Pre-Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Netskope > NCCSA > NSK300

NSK300 Netskope Certified Cloud Security Architect Exam Question and Answers

Question # 4

You are responsible for data security at a large hospital. You need to protect patient personal data including patient ID numbers, e-mail addresses, billing addresses, and credit card numbers that are stored in your database. You want to reduce false positives because you have limited resources for incident response. Which Netskope DLP capability would you use in this scenario?

A.

Use the predefined DLP AMRA profile.

B.

Use the predefined DLP HIPAA profile.

C.

Choose Medical Classifiers in a custom DLP profile.

D.

Create a custom Exact Match rule in a custom DLP profile.

Full Access
Question # 5

Review the exhibit.

You work for a medical insurance provider. You have Netskope Next Gen Secure Web Gateway deployed to all managed user devices with limited block policies. Your manager asks that you begin blocking Cloud Storage applications that are not HIPAA compliant Prior to implementing this policy, you want to verify that no business or departmental applications would be blocked by this policy.

Referring to the exhibit, which query would you use in the Edit Widget window to narrow down the results?

A.

app-ccl-compliance-cert neq ' HIPAA ' and category eq ' Cloud Storage '

B.

Cloud Confidence Compliance neq HIPAA and Cloud Confidence Category is Cloud Storage

C.

SELECT application WHERE ' HIPAA ' NOT IN app-cci-compliance AND WHERE ' Cloud Storage ' IN category

D.

app-compliance does not contain HIPAA and category must equal Cloud Storage

Full Access
Question # 6

Review the exhibit.

MismatchCert (Hostname mismatch) Blocked by SSL_HOST_MISMATCH. The destination is not reachable. Contact your IT administrator with the following error.

A Netskope user reports receiving an error when trying to reach an application hosted by a trusted partner. Referring to the exhibit, what are two ways to solve this problem? (Choose two.)

A.

Configure the Netskope tenant to Bypass Self Signed Server Certificate errors.

B.

Add the trusted partner’s signing certificate to the local machine.

C.

Create an SSL Decrypt rule to bypass the destination website.

D.

Configure the Netskope tenant to Bypass Host MisMatch errors.

Full Access
Question # 7

You are using Netskope CSPM for security and compliance audits across your multi-cloud environments. To decrease the load on the security operations team, you are researching how to auto-re mediate some of the security violations found in low-risk environments.

Which statement is correct in this scenario?

A.

Netskope does not support automatic remediation of security violation results due to the high risk associated with it.

B.

You can use Netskope API-enabled Protection for auto-remediation of security violation results.

C.

You can use Netskope Auto-remediation frameworks from the public Netskope GitHub Open Source repository for auto-re mediation of security violation results.

D.

You can use Netskope Cloud Exchange for auto-remediation of security violation results.

Full Access
Question # 8

You are deploying the Netskope Client to Windows devices. The following command line would be used to install the client MSI file:

In this scenario, what is < token > referring to in the command line?

A.

a Netskope user identifier

B.

the Netskope organization ID

C.

the URL of the IdP used to authenticate the users

D.

a private token given to you by the SCCM administrator

Full Access
Question # 9

Your Netskope Client tunnel has connected to Netskope; however, the user is not receiving any steering or client configuration updates What would cause this issue?

A.

The client is unable to establish communication to add-on-[tenant].goskope.com.

B.

The client is unable to establish communication to gateway-[tenant].goskope.com.

C.

The Netskope Client service is not running.

D.

An invalid steering exception was created in the tenant

Full Access
Question # 10

You want to enable the Netskope Client to automatically determine whether it is on-premises or off-premises. Which two options in the Netskope UI would you use to accomplish this task? (Choose two.)

A.

the All Traffic option in the Steering Configuration section of the Ul

B.

the New Exception option in the Traffic Steering options of the Ul

C.

the Enable Dynamic Steering option in the Steering Configuration section of the Ul

D.

the On Premises Detection option under the Client Configuration section of the Ul

Full Access
Question # 11

You are asked to create a Quarantine repository in your Netskope tenant. Which statement is correct in this scenario?

A.

A Forensic profile must exist to restore a false positive.

B.

Encryption must be configured within the Quarantine profile.

C.

A customer-provided Tombstone file must be uploaded to the tenant.

D.

A Quarantine Instance type must exist for a supported SaaS application.

Full Access
Question # 12

You have an NG-SWG customer that currently steers all Web traffic to Netskope using the Netskope Client. They have identified one new native application on Windows devices that is a certificate-pinned application. Users are not able to access the application due to certificate pinning. The customer wants to configure the Netskope Client so that the traffic from the application is steered to Netskope and the application works as expected.

Which two methods would satisfy the requirements? (Choose two.)

A.

Bypass traffic using the bypass action in the Real-time Protection policy.

B.

Configure the SSL Do Not Decrypt policy to not decrypt traffic for domains used by the native application.

C.

Configure domain exceptions in the steering configuration for the domains used by the native application.

D.

Tunnel traffic to Netskope and bypass traffic inspection at the Netskope proxy.

Full Access
Question # 13

What is a Fast Scan component of Netskope Threat Detection?

A.

Heuristic Analysis

B.

Machine Learning

C.

Dynamic Analysis

D.

