Netskope NSK200 NCCSI Exam Practice Test Instant Access

Question 1

You want to provision users and groups to a Netskope tenant. You have Microsoft Active Directory servers hosted in two different forests. Which statement is true about this scenario?

AYou can use the Netskope Adapter Tool for user provisioning.

BYou can use the Netskope virtual appliance for user provisioning

CYou cannot provision users until you migrate to Azure AD or Okta.

DYou can use SCIM version 2 for user provisioning.

Answer : D

You can use SCIM version 2 for user provisioning in this scenario. SCIM (System for Cross-domain Identity Management) is a standard protocol for exchanging identity information across different cloud applications. Netskope supports SCIM version 2 and can integrate with identity providers (IdPs) that follow the same standard, such as Microsoft Azure AD, Okta, OneLogin, and Ping Identity. You can use SCIM to provision users and groups from multiple Active Directory forests to a Netskope tenant. The other options are not valid for this scenario. The Netskope Adapter Tool and the Netskope virtual appliance are used for user identification, not provisioning. They can only connect to one Active Directory forest at a time.You do not need to migrate to Azure AD or Okta to provision users, as Netskope supports other IdPs that use SCIM as well.Reference:Provisioning Users for Netskope Client1,SCIM Integration2

Question 2

Review the exhibit.

You are troubleshooting a Netskope client for user Clarke which remains in a disabled state after being installed. After looking at various logs, you notice something which might explain the problem. The exhibit is an excerpt from the nsADImporterLog.log.

Referring to the exhibit, what is the problem?

AThe client was not Installed with administrative privileges.

BThe Active Directory user is not synchronized to the Netskope tenant.

CThis is normal; it might take up to an hour to be enabled.

DThe client traffic is decrypted by a network security device.

Answer : B

The problem is B. The Active Directory user is not synchronized to the Netskope tenant. This is evident from the log message ''WARNING No mail ID for the user: Clarke, Daxmeifield, DC=local, skipping use''. This means that the user Clarke does not have a valid email address in the Active Directory, which is required for the Netskope client to work. The Netskope client uses the email address of the user to authenticate and enable the client. Therefore, option B is correct and the other options are incorrect.

Question 3

Review the exhibit.

add log-upload syslogng parserconfig set log-upload syslogng parserconfig 0

logsource

You are asked to deploy a virtual appliance OPLP to accept syslog messages directly from the enterprise Palo Alto Networks firewall. You believe that you have configured the OPLP to accept the firewall logs, yet they are not appearing in Risk Insights. Referring to the exhibit, which parser name would be required to complete the new configuration?

Apanw-syslog

Bsfwder

Ccustom-csv

Dsquid

Answer : A

The correct parser name to process syslog messages from Palo Alto Networks firewalls is 'panw-syslog.' Using the appropriate parser ensures that the logs are correctly interpreted and ingested by Netskope, making them available in Risk Insights.

Question 4

Your customer currently only allows users to access the corporate instance of OneDrive using SSO with the Netskope client. The users are not permitted to take their laptops when vacationing, but sometimes they must have access to documents on OneDrive when there is an urgent request. The customer wants to allow employees to remotely access OneDrive from unmanaged devices while enforcing DLP controls to prohibit downloading sensitive files to unmanaged devices.

Which steering method would satisfy the requirements for this scenario?

AUse a reverse proxy integrated with their SSO.

BUse proxy chaining with their cloud service providers integrated with their SSO.

CUse a forward proxy integrated with their SSO.

DUse a secure forwarder integrated with an on-premises proxy.

Answer : A

A reverse proxy integrated with their SSO would satisfy the requirements for this scenario. A reverse proxy intercepts requests from users to cloud apps and applies policies based on user identity, device posture, app, and data context. It can enforce DLP controls to prohibit downloading sensitive files to unmanaged devices. It can also integrate with the customer's SSO provider to authenticate users and allow access only to the corporate instance of OneDrive. The other steering methods are not suitable for this scenario because they either require the Netskope client or do not provide granular control over cloud app activities.

Question 5

You use Netskope to provide a default Malware Scan profile for use with your malware policies. Also, you want to create a custom malware detection profile.

In this scenario, what are two additional requirements to complete this task? (Choose two.)

AAdd a custom hash list as an allowlist.

BAdd a quarantine profile.

CAdd a remediation profile.

DAdd a custom hash list as a blocklist.

Answer : B, D

To create a custom malware detection profile, adding a quarantine profile ensures that detected threats are appropriately isolated. Additionally, a custom hash list as a blocklist allows you to block specific known malware hashes, further enhancing the customization of the malware detection profile.

Question 6

Which object would be selected when creating a Malware Detection profile?

ADLP profile

BFile profile

CDomain profile

DUser profile

Answer : B

A file profile is an object that contains a list of file hashes that can be used to create a malware detection profile. A file profile can be configured as an allowlist or a blocklist, depending on whether the files are known to be benign or malicious.A file profile can be created in the Settings > File Profile page1. A malware detection profile is a set of rules that define how Netskope handles malware incidents.A malware detection profile can be created in the Policies > Threat Protection > Malware Detection Profiles page2. To create a malware detection profile, one needs to select a file profile as an allowlist or a blocklist, along with the Netskope malware scan option. The other options are not objects that can be selected when creating a malware detection profile.

Question 7

The risk team at your company has determined that traffic from the sales team to a custom Web application should not be inspected by Netskope. All other traffic to the Web application should continue to be inspected. In this scenario, how would you accomplish this task?

ACreate a Do Not Decrypt Policy using User Group and Domain in the policy page.

BCreate a Do Not Decrypt Policy using Application in the policy page and a Steering Exception for Group

CCreate a Do Not Decrypt Policy using Destination IP and Application in the policy page.

DCreate a Do Not Decrypt Policy using Source IP and Application in the policy page.

Answer : A

To prevent traffic from the sales team to a custom Web application from being inspected by Netskope, you need to create a Do Not Decrypt Policy using User Group and Domain in the policy page.A Do Not Decrypt Policy allows you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies3. You can use the User Group criteria to match the sales team members and the Domain criteria to match the custom Web application. This way, only the traffic from the sales team to the custom Web application will be exempted from decryption, while all other traffic to the Web application will continue to be inspected.

Netskope Certified Cloud Security Integrator NSK200 NCCSI Exam Practice Test