NSK200 Sample Questions Answers

To allow both the user identities and groups to be imported in the Netskope platform, you can use either the System for Cross-domain Identity Management (SCIM) method or the Bulk Upload with a CSV file method. Both of these methods allow for the import of user identities and groups from different identity providers (IdPs) that support SCIM or CSV formats. The SCIM method is recommended for large-scale deployments, as it automates the exchange of user identity information across apps for user provisioning. The CSV method is recommended for small-scale deployments, as it allows for manual upload of user details in a comma-separated values file. The other methods are not suitable for this requirement. The Manual Entries method does not allow for the import of groups, only user emails. The Directory Importer method does not import users and groups directly into the Netskope platform, but rather connects to an Active Directory or LDAP server and periodically fetches user and group information.

References: Provisioning Users for Netskope Client2, SCIM Integration3, Bulk Upload via CSV file

The default Netskope tenant steering configuration blocks untrusted root certificates and self-signed server certificates. These settings are intended to prevent man-in-the-middle attacks and ensure the validity of the SSL connection. However, they also prevent the access to the development Web server that uses self-signed SSL certificates. To allow access to the Web server, the settings need to be changed or an exception needs to be added for the Web server domain.

To create an API token to allow a DevSecOps engineer to create and update a URL list using REST API v2, you need to provide read and write access for the “/urllist” endpoint. The “/urllist” endpoint is the API endpoint that allows you to manage URL lists in your Netskope tenant. You can use this endpoint to perform operations such as create, update, delete, or list URL lists3. To create an API token with this privilege, you need to go to Settings > Tools > REST API v2 > New Token, enter a token name and expiration time, add the “/urllist” endpoint, and select Read+Write as the privilege4. This will allow the DevSecOps engineer to use the API token in their requests to create and update URL lists. Therefore, option B is correct and the other options are incorrect. References: REST API v2 Overview - Netskope Knowledge Portal, Manage URL Lists - Netskope Knowledge Portal

To identify and monitor the specific forms used by the city and block the employees from downloading completed forms, you need to use document fingerprinting. Document fingerprinting is a feature that allows you to create a unique signature for a document based on its content and structure. You can then use this signature to match other documents that are similar or identical to the original document3. You can create a document fingerprinting profile in Netskope by uploading a sample document or selecting one from your cloud services4. You can then use this profile in your data protection policies to apply actions such as block, alert, or quarantine to the documents that match the fingerprint5. Therefore, option C is correct and the other options are incorrect. References: Document Fingerprinting - Netskope Knowledge Portal, Create a Document Fingerprinting Profile - Netskope Knowledge Portal, Add a Policy for Data Protection - Netskope Knowledge Portal

To continuously detect and enforce compliance standards for their Microsoft 365 and Azure applications, the customer needs to use Netskope SaaS Security Posture Management (SSPM) and Netskope Continuous Security Assessment (CSA). Netskope SSPM allows the customer to monitor, assess, and act on security, permission, and access related issues in their SaaS environment, such as Microsoft 365. Netskope SSPM continuously checks security posture by comparing SaaS app settings with security policies and industry benchmarks (CIS, PCI-DSS, NIST, HIPAA, CSA, GDPR, AIPCA, ISO, and more). It also provides visibility and control over third-party apps that are connected to the managed apps1. Netskope CSA allows the customer to discover, audit, and remediate misconfigurations in their IaaS environment, such as Azure. Netskope CSA continuously monitors and audits cloud configurations against industry standards, CIS benchmarks, and regulatory frameworks. It also provides real-time inline protection to secure public clouds from threats and data loss2. Therefore, options A and D are correct and the other options are incorrect. References: SaaS Security Posture Management - Netskope, Public Cloud Security Solutions - Netskope