Statical Analysis

Full Access
Question # 14

You need to monitor the health of configured IPsec or GRE tunnels.

In this scenario, which two methods are supported by Netskope to accomplish this task? (Choose two.)

A.

Use Layer 4 health checks.

B.

Use Dead Peer Detection.

C.

Use ICMP keepalive probing.

D.

Use Netskope Trust Portal.

Full Access
Question # 15

You want to verify that Google Drive is being tunneled to Netskope by looking in the nsdebuglog file. You are using Chrome and the Netskope Client to steer traffic. In this scenario, what would you expect to see in the log file?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 16

Review the exhibit.

You installed Directory Importer and configured it to import specific groups ot users into your Netskope tenant as shown in the exhibit. One hour after a new user has been added to the domain, the user still has not been provisioned to Netskope.

What are three potential reasons for this failure? (Choose three.)

A.

Directory Importer does not support ongoing user syncs; you must manually provision the user.

B.

The server that the Directory Importer is installed on is unable to reach Netskope ' s add-on endpoint.

C.

The user is not a member of the group specified as a filter

D.

Active Directory integration is not enabled on your tenant.

E.

The default collection interval is 180 minutes, therefore a sync may not have run yet.

Full Access
Question # 17

Your customer is currently using Directory Importer with Active Directory (AD) to provision users to Nelskope. They have recently acquired three new companies (A. B. and C) and want to onboard users from the companies onto the Netskope platform. Information about the companies is shown below.

- Company A uses Active Directory.

-- Company B uses Azure AD.

-- Company C uses Okta Universal Directory.

Which statement is correct in this scenario?

A.

Users from Company B and Company C cannot be provisioned because the customer is already using AD Importer.

B.

Either Company B or Company C users cannot be provisioned because integration with only one SCIM solution is allowed.

C.

Users from Companies A. B, and C can be provisioned to Netskope by deploying additional AD Importers and integrating more than one SCIM solution.

D.

Company A users cannot be provisioned to Netskope because the customer is already using AD Importer to import users from another Active Directory environment.

Full Access
Question # 18

You want to integrate with a third-party DLP engine that requires ICAP. In this scenario, which Netskope platform component must be configured?

A.

On-Premises Log Parser (OPLP)

B.

Secure Forwarder

C.

Netskope Cloud Exchange

D.

Netskope Adapter

Full Access
Question # 19

You built a number of DLP profiles for different sensitive data types. If a file contains any of this sensitive data, you want to take the most restrictive policy action but also create incident details for all matching profiles.

Which statement is correct in this scenario?

A.

Create a Real-time Protection policy for each DLP profile; each matched profile will generate a unique DLP incident.

B.

Create a Real-time Protection policy for each DLP profile; all matched profiles will show up in a single DLP incident

C.

Create a single Real-time Protection policy and include all of the DLP profiles; each matched profile will generate a unique DLP incident

D.

Create a single Real-time Protection policy and include all of the DLP profiles; all matched profiles will show up in a single DLP incident.

Full Access
Question # 20

Users in your network are attempting to reach a website that has a self-signed certificate using a GRE tunnel to Netskope. They are currently being blocked by Netskope with an SSL error. How would you allow this traffic?

A.

Configure a Do Not Decrypt SSL Decryption rule to allow traffic to pass.

B.

Configure a Real-time Protection policy with the action set to Allow.

C.

Set the No SNI setting in Netskope to Bypass.

D.

Ensure that the users add the self-signed certificate to their local certificate store.

Full Access
Question # 21

You receive a report from your endpoint team that a device may no longer be running the Netskope Client. You only know the hostname of the machine in question. You want to remotely verify whether the client is still installed and steering traffic and which user is assigned to the device. In this scenario, how would you accomplish this task?

A.

Enable IP restrictions for a sanctioned application and see if any users report an access problem.

B.

Under Skope IT Users, look at the Users Over Time graph for any anomalies.

C.

Under the Netskope Client Devices page, search for the hostname in question and identify the current Client Status and User information.

D.

Under Skope IT Applications Events, query by hostname and determine the last event date and time.

Full Access
Question # 22

A company wants to capture and maintain sensitive PII data in a relational database to help their customers. There are many employees and contractors that need access to sensitive customer data to perform their duties The company wants to prevent the exfiltration of sensitive customer data by their employees and contractors.

In this scenario. what would satisfy this requirement?

A.

fingerprinting

B.

exact data match

C.

regular expression

D.

machine learning

Full Access
Question # 23

You are asked to create a customized restricted administrator role in your Netskope tenant for a newly hired employee. Which two statements are correct in this scenario? (Choose two.)

A.

An admin role prevents admins from downloading and viewing file content by default.

B.

The scope of the data shown in the UI can be restricted to specific events.

C.

All role privileges default to Read Only for all functional areas.

D.

Obfuscation can be applied to all functional areas.

Full Access
Question # 24

Review the exhibit.

AcmeCorp has recently begun using Microsoft 365. The organization is concerned that employees will start using third-party non-AcmeCorp OneDrive instances to store company data. The CISO asks you to use Netskope to create a policy that ensures that no data is being uploaded to non-AcmeCorp instances of OneDrive.

Referring to the exhibit, which two policies would accomplish this posture? (Choose two.)

A.

4

B.

3

C.

2

D.

1

Full Access