NSK200 Netskope Certified Cloud Security Integrator (NCCSI) Questions and Answers

To automate the process of updating Web policies without having to log into the Netskope tenant, you can use REST API to update the URL list. REST API is a feature that allows you to use an auth token to make authorized calls to the Netskope API and access resources via URI paths1. You can use REST API to update a URL list with new values by providing the name of an existing URL list and a comma-separated list of URLs or IP addresses2. This can help you automate or script the management of your URL lists and keep them up-to-date. Therefore, option D is correct and the other options are incorrect. References: REST API v2 Overview - Netskope Knowledge Portal, Update a URL List - Netskope Knowledge Portal

To ensure that the traffic from the Zoom client is visible to Netskope, you need to remove the Zoom certificate-pinned application from the default steering configuration and remove the default steering exception for the Web Conferencing Category. A certificate-pinned application is an application that validates the server certificates against the hardcoded ones in the application. This is a security technique used to prevent man-in-the-middle attacks and secure access to the application. By default, Netskope bypasses the traffic from certificate-pinned applications and does not decrypt or inspect it3. Zoom is one of the predefined certificate-pinned applications that Netskope supports4. To enable Netskope to inspect the traffic from Zoom, you need to remove it from the steering configuration that applies to your users5. Additionally, you need to remove the default steering exception for the Web Conferencing Category, which includes Zoom and other similar applications. A steering exception is a rule that specifies the traffic that you want to bypass Netskope and go directly to the destination6. By removing this exception, you allow Netskope to steer and analyze the traffic from web conferencing applications. Therefore, options C and D are correct and the other options are incorrect. References: Certificate Pinned Applications - Netskope Knowledge Portal, Certificate Pinned App (CPA) - The Netskope Community, Steering Configuration - Netskope Knowledge Portal, Steering Exceptions - Netskope Knowledge Portal

To find the answers to the questions posed by the security incident response team, you need to search in the Application Events and Alerts tables in Skope IT. The Application Events table shows the details of the cloud application activities performed by the users, such as upload, download, share, etc. You can filter the Application Events table by the MD5 hash of the file to find out who has encountered this file and from which cloud service it was downloaded1. The Alerts table shows the details of the policy violations triggered by the users, such as DLP, threat protection, anomaly detection, etc. You can filter the Alerts table by the MD5 hash of the file to find out if this file was detected as malware by Netskope and what action was taken2. Therefore, options A and C are correct and the other options are incorrect. References: Application Events - Netskope Knowledge Portal, Alerts - Netskope Knowledge Portal

To help the customer with the scenario of malware in their AWS S3 buckets, two actions that would help are B. Enable Threat Protection (Malware Scan) for all of their AWS instances to identify malware and C. Create an API protection policy to quarantine malware in their AWS S3 buckets. Threat Protection (Malware Scan) is a feature that allows you to scan files in your cloud services, such as AWS S3, for malware using Netskope’s advanced threat protection engine. You can enable Threat Protection (Malware Scan) for all of your AWS instances in the Netskope tenant by going to Settings > Cloud Services > AWS > Threat Protection and selecting the Enable Malware Scan option1. This will help you identify malware in your AWS S3 buckets and generate alerts for further action. An API protection policy is a rule that specifies the actions and notifications that Netskope applies to the data that is already resident in your cloud services, such as AWS S3, based on various criteria. You can create an API protection policy to quarantine malware in your AWS S3 buckets by going to Policies > API Protection > New Policy and selecting the AWS service, the Malware Scan data identifier, and the Quarantine action in the policy page2. This will help you isolate malware in your AWS S3 buckets and prevent it from spreading or being accessed by unauthorized users. Therefore, options B and C are correct and the other options are incorrect. References: Threat Protection (Malware Scan) - Netskope Knowledge Portal, Add a Policy for API Protection - Netskope Knowledge Portal

The purpose of the file hash list in Netskope is to configure blocklist and allowlist entries referenced in the custom Malware Detection profiles. A file hash list is a collection of MD5 or SHA-256 hashes that represent files that you want to allow or block in your organization. You can create a file hash list when adding a file profile and use it as an allowlist or blocklist for files in your organization1. You can then select the file hash list when creating a Malware Detection profile2. 