To implement role-based access control when integrating Netskope tenant administration with an external identity provider (IdP), two statements that are true about this scenario are A. The roles you want to assign must be present in the Netskope tenant and C. You need to define the administrators locally in the Netskope tenant. Role-based access control (RBAC) is a feature that allows you to assign different levels of permissions and access to the Netskope tenant based on the user’s role. You can use RBAC to integrate Netskope tenant administration with an external IdP such as Azure AD or Okta and delegate administrative tasks to different users or groups1. To do this, you need to ensure that the roles you want to assign are present in the Netskope tenant. You can use the predefined roles such as SYSADMIN, AUDITOR, or OPERATOR, or create custom roles with specific privileges2. You also need to define the administrators locally in the Netskope tenant by creating local user accounts and assigning them roles. You can use the same email address as the IdP user account for the local useraccount3. Therefore, options A and C are correct and the other options are incorrect. References: Role-Based Access Control - Netskope Knowledge Portal, Roles - Netskope Knowledge Portal, Integrate with Azure AD - Netskope Knowledge Portal

Two reasons for the message “Disabled due to error” when hovering the mouse over the Netskope client icon are A. The client service is manually stopped and C. The client health check has failed. The client service is a background process that runs the Netskope client on the user’s device and communicates with the Netskope cloud. If the client service is manually stopped by the user or by another program, the Netskope client will be disabled and show a red dot on the icon1. The client health check is a feature that monitors the status of the Netskope client and performs self-repair actions if any issues are detected. If the client health check has failed, it means that the Netskope client has encountered a critical error that cannot be fixed automatically, such as corrupted files or registry entries. In this case, the Netskope client will be disabled and show a red dot on the icon2. Therefore, options A and C are correct and the other options are incorrect. References: Troubleshooting Netskope Client - Netskope Knowledge Portal, Client Health Check - Netskope Knowledge Portal

The problem in this scenario is that the Netskope client connection is being decrypted by a network security device. This is evident from the log message “ERROR SSL certificate verification failed: self signed certificate in certificate chain”. This means that the Netskope client is receiving a certificate that is not issued by Netskope, but by a device that is intercepting and decrypting the traffic between the client and the Netskope cloud. This can cause the client to fail to download the required configuration and remain in a disabled state1. Therefore, option B is correct and the other options are incorrect. References: Troubleshooting Netskope Client - Netskope Knowledge Portal, Using Netskope Client - Netskope Knowledge Portal

To enable your users access to the application using NPA, you need to complete these two steps: B. Enable traffic steering for private applications and C. Create a Real-time Protection policy that allows your users to access the application. Traffic steering is the process of directing the user’s traffic to the Netskope cloud platform for inspection and policy enforcement. You need to enable traffic steering for private applications in your traffic steering profile to allow the Netskope client to tunnel the traffic to the private application through the Netskope cloud1. A Real-time Protection policy is a rule that specifies the actions and notifications that Netskope applies to the user’s traffic based on various criteria. You need to create a Real-time Protection policy that allows your users to access the private application by selecting the application name, the user group, and the allow action in the policy page2.Therefore, options B and C are correct and the other options are incorrect. References: Traffic Steering Profile - Netskope Knowledge Portal, Add a Policy for Real-time Protection - Netskope Knowledge Portal

The problem in this scenario is that the traffic matched a Do Not Decrypt policy. A Do Not Decrypt policy is a rule that specifies the traffic that you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies1. In the exhibit, we can see that the traffic from the user to YouTube has a “Bypass Traffic” value of “yes” and a “Netskope” value of “yes”. This means that the traffic was steered to Netskope but not decrypted or inspected2. Therefore, the real-time policy that was created to restrict users from accessing YouTube content tagged as Sport did not apply, and users could still access the content. To solve this problem, you need to either remove or modify the Do Not Decrypt policy that matches the traffic to YouTube, or create an exception for the Sport category in the policy3. Therefore, option D is correct and the other options are incorrect. References: Page Events - Netskope Knowledge Portal, Add a Policy for SSL Decryption - Netskope Knowledge Portal, YouTube Content Control - Netskope Knowledge Portal

