream of pixels. This safely silos the end user’s device and the enterprise network and systems, separating it from their browsing activity and restricting the ability of an attacker to establish control and / or breach other systems and exfiltrate data1. Netskope RBI can be easily invoked with an ‘isolate’ policy action within the Netskope Security Cloud for any website category or domain2. Therefore, option B is correct and the other options are incorrect. References: Remote Browser Isolation - Netskope Knowledge Portal, Netskope Remote Browser Isolation - Netskope

To deploy the Netskope client to all company users on Windows laptops without user intervention, you can use either SCCM or GPO. These are two methods of packaging the application and pushing it silently to the user’s device using Microsoft tools4. These methods donot require the user to have local admin privileges or to initiate the installation themselves. They also allow enforcing the use of the client through company policy. The Netskope client can authenticate the user using Azure ADFS as the identity provider, as long as the UPN of the logged in user matches the directory5

For the use case of managed Windows-based endpoints where no clients or agents can be added, you can suggest that the customer use Netskope’s Explicit Proxy. Explicit Proxy is a method for steering traffic from any device to the Netskope Cloud using a proxy server. There are two supported configurations for this use case: Endpoints can be configured to directly use the Netskope proxy by setting the proxy settings in the browser or the operating system to point to the explicit proxy destination provided by Netskope. Endpoints can be configured to use a Proxy Auto Configuration (PAC) file by downloading a PAC file template from Netskope and modifying it according to the customer’s needs. The PAC file can be hosted on-premises or on the cloud and distributed to the endpoints. The other options are not valid for this use case. Endpoints do not need separate steering configurations in the tenant settings, as they can use the same explicit proxy destination and port. Endpoints do not need to be configured in the device section of the tenant to interoperate with all proxies, as this is only required for reverse proxy mode. References: Explicit Proxy3, [Explicit Proxy over IPSec and GRE Tunnels]

The problem in this scenario is that the Netskope client connection is being decrypted by a network security device. This is evident from the log message “ERROR SSL certificate verification failed: self signed certificate in certificate chain”. This means that the Netskope client is receiving a certificate that is not issued by Netskope, but by a device that is intercepting and decrypting the traffic between the client and the Netskope cloud. This can cause the client to fail to download the required configuration and remain in a disabled state1. Therefore, option B is correct and the other options are incorrect. References: Troubleshooting Netskope Client - Netskope Knowledge Portal, Using Netskope Client - Netskope Knowledge Portal

To monitor the activities that users perform on a homegrown cloud application, you need to create a new cloud application definition using the Chrome extension. The Chrome extension is a tool that allows you to record the traffic and activities of any web-based application and create a custom app definition that can be imported into your Netskope tenant1. This way, you can enable Netskope to detect and analyze the activities of your homegrown cloud application and apply policies accordingly. Therefore, option D is correct and the other options are incorrect. References: Creating a Cloud App Definition - Netskope Knowledge Portal

A reverse proxy integrated with their SSO would satisfy the requirements for this scenario. A reverse proxy intercepts requests from users to cloud apps and applies policies based on user identity, device posture, app, and data context. It can enforce DLP controls to prohibit downloading sensitive files to unmanaged devices. It can also integrate with the customer’s SSO provider to authenticate users and allow access only to the corporate instance of OneDrive.The other steering methods are not suitable for this scenario because they either require the Netskope client or do not provide granular control over cloud app activities.

The best deployment method for remote and traveling users is to use a Netskope client. The Netskope client is a lightweight software agent that runs on the user’s device and steers web and cloud traffic to the Netskope cloud for real-time inspection and policy enforcement1. The Netskope client provides an always-on end user remote access experience and avoids backhauling (or hairpinning) remote users through the corporate network to access applications in public cloud environments2. The Netskope client also supports offline mode, which allows users to work offline and sync their policies when they reconnect to the internet

Netskope’s REST API v2 provides access to various event types via URI paths. The event types include application, alert, infrastructure, audit, incident, network, and page. These event types can be used to retrieve data from Netskope’s cloud security platform. The event types client and user are not supported by the REST API v2. References: REST API v2 Overview, Cribl Netskope Events and Alerts Integration, REST API Events and Alerts Response Descriptions

The statement that describes a requirement for deploying a Netskope Private Application (NPA) Publisher is C. The publisher must be deployed on the network where the private application will be accessed. A NPA Publisher is a software component that enables Netskope to discover resources that users will connect to via NPA. A NPA Publisher must be deployed on the same network as the private application that it will publish, such as a public cloud environment (AWS, Azure, GCP) or a private data center3. This ensures that the NPA Publisher can communicate with the private application and relay its traffic to the NPA service in the Netskope cloud. Therefore, option C is correct and the other options are incorrect. References: Deploy a Publisher - Netskope Knowledge Portal

To investigate which of the Netskope DLP policies are creating the most incidents, the following two statements are true:

• You can see the top five DLP policies triggered using the Analyze feature. The Analyze feature allows you to create custom dashboards and widgets to visualize and explore your data. You can use the DLP Policy widget to see the top five DLP policies that generated the most incidents in a given time period3.
• You can create a report using Reporting or Advanced Analytics. The Reporting feature allows you to create scheduled or ad-hoc reports based on predefined templates or custom queries. You can use the DLP Incidents by Policy template to generate a report that shows the number of incidents per DLP policy4. TheAdvanced Analytics feature allows you to run SQL queries on your data and export the results as CSV or JSON files. You can use the DLP_INCIDENTS table to query the data by policy name and incident count5.

The other two statements are not true because:

• The Skope IT Applications tab will not list the top five DLP policies. The Skope IT Applications tab shows the cloud app usage and risk summary for your organization. It does not show any information about DLP policies or incidents6.
• The Skope IT Alerts tab will not list the top five DLP policies. The Skope IT Alerts tab shows the alerts generated by various policies and profiles, such as DLP, threat protection, IPS, etc. It does not show the number of incidents per policy, only the number of alerts per incident7.

To create an API token to allow a DevSecOps engineer to create and update a URL list using REST API v2, you need to provide read and write access for the “/urllist” endpoint. The “/urllist” endpoint is the API endpoint that allows you to manage URL lists in your Netskope tenant. You can use this endpoint to perform operations such as create, update, delete, or list URL lists3. To create an API token with this privilege, you need to go to Settings > Tools > REST API v2 > New Token, enter a token name and expiration time, add the “/urllist” endpoint, and select Read+Write as the privilege4. This will allow the DevSecOps engineer to use the API token in their requests to create and update URL lists. Therefore, option B is correct and the other options are incorrect. References: REST API v2 Overview - Netskope Knowledge Portal, Manage URL Lists - Netskope Knowledge Portal