To investigate which of the Netskope DLP policies are creating the most incidents, the following two statements are true:

You can see the top five DLP policies triggered using the Analyze feature. The Analyze feature allows you to create custom dashboards and widgets to visualize and explore your data. You can use the DLP Policy widget to see the top five DLP policies that generated the most incidents in a given time period3.

You can create a report using Reporting or Advanced Analytics. The Reporting feature allows you to create scheduled or ad-hoc reports based on predefined templates or custom queries. You can use the DLP Incidents by Policy template to generate a report that shows the number of incidents per DLP policy4. The Advanced Analytics feature allows you to run SQL queries on your data and export the results as CSV or JSON files. You can use the DLP_INCIDENTS table to query the data by policy name and incident count5.

The other two statements are not true because:

The Skope IT Applications tab will not list the top five DLP policies. The Skope IT Applications tab shows the cloud app usage and risk summary for your organization. It does not show any information about DLP policies or incidents6.

The Skope IT Alerts tab will not list the top five DLP policies. The Skope IT Alerts tab shows the alerts generated by various policies and profiles, such as DLP, threat protection, IPS, etc. It does not show the number of incidents per policy, only the number of alerts per incident7.

To allow the security team to use the test data file that was detected as a virus by the Netskope Heuristics Engine, the following two steps are correct:

Click the “Add To File Filter” button to add the IOC to a file list. This will exclude the file from future malware scans and prevent false positive alerts. The file list can be managed in the Settings > File Filter page1.

Click the “Lookup VirusTotal” button to verify if this IOC is a false positive. This will open a new tab with the VirusTotal report for the file hash. VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. The report will show how many antivirus engines detected the file as malicious and provide additional information about the file2.

https://docs.netskope.com/en/netskope-help/admin-console/incidents/

 A file profile is an object that contains a list of file hashes that can be used to create a malware detection profile. A file profile can be configured as an allowlist or a blocklist, depending on whether the files are known to be benign or malicious. A file profile can be created in the Settings > File Profile page1. A malware detection profile is a set of rules that define how Netskope handles malware incidents. A malware detection profile can be created in the Policies > Threat Protection > Malware Detection Profiles page2. To create a malware detection profile, one needs to select a file profile as an allowlist or a blocklist, along with the Netskope malware scan option. The other options are not objects that can be selected when creating a malware detection profile.

To prevent traffic from the sales team to a custom Web application from being inspected by Netskope, you need to create a Do Not Decrypt Policy using User Group and Domain in the policy page. A Do Not Decrypt Policy allows you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies3. You can use the User Group criteria to match the sales team members and the Domain criteria to match the custom Web application. This way, only the traffic from the sales team to the custom Web application will be exempted from decryption, while all other traffic to the Web application will continue to be inspected. 

The Dictionary feature in Netskope DLP is designed to detect specific keywords or phrases, such as "Confidential" or "Access key." By using a pre-defined list of sensitive terms, the Dictionary feature enables policy enforcement based on the presence of these keywords in data​​.

DTLS (Datagram Transport Layer Security) is a protocol that provides secure communication over UDP. It is an option that can be enabled in the client configuration settings in the Netskope tenant. Enabling DTLS can improve the performance of the Netskope client, especially in high latency or packet loss scenarios. DTLS is not related to Real-time Protection policies, SSL decryption policies, or steering configuration, which are different configuration elements in the Netskope tenant. References: Client Configuration Settings 3, Netskope Client Performance 4

To integrate Netskope with EDR vendors such as CrowdStrike and share threat data, a requirement for a successful integration is A. API Client ID. An API Client ID is a unique identifier that is used to authenticate and authorize requests to the EDR vendor’s API. You need to obtain an API Client ID from the EDR vendor and enter it in the Netskope tenant settings under Threat Protection > Integration. This will allow Netskope to communicate with the EDR vendor and exchange threat intelligence and remediation actions1. Therefore, option A is correct and the other options are incorrect. References: Integrating CrowdStrike for EDR - Netskope Knowledge Portal

