NSK200 Netskope Certified Cloud Security Integrator (NCCSI) Questions and Answers

To allow the usage of Dropbox while maintaining visibility, create a new tenant steering exception of type "Destination Locations" for Dropbox. This will enable traffic visibility for Dropbox while avoiding a block, as requested​.

To provision Netskope users from Okta with SCIM Provisioning, and users are not showing up in the tenant, the two Netskope components that you should verify first in Okta for accuracy are B. OAuth token and D. SCIM server URL. The OAuth token is a credential that allows Okta to authenticate with the Netskope SCIM server and perform user provisioning operations4. The SCIM server URL is the endpoint that Okta uses to communicate with the Netskope SCIM server and send user data5. Both of these components must be configured correctly in Okta for the SCIM Provisioning to work. You can find them in the Netskope UI under Settings > Tools > Directory Tools > SCIM Integration6. Therefore, options B and D are correct and the other options are incorrect. References: SCIM-Based User Provisioning - Netskope Knowledge Portal, Netskope + Okta Use Case: Provisioning Users and Managing Groups Using SCIM - Netskope, Netskope Partner Okta - Netskope

To allow both the user identities and groups to be imported in the Netskope platform, you can use either the System for Cross-domain Identity Management (SCIM) method or the Bulk Upload with a CSV file method. Both of these methods allow for the import of user identities and groups from different identity providers (IdPs) that support SCIM or CSV formats. The SCIM method is recommended for large-scale deployments, as it automates the exchange of user identity information across apps for user provisioning. The CSV method is recommended for small-scale deployments, as it allows for manual upload of user details in a comma-separated values file. The other methods are not suitable for this requirement. The Manual Entries method does not allow for the import of groups, only user emails. The Directory Importer method does not import users and groups directly into the Netskope platform, but rather connects to an Active Directory or LDAP server and periodically fetches user and group information.

References: Provisioning Users for Netskope Client2, SCIM Integration3, Bulk Upload via CSV file

For the use case of managed Windows-based endpoints where no clients or agents can be added, you can suggest that the customer use Netskope’s Explicit Proxy. Explicit Proxy is a method for steering traffic from any device to the Netskope Cloud using a proxy server. There are two supported configurations for this use case: Endpoints can be configured to directly use the Netskope proxy by setting the proxy settings in the browser or the operating system to point to the explicit proxy destination provided by Netskope. Endpoints can be configured to use a Proxy Auto Configuration (PAC) file by downloading a PAC file template from Netskope and modifying it according to the customer’s needs. The PAC file can be hosted on-premises or on the cloud and distributed to the endpoints. The other options are not valid for this use case. Endpoints do not need separate steering configurations in the tenant settings, as they can use the same explicit proxy destination and port. Endpoints do not need to be configured in the device section of the tenant to interoperate with all proxies, as this is only required for reverse proxy mode. References: Explicit Proxy3, [Explicit Proxy over IPSec and GRE Tunnels]

To prevent a document stored in Google Drive from being shared externally with a public link, you need to configure an API Data Protection policy in Netskope. An API Data Protection policy allows you to discover, classify, and protect data that is already resident in your cloud services, such as Google Drive1. You can create a policy that matches the documents you want to protect based on criteria such as users, content, activity, or DLP profiles. Then, you can choose an action to prevent the documents from being shared externally, such as remove external collaborators, remove public links, or quarantine2. Therefore, option B is correct and the other options are incorrect. References: API Data Protection - Netskope Knowledge Portal, Add a Policy for API Data Protection - Netskope Knowledge Portal

You can use SCIM version 2 for user provisioning in this scenario. SCIM (System for Cross-domain Identity Management) is a standard protocol for exchanging identity information across different cloud applications. Netskope supports SCIM version 2 and can integrate with identity providers (IdPs) that follow the same standard, such as Microsoft Azure AD, Okta, OneLogin, and Ping Identity. You can use SCIM to provision users and groups from multiple Active Directory forests to a Netskope tenant. The other options are not valid for this scenario. The Netskope Adapter Tool and the Netskope virtual appliance are used for user identification, not provisioning. They can only connect to one Active Directory forest at a time. You do not need to migrate to Azure AD or Okta to provision users, as Netskope supports other IdPs that use SCIM as well. References: Provisioning Users for Netskope Client1, SCIM Integration2

To create a report to view the top five categories of unsanctioned applications accessed in the last 90 days, the security analyst would need to use two data collections in Advanced Analytics: Application Events and Network Events. Application Events provide information about the cloud applications and websites accessed by users, such as app name, app category, app risk score, app instance, app version, and more. Network Events provide information about the network traffic generated by users, such as source IP, destination IP, protocol, port, bytes sent, bytes received, and more. By combining these two data collections, the security analyst can filter the events by app category, app risk score, and time range to create a report that shows the top five categories of unsanctioned applications accessed in the last 90 days. Alerts and Page Events are not relevant for this report. Alerts provide information about the alerts triggered by Real-time Protection or API Data Protection policies, such as alert type, alert severity, alert status, alert description, and more. Page Events provide information about the web pages visited by users, such as page title, page URL, page category, page risk score, page content type, and more. References: Advanced Analytics

The correct practice is to place high-priority rules, such as those with specific scanning actions, at the top of the Real-time Protection policy rule list. Placing the rule at the top ensures it is applied before other less restrictive rules, like those configured only for browsing activities​​.

