NSK200 Netskope Certified Cloud Security Integrator (NCCSI) Questions and Answers

To prevent a document stored in Google Drive from being shared externally with a public link, you need to configure an API Data Protection policy in Netskope.  An API Data Protection policy allows you to discover, classify, and protect data that is already resident in your cloud services, such as Google Drive 1 . You can create a policy that matches the documents you want to protect based on criteria such as users, content, activity, or DLP profiles.  Then, you can choose an action to prevent the documents from being shared externally, such as remove external collaborators, remove public links, or quarantine 2 . Therefore, option B is correct and the other options are incorrect. References:  API Data Protection - Netskope Knowledge Portal ,  Add a Policy for API Data Protection - Netskope Knowledge Portal

The statement that describes how Netskope’s REST API, v1 and v2, handles authentication is A. Both REST API v1 and v2 require the use of tokens to make calls to the API. A token is a unique string that identifies the user or application that is making the API request.  The token must be included in the HTTP header of every API call as an authorization parameter 1 .  The token can be generated from the Netskope UI or from the Netskope Platform API 2 .  The token can also be revoked or refreshed as needed 3 . Therefore, option A is correct and the other options are incorrect. References:  REST API v1 Overview - Netskope Knowledge Portal ,  Netskope Platform API Endpoints for REST API v1 - Netskope Knowledge Portal ,  REST API v2 Overview - Netskope Knowledge Portal

Allowing UDP port 443 is recommended to support DTLS, which enhances performance over the Netskope tunnel. TCP port 443 must also be allowed as it is essential for secure HTTPS connections used by Netskope services​​.

Deploying the Netskope client using an email invitation allows smaller companies to onboard users easily without relying on integration with AD, LDAP, or an IdP. This method is efficient for smaller teams that need a quick deployment without complex setup​.

To prevent traffic from the sales team to a custom Web application from being inspected by Netskope, you need to create a Do Not Decrypt Policy using User Group and Domain in the policy page.  A Do Not Decrypt Policy allows you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies 3 . You can use the User Group criteria to match the sales team members and the Domain criteria to match the custom Web application. This way, only the traffic from the sales team to the custom Web application will be exempted from decryption, while all other traffic to the Web application will continue to be inspected. 

Netskope REST API v2 supports multiple tokens, allowing different applications or integrations (like QRadar and Rapid7) to have distinct tokens. This avoids token conflicts and enhances security by isolating access permissions for different SIEM systems​​.

Integrating with EDR vendors like Crowdstrike requires an API Client ID for authentication and data sharing. A remediation profile is also necessary to define automated actions that can be taken when threats are detected, ensuring effective response to endpoint threats​​.

Adding a Skope IT query to a custom watchlist allows the query to be saved and easily accessed. Saving the watchlist and managing filters also lets you customize it further and share it with others in your organization if needed​​.

For DLP policies to detect sensitive data like credit card numbers, the data must contain valid credit card numbers as defined by the DLP pattern. Invalid or incorrectly formatted numbers will not trigger DLP policy hits​​.

DTLS (Datagram Transport Layer Security) is a protocol that provides secure communication over UDP. It is an option that can be enabled in the client configuration settings in the Netskope tenant. Enabling DTLS can improve the performance of the Netskope client, especially in high latency or packet loss scenarios.  DTLS is not related to Real-time Protection policies, SSL decryption policies, or steering configuration, which are different configuration elements in the Netskope tenant.  References : Client Configuration Settings  3 , Netskope Client Performance  4

To identify and monitor the specific forms used by the city and block the employees from downloading completed forms, you need to use document fingerprinting. Document fingerprinting is a feature that allows you to create a unique signature for a document based on its content and structure.  You can then use this signature to match other documents that are similar or identical to the original document 3 .  You can create a document fingerprinting profile in Netskope by uploading a sample document or selecting one from your cloud services 4 .  You can then use this profile in your data protection policies to apply actions such as block, alert, or quarantine to the documents that match the fingerprint 5 . Therefore, option C is correct and the other options are incorrect. References:  Document Fingerprinting - Netskope Knowledge Portal ,  Create a Document Fingerprinting Profile - Netskope Knowledge Portal ,  Add a Policy for Data Protection - Netskope Knowledge Portal