In order to create a custom URL category to apply a secure Web gateway policy combining your own list of URLs and Netskope predefined categories, you must add the URL list to a Custom category. This is because Netskope allows you to create custom categories that can be used in policies to block or allow access to specific URLs. You can also include or exclude predefined categories and other URL lists in your custom category. To create a custom category, you need to go to Policies > Web > Custom Categories and click New Custom Category. Then you can select the predefined categories and URL lists that you want to include or exclude in your custom category. You also need to give your custom category a name and save it. After creating a custom category, you can apply it to a Real-time Protection policy by selecting it from the Categories dropdown. The other options are not valid tasks for creating a custom URL category. You do not need to add the URL list to the Client configuration, as this is only required for client-side steering methods. You do not need to add the URL list to a Steering configuration, as this is only required for network-side steering methods. You do not need to add the URL list to a Real-time Protection policy directly, as this will not allow you to combine it with predefined categories. References: Custom Category3, Create Custom Categories

To allow users to transparently leverage the local security stack when they return to the office, you need to follow these two statements: A. You must enable On-premises Detection in the client configuration and C. You must disable Dynamic Steering in the traffic steering profile. On-premises Detection is a feature that allows the Netskope client to detect whether it is on-premises or off-premises based on a DNS or HTTP probe. You need to enable On-premises Detection in the client configuration and specify a domain name or an HTTP address that is only accessible from your local network3. Dynamic Steering is a feature that allows you to steer different types of traffic differently based on various criteria such as user group, location, category, etc. You need to disable Dynamic Steering in the traffic steering profile or create an exception for your local network to bypass Netskope and use your local security stack4. Therefore, options A and C are correct and the other options are incorrect. References: Client Configuration - Netskope Knowledge Portal, Dynamic Steering - Netskope Knowledge Portal

To filter for logs specifically generated by the Netskope client, select "Client" from the access_method filter dropdown menu in Skope IT. This filter allows administrators to narrow down logs by access method, making it easier to troubleshoot issues related only to the Netskope client​​.

To monitor the activities that users perform on a homegrown cloud application, you need to create a new cloud application definition using the Chrome extension. The Chrome extension is a tool that allows you to record the traffic and activities of any web-based application and create a custom app definition that can be imported into your Netskope tenant1. This way, you can enable Netskope to detect and analyze the activities of your homegrown cloud application and apply policies accordingly. Therefore, option D is correct and the other options are incorrect. References: Creating a Cloud App Definition - Netskope Knowledge Portal

To allow both the user identities and groups to be imported in the Netskope platform, you can use either the System for Cross-domain Identity Management (SCIM) method or the Bulk Upload with a CSV file method. Both of these methods allow for the import of user identities and groups from different identity providers (IdPs) that support SCIM or CSV formats. The SCIM method is recommended for large-scale deployments, as it automates the exchange of user identity information across apps for user provisioning. The CSV method is recommended for small-scale deployments, as it allows for manual upload of user details in a comma-separated values file. The other methods are not suitable for this requirement. The Manual Entries method does not allow for the import of groups, only user emails. The Directory Importer method does not import users and groups directly into the Netskope platform, but rather connects to an Active Directory or LDAP server and periodically fetches user and group information.

References: Provisioning Users for Netskope Client2, SCIM Integration3, Bulk Upload via CSV file

Installing the Netskope client in "peruserconfig" mode allows for user-specific configurations on shared devices like those in a VDI environment. This mode enables Netskope to detect and report activities separately for each user, even if multiple users are logged into the same device​​.

To create a DLP profile that will ensure that the data shown in the exhibit cannot be uploaded to a user’s personal Google Drive, you need to use optical character recognition (OCR). OCR is a feature that allows you to detect and extract text from images and scanned documents. You can use OCR in your DLP profiles to identify sensitive data that is embedded or hidden in images1. In the exhibit, we can see that the data is a credit card number, which is a type of sensitive data that can be easily identified by OCR. You can create a DLP profile that uses OCR and matches the credit card number data identifier or a custom regex expression. You can then apply an action such as block, alert, or quarantine to prevent the data from being uploaded to Google Drive2. Therefore, option C is correct and the other options are incorrect. References: Optical Character Recognition (OCR) - Netskope Knowledge Portal, Add a Policy for Data Protection - Netskope Knowledge Portal