The method that would confirm the fail close status is B. Review the nsdebuglog.log. The nsdebuglog.log is a log file that contains information about the Netskope client’s status, configuration, events, errors, etc. You can review the nsdebuglog.log file to confirm the fail close status by looking for a line that says “failCloseStatus”:“1”. This indicates that the fail close option is enabled for the Netskope client4. The fail close option is a feature that allows you to block all web traffic when the Netskope client fails or loses connection to the Netskope cloud5. Therefore, option B is correct and the other options are incorrect. References: Troubleshooting Netskope Client - Netskope Knowledge Portal, Client Configuration - Netskope Knowledge Portal

The Netskope client can be disabled by the administrator from the Netskope console. This is useful for troubleshooting or maintenance purposes. When the client is disabled by the administrator, it shows the status as “Admin Disabled” and does not apply any policies or steer any traffic. The user cannot enable the client unless the administrator enables it from the console. The other options are not valid reasons for the client to be in an “Admin Disabled” state. References: Netskope Client Status 1, Enable or Disable Netskope Client 2

To disable inspection for all users accessing Microsoft 365, you need to create a Do Not Decrypt SSL policy for the Microsoft 365 App Suite. This policy will prevent Netskope from decrypting and analyzing the traffic for any Microsoft 365 app, regardless of the access method (Netskope client or GRE tunnel)3. This policy will also allow SNI-based policies to apply, but no deep analysis performed via Real-time Protection policies4. Therefore, option B is correct and the other options are incorrect. References: Add a Policy for SSL Decryption - Netskope Knowledge Portal, Default Microsoft appsuite SSL do not decrypt rule - Netskope Community

Netskope’s REST API v2 provides access to various event types via URI paths. The event types include application, alert, infrastructure, audit, incident, network, and page. These event types can be used to retrieve data from Netskope’s cloud security platform. The event types client and user are not supported by the REST API v2. References: REST API v2 Overview, Cribl Netskope Events and Alerts Integration, REST API Events and Alerts Response Descriptions

To prevent traffic from the sales team to a custom Web application from being inspected by Netskope, you need to create a Do Not Decrypt Policy using User Group and Domain in the policy page. A Do Not Decrypt Policy allows you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies3. You can use the User Group criteria to match the sales team members and the Domain criteria to match the custom Web application. This way, only the traffic from the sales team to the custom Web application will be exempted from decryption, while all other traffic to the Web application will continue to be inspected. 

There are two possible scenarios that would cause the behavior of files containing test data for credit cards not triggering DLP events when uploaded to Dropbox. One scenario is that the DLP rule has the severity threshold set to a value higher than the number of occurrences. This means that the rule will only trigger an event if the number of matches for the sensitive data exceeds the specified threshold. For example, if the rule has a severity threshold of 10 and the file contains only 5 credit card numbers, then no event will be generated. To fix this, you can lower the severity threshold or remove it altogether. The other scenario is that the credit card numbers in your test data are invalid 16-digit numbers. This means that the numbers do not pass the Luhn algorithm check, which is a validation method used by Netskope DLP to detect valid credit card numbers. For example, if the number is 1234-5678-9012-3456, then it is not a valid credit card number and will not be detected by Netskope DLP. To fix this, you can use valid test credit card numbers that pass the Luhn algorithm check. The other options are not valid scenarios for this behavior. The Netskope client is not steering Dropbox traffic is not a valid scenario because there are corresponding page events, which means that the traffic is being steered to Netskope. There is no API protection configured for Dropbox is not a valid scenario because API protection is not required for DLP detection on file uploads, which are handled by real-time protection. References: DLP Rule Settings1, Credit Card Number Detection2

In order to restrict users from logging into their personal Google accounts, the policy should include a user constraint. This will ensure that only users with corporate accounts can access the corporate collaboration suite. The user constraint can be added by selecting the “User” option in the “Source” field and then choosing the appropriate user group or identity provider. The other options are not relevant for this scenario. References: [Creating a Policy to Block Personal Google Services], [Policy Creation], [User Constraint]

To automate the process of updating Web policies without having to log into the Netskope tenant, you can use REST API to update the URL list. REST API is a feature that allows you to use an auth token to make authorized calls to the Netskope API and access resources via URI paths1. You can use REST API to update a URL list with new values by providing the name of an existing URL list and a comma-separated list of URLs or IP addresses2. This can help you automate or script the management of your URL lists and keep them up-to-date. Therefore, option D is correct and the other options are incorrect. References: REST API v2 Overview - Netskope Knowledge Portal, Update a URL List - Netskope Knowledge Portal