You can use SCIM version 2 for user provisioning in this scenario. SCIM (System for Cross-domain Identity Management) is a standard protocol for exchanging identity information across different cloud applications. Netskope supports SCIM version 2 and can integrate with identity providers (IdPs) that follow the same standard, such as Microsoft Azure AD, Okta, OneLogin, and Ping Identity. You can use SCIM to provision users and groups from multiple Active Directory forests to a Netskope tenant. The other options are not valid for this scenario. The Netskope Adapter Tool and the Netskope virtual appliance are used for user identification, not provisioning. They can only connect to one Active Directory forest at a time. You do not need to migrate to Azure AD or Okta to provision users, as Netskope supports other IdPs that use SCIM as well. References: Provisioning Users for Netskope Client1, SCIM Integration2

The statement that describes how Netskope’s REST API, v1 and v2, handles authentication is A. Both REST API v1 and v2 require the use of tokens to make calls to the API. A token is a unique string that identifies the user or application that is making the API request. The token must be included in the HTTP header of every API call as an authorization parameter1. The token can be generated from the Netskope UI or from the Netskope Platform API2. The token can also be revoked or refreshed as needed3. Therefore, option A is correct and the other options are incorrect. References: REST API v1 Overview - Netskope Knowledge Portal, Netskope PlatformAPI Endpoints for REST API v1 - Netskope Knowledge Portal, REST API v2 Overview - Netskope Knowledge Portal

The method that makes it possible for a mass update of the URL list in the Netskope platform is A. REST API v2. REST API v2 is a feature that allows you to use an auth token to make authorized calls to the Netskope API and access resources via URI paths5. You can use REST API v2 to update a URL list with new values by providing the name of an existing URL list and a comma-separated list of URLs or IP addresses6. This can help you automate or script the management of your URL lists and keep them up-to-date. Therefore, option A is correct and the other options are incorrect. References: REST API v2 Overview - Netskope Knowledge Portal, Update a URL List - Netskope Knowledge Portal

To prevent PCI data from leaving the corporate sanctioned OneDrive instance, the customer can use API Data Protection and Real-time Protection. API Data Protection is a feature that allows you to discover, classify, and protect data that is already resident in your cloud services, such as OneDrive. You can create a policy that matches the PCI data based on criteria such as users, content, activity, or DLP profiles. Then, you can choose an action to prevent the PCI data from being shared or exfiltrated, such as remove external collaborators, remove public links, or quarantine3. Real-time Protection is a feature that allows you to inspect and control data in transit between your users and cloud services, such as OneDrive. You can create a policy that matches the PCI data based on criteria such as users, devices, locations, categories, or DLP profiles. Then, you can choose an action to prevent the PCI data from being uploaded or downloaded, such as block, alert, encrypt, or watermark4. Therefore, options A and D are correct and the other options are incorrect. References: API Data Protection - Netskope Knowledge Portal, Real-time Protection - Netskope Knowledge Portal

The statement that is correct in this scenario is D. Credit card numbers are entered with a space or dash separator and not as a 16-digit consecutive number. This is one of the possible reasons why valid credit card numbers in a file are not triggering a policy violation by Netskope DLP. Netskope DLP uses data identifiers to detect sensitive data in files and network traffic. Data identifiers are predefined or custom rules that match data patterns based on regular expressions, checksums, keywords, etc1. The credit card number data identifier matches 16-digit consecutive numbers that pass the Luhn algorithm check2. If the credit card numbers are entered with a space or dash separator, such as 1234-5678-9012-3456 or 1234 5678 9012 3456, they will not match the data identifier and will not trigger a policy violation. To solve this problem, you can either remove the separators from the credit card numbers or create a custom data identifier that matches the credit card numbers with separators3. Therefore, option D is correct and the other options are incorrect. References: Data Identifiers - Netskope Knowledge Portal, Credit Card Number - Netskope Knowledge Portal, Create a Custom Data Identifier - Netskope Knowledge Portal