The method that would confirm the fail close status is B. Review the nsdebuglog.log. The nsdebuglog.log is a log file that contains information about the Netskope client’s status, configuration, events, errors, etc. You can review the nsdebuglog.log file to confirm the fail close status by looking for a line that says “failCloseStatus”:“1”. This indicates that the fail close option is enabled for the Netskope client4. The fail close option is a feature that allows you to block all web traffic when the Netskope client fails or loses connection to the Netskope cloud5. Therefore, option B is correct and the other options are incorrect. References: Troubleshooting Netskope Client - Netskope Knowledge Portal, Client Configuration - Netskope Knowledge Portal

To discover new cloud applications in use within an organization, three methods that would accomplish this task are B. Deploy an On-Premises Log Parser (OPLP), C. Use forward proxy steering methods to direct cloud traffic to Netskope, and E. Upload firewall or proxy logs directly into the Netskope platform. An On-Premises Log Parser (OPLP) is a software component that allows you to parse logs from your on-premises firewall or proxy devices and send them to the Netskope cloud for analysis and reporting. You can deploy an OPLP on a Linux server in your network and configure it to connect to your log sources and upload logs periodically or in real time3. A forward proxy steering method is a way of directing your web traffic from your users’ devices or browsers to the Netskope cloud for inspection and policy enforcement. You can use forward proxy steering methods such as PAC file, VPN, or inline proxy to steer traffic to Netskope and discover new cloud applications in use4. Uploading firewall or proxy logs directly into the Netskope platform is a way of manually sending logs from your log sources to the Netskope cloud for analysis and reporting. You can upload firewall or proxy logs directly into the Netskope platform by going to SkopeIT > Settings > Log Upload > New Log Upload and selecting the log source type, file format, log file, and time zone5. Therefore, options B, C, and E are correct and the other options are incorrect. References: On-Premises Log Parser - Netskope Knowledge Portal, Traffic Steering - Netskope Knowledge Portal, Upload Firewall or Proxy Logs Directly into the Platform - Netskope Knowledge Portal

The SCIMApp integration is the best choice for Azure AD as it allows for seamless user provisioning between cloud-based IdPs and Netskope. SCIM (System for Cross-domain Identity Management) is a standard for automating user provisioning and works effectively with cloud IdPs like Azure AD​​.

To reduce false positives by only triggering policies when contents of your customer database are uploaded to Dropbox, you can use two methods: Upload the .csv export to the Netskope tenant DLP rules section to create an exact match hash. This is a method that allows you to upload a file containing structured data, such as a customer database, to the Netskope tenant and generate a hash of the data. The hash is then used to match the data in the cloud traffic and trigger DLP policies. This method is suitable for files that are less than 10 MB in size. To upload the file, you need to go to Policies > Data Protection > DLP Rules and click on Exact Match Hashes. Then you can select the file from your local system and upload it. Use a Netskope virtual appliance to create an exact match hash. This is a method that allows you to create a file containing structured data, such as a customer database, and upload it to the Netskope cloud using a virtual appliance. The virtual appliance encrypts the file before uploading it and generates a hash of the data. The hash is then used to match the data in the cloud traffic and trigger DLP policies. This method is suitable for files that are larger than 10 MB in size. To create the file, you need to follow a specific format and save it as a .csv file. To upload the file, you need to use the request dlp-pdd upload command on the virtual appliance CLI. The other options are not valid methods for this task. You cannot use the Netskope client to upload the .csv export to the Netskope management plane DLP container, as this is not a supported feature of the client. You cannot send the .csv export to Netskope using a support ticket with the subject, “create exact match hash”, as this is not a secure or efficient way of creating an exact match hash. References: Create an Exact Match Hash from the UI1, Create an Exact Match Hash from a Virtual Appliance2

The best deployment method for remote and traveling users is to use a Netskope client. The Netskope client is a lightweight software agent that runs on the user’s device and steers web and cloud traffic to the Netskope cloud for real-time inspection and policy enforcement1. The Netskope client provides an always-on end user remote access experience and avoids backhauling (or hairpinning) remote users through the corporate network to access applications in public cloud environments2. The Netskope client also supports offline mode, which allows users to work offline and sync their policies when they reconnect to the internet