To discover new cloud applications in use within an organization, three methods that would accomplish this task are B. Deploy an On-Premises Log Parser (OPLP), C. Use forward proxy steering methods to direct cloud traffic to Netskope, and E. Upload firewall or proxy logs directly into the Netskope platform. An On-Premises Log Parser (OPLP) is a software component that allows you to parse logs from your on-premises firewall or proxy devices and send them to the Netskope cloud for analysis and reporting.  You can deploy an OPLP on a Linux server in your network and configure it to connect to your log sources and upload logs periodically or in real time 3 . A forward proxy steering method is a way of directing your web traffic from your users’ devices or browsers to the Netskope cloud for inspection and policy enforcement.  You can use forward proxy steering methods such as PAC file, VPN, or inline proxy to steer traffic to Netskope and discover new cloud applications in use 4 . Uploading firewall or proxy logs directly into the Netskope platform is a way of manually sending logs from your log sources to the Netskope cloud for analysis and reporting.  You can upload firewall or proxy logs directly into the Netskope platform by going to SkopeIT > Settings > Log Upload > New Log Upload and selecting the log source type, file format, log file, and time zone 5 . Therefore, options B, C, and E are correct and the other options are incorrect. References:  On-Premises Log Parser - Netskope Knowledge Portal ,  Traffic Steering - Netskope Knowledge Portal ,  Upload Firewall or Proxy Logs Directly into the Platform - Netskope Knowledge Portal

The problem is B. The Active Directory user is not synchronized to the Netskope tenant. This is evident from the log message “WARNING No mail ID for the user: Clarke, Daxmeifield, DC=local, skipping use”. This means that the user Clarke does not have a valid email address in the Active Directory, which is required for the Netskope client to work. The Netskope client uses the email address of the user to authenticate and enable the client. Therefore, option B is correct and the other options are incorrect.

Netskope SaaS Security Posture Management (SSPM) is designed to automate the detection and remediation of security misconfigurations across SaaS applications, including GitHub, Microsoft 365, Salesforce, ServiceNow, and Zoom. SSPM provides visibility into and correction of misconfigurations to protect corporate data in cloud applications​.

To provision Netskope users from Okta with SCIM Provisioning, and users are not showing up in the tenant, the two Netskope components that you should verify first in Okta for accuracy are B. OAuth token and D. SCIM server URL.  The OAuth token is a credential that allows Okta to authenticate with the Netskope SCIM server and perform user provisioning operations 4 .  The SCIM server URL is the endpoint that Okta uses to communicate with the Netskope SCIM server and send user data 5 . Both of these components must be configured correctly in Okta for the SCIM Provisioning to work.  You can find them in the Netskope UI under Settings > Tools > Directory Tools > SCIM Integration 6 . Therefore, options B and D are correct and the other options are incorrect. References:  SCIM-Based User Provisioning - Netskope Knowledge Portal ,  Netskope + Okta Use Case: Provisioning Users and Managing Groups Using SCIM - Netskope ,  Netskope Partner Okta - Netskope

To solve the problem of providing quick, safe access to uncategorized and risky websites, the Netskope feature that the customer should use is Netskope Remote Browser Isolation (RBI). Netskope RBI is a part of the Netskope Secure Web Gateway offering that intercepts a user’s browsing session to a website, acting as a proxy that fetches the content for that user and renders the content in an isolated browsing instance. The rendered content is delivered to the user’s browser as a safe stream of pixels.  This safely silos the end user’s device and the enterprise network and systems, separating it from their browsing activity and restricting the ability of an attacker to establish control and / or breach other systems and exfiltrate data 1 .  Netskope RBI can be easily invoked with an ‘isolate’ policy action within the Netskope Security Cloud for any website category or domain 2 . Therefore, option B is correct and the other options are incorrect. References:  Remote Browser Isolation - Netskope Knowledge Portal ,  Netskope Remote Browser Isolation - Netskope

Creating a real-time threat protection policy specifically targeting the " Cloud Storage " category ensures that all supported cloud storage applications are covered by malware protection. This approach allows real-time scanning and response to malware threats within cloud storage environments​​.

