To provision Netskope users from Okta with SCIM Provisioning, and users are not showing up in the tenant, the two Netskope components that you should verify first in Okta for accuracy are B. OAuth token and D. SCIM server URL. The OAuth token is a credential that allows Okta to authenticate with the Netskope SCIM server and perform user provisioning operations4. The SCIM server URL is the endpoint that Okta uses to communicate with the Netskope SCIM server and send user data5. Both of these components must be configured correctly in Okta for the SCIM Provisioning to work. You can find them in the Netskope UI under Settings > Tools > Directory Tools > SCIM Integration6. Therefore, options B and D are correct and the other options are incorrect. References: SCIM-Based User Provisioning - Netskope Knowledge Portal, Netskope + Okta Use Case: Provisioning Users and Managing Groups Using SCIM - Netskope, Netskope Partner Okta - Netskope

Three methods to deploy a Netskope client are A. Deploy Netskope client using SCCM, C. Deploy Netskope client using email invite, and E. Deploy Netskope client using IdP. These are some of the methods that Netskope supports for packaging and installing the Netskope client on the user’s device1. SCCM is a Microsoft tool that allows you to push the Netskope client silently to the user’s device without requiring user intervention or local admin privileges2. Email invite is a method that sends an email to the user with a unique link to download and install the Netskope client. This method is quick and easy, but requires the user to initiate the installation and have local admin privileges3. IdP is a method that uses an identity provider (such as Azure AD or Okta) to authenticate the user and enroll the Netskope client. This method requires the UPN of the logged in user to match the directory, or use SAML/SSO as an alternative4. Therefore, options A, C, and E are correct and the other options are incorrect. References: Deploy the Netskope Client - Netskope Knowledge Portal, Deploying with Microsoft Endpoint Configuration Manager / SCCM - Netskope Knowledge Portal, Deploying with Email Invite - Netskope Knowledge Portal, Deploying with IdP - Netskope Knowledge Portal

To investigate which of the Netskope DLP policies are creating the most incidents, the following two statements are true:

You can see the top five DLP policies triggered using the Analyze feature. The Analyze feature allows you to create custom dashboards and widgets to visualize and explore your data. You can use the DLP Policy widget to see the top five DLP policies that generated the most incidents in a given time period3.

You can create a report using Reporting or Advanced Analytics. The Reporting feature allows you to create scheduled or ad-hoc reports based on predefined templates or custom queries. You can use the DLP Incidents by Policy template to generate a report that shows the number of incidents per DLP policy4. The Advanced Analytics feature allows you to run SQL queries on your data and export the results as CSV or JSON files. You can use the DLP_INCIDENTS table to query the data by policy name and incident count5.

The other two statements are not true because:

The Skope IT Applications tab will not list the top five DLP policies. The Skope IT Applications tab shows the cloud app usage and risk