The problem in this scenario is that the traffic matched a Do Not Decrypt policy. A Do Not Decrypt policy is a rule that specifies the traffic that you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies1. In the exhibit, we can see that the traffic from the user to YouTube has a “Bypass Traffic” value of “yes” and a “Netskope” value of “yes”. This means that the traffic was steered to Netskope but not decrypted or inspected2. Therefore, the real-time policy that was created to restrict users from accessing YouTube content tagged as Sport did not apply, and users could still access the content. To solve this problem, you need to either remove or modify the Do Not Decrypt policy that matches the traffic to YouTube, or create an exception for the Sport category in the policy3. Therefore, option D is correct and the other options are incorrect. References: Page Events - Netskope Knowledge Portal, Add a Policy for SSL Decryption - Netskope Knowledge Portal, YouTube Content Control - Netskope Knowledge Portal

GRE tunnels are the optimal choice in this scenario. GRE is a commonly used, non-encrypted tunneling protocol that supports a variety of device operating systems, and it offers efficient bandwidth usage without encryption overhead, which aligns with the company’s requirements​​.

To deploy Netskope using proxy chaining with Symantec BlueCoat proxy on-premises, you need to enable two prerequisites first: Enable SSL decryption on your Symantec BlueCoat proxy. This is required for proxy chaining because Netskope needs to inspect the SSL traffic that is sent from your proxy to the Netskope cloud. To enable SSL decryption, you need to configure your Symantec BlueCoat proxy to trust the Netskope certificate for SSL interception. You can download the certificate from Settings > Manage > Certificates > Signing CA in the Netskope UI. Enable the X-Forwarded-For HTTP header on your Symantec BlueCoat proxy. This is required for proxy chaining because Netskope needs to identify the original source IP address of the user behind your proxy. The X-Forwarded-For header is used to pass this information from your proxy to Netskope. To enable this header, you need to configure your Symantec BlueCoat proxy to send X-Forwarded-For HTTP header for all HTTP requests. The other options are not valid prerequisites for this scenario. You do not need to disable SSL decryption on your Symantec BlueCoat proxy, as this would prevent Netskope from inspecting the SSL traffic. You do not need to disable the X-Authenticated-User header on your Symantec BlueCoat proxy, as this is an optional header that can be used to pass additional user information from your proxy to Netskope. References: Proxy Chaining3, Configure Forcepoint for Proxy Chaining

To ensure user privacy in the Events and Reports view, obfuscate sensitive information like User IPs, User names, and Source location information. This helps protect identities and prevent location tracking of users while allowing visibility into activity details​​.

A reverse proxy integrated with their SSO would satisfy the requirements for this scenario. A reverse proxy intercepts requests from users to cloud apps and applies policies based on user identity, device posture, app, and data context. It can enforce DLP controls to prohibit downloading sensitive files to unmanaged devices. It can also integrate with the customer’s SSO provider to authenticate users and allow access only to the corporate instance of OneDrive. The other steering methods are not suitable for this scenario because they either require the Netskope client or do not provide granular control over cloud app activities.

The statement that is correct in this scenario is D. Credit card numbers are entered with a space or dash separator and not as a 16-digit consecutive number. This is one of the possible reasons why valid credit card numbers in a file are not triggering a policy violation by Netskope DLP. Netskope DLP uses data identifiers to detect sensitive data in files and network traffic. Data identifiers are predefined or custom rules that match data patterns based on regular expressions, checksums, keywords, etc1. The credit card number data identifier matches 16-digit consecutive numbers that pass the Luhn algorithm check2. If the credit card numbers are entered with a space or dash separator, such as 1234-5678-9012-3456 or 1234 5678 9012 3456, they will not match the data identifier and will not trigger a policy violation. To solve this problem, you can either remove the separators from the credit card numbers or create a custom data identifier that matches the credit card numbers with separators3. Therefore, option D is correct and the other options are incorrect. References: Data Identifiers - Netskope Knowledge Portal, Credit Card Number - Netskope Knowledge Portal, Create a Custom Data Identifier - Netskope Knowledge Portal

Integrating with EDR vendors like Crowdstrike requires an API Client ID for authentication and data sharing. A remediation profile is also necessary to define automated actions that can be taken when threats are detected, ensuring effective response to endpoint threats​​.

Three methods to deploy a Netskope client are A. Deploy Netskope client using SCCM, C. Deploy Netskope client using email invite, and E. Deploy Netskope client using IdP. These are some of the methods that Netskope supports for packaging and installing the Netskope client on the user’s device1. SCCM is a Microsoft tool that allows you to push the Netskope client silently to the user’s device without requiring user intervention or local admin privileges2. Email invite is a method that sends an email to the user with a unique link to download and install the Netskope client. This method is quick and easy, but requires the user to initiate the installation and have local admin privileges3. IdP is a method that uses an identity provider (such as Azure AD or Okta) to authenticate the user and enroll the Netskope client. This method requires the UPN of the logged in user to match the directory, or use SAML/SSO as an alternative4. Therefore, options A, C, and E are correct and the other options are incorrect. References: Deploy the Netskope Client - Netskope Knowledge Portal, Deploying with Microsoft Endpoint Configuration Manager / SCCM - Netskope Knowledge Portal, Deploying with Email Invite - Netskope Knowledge Portal, Deploying with IdP - Netskope Knowledge Portal