To create a DLP profile that will ensure that the data shown in the exhibit cannot be uploaded to a user’s personal Google Drive, you need to use optical character recognition (OCR). OCR is a feature that allows you to detect and extract text from images and scanned documents.  You can use OCR in your DLP profiles to identify sensitive data that is embedded or hidden in images 1 . In the exhibit, we can see that the data is a credit card number, which is a type of sensitive data that can be easily identified by OCR. You can create a DLP profile that uses OCR and matches the credit card number data identifier or a custom regex expression.  You can then apply an action such as block, alert, or quarantine to prevent the data from being uploaded to Google Drive 2 . Therefore, option C is correct and the other options are incorrect. References:  Optical Character Recognition (OCR) - Netskope Knowledge Portal ,  Add a Policy for Data Protection - Netskope Knowledge Portal

To identify unusual user activity, filter alerts by " uba " (User Behavior Analytics) and " anomaly. " UBA and anomaly alerts highlight deviations from typical user behavior, which are indicators of unusual or potentially risky activities​​.

The SCIMApp integration is the best choice for Azure AD as it allows for seamless user provisioning between cloud-based IdPs and Netskope. SCIM (System for Cross-domain Identity Management) is a standard for automating user provisioning and works effectively with cloud IdPs like Azure AD​​.

The Dictionary feature in Netskope DLP is designed to detect specific keywords or phrases, such as " Confidential " or " Access key. " By using a pre-defined list of sensitive terms, the Dictionary feature enables policy enforcement based on the presence of these keywords in data​​.

The configuration page shown in the exhibit is used to onboard Active Directory users to a Netskope tenant. This is done by configuring the Active Directory settings in the Netskope platform and then importing the users from Active Directory. The configuration page allows you to specify the following parameters:

Directory Service: The type of directory service that you are using, such as Active Directory or LDAP.

Domain Name: The name of your Active Directory domain, such as example.com.

Domain Controller: The IP address or hostname of your Active Directory domain controller, such as dc1.example.com.

Username: The username of an account that has read access to your Active Directory, such as administrator@example.com.

Password: The password of the account that has read access to your Active Directory.

Base DN: The base distinguished name of the container or organizational unit that contains the users and groups that you want to import, such as OU=Users,DC=example,DC=com.

User Filter: The LDAP filter that defines the criteria for selecting the users that you want to import, such as (objectClass=user).

Group Filter: The LDAP filter that defines the criteria for selecting the groups that you want to import, such as (objectClass=group).

After configuring these parameters, you can click on Test Connection to verify that the connection to your Active Directory is successful. Then you can click on Import Users to start importing the users and groups from your Active Directory to your Netskope tenant.

References :  Onboarding Active Directory Users to a Netskope Tenant 1

GRE tunnels are the optimal choice in this scenario. GRE is a commonly used, non-encrypted tunneling protocol that supports a variety of device operating systems, and it offers efficient bandwidth usage without encryption overhead, which aligns with the company’s requirements​​.

You can use SCIM version 2 for user provisioning in this scenario. SCIM (System for Cross-domain Identity Management) is a standard protocol for exchanging identity information across different cloud applications. Netskope supports SCIM version 2 and can integrate with identity providers (IdPs) that follow the same standard, such as Microsoft Azure AD, Okta, OneLogin, and Ping Identity. You can use SCIM to provision users and groups from multiple Active Directory forests to a Netskope tenant. The other options are not valid for this scenario. The Netskope Adapter Tool and the Netskope virtual appliance are used for user identification, not provisioning. They can only connect to one Active Directory forest at a time.  You do not need to migrate to Azure AD or Okta to provision users, as Netskope supports other IdPs that use SCIM as well.  References :  Provisioning Users for Netskope Client 1 ,  SCIM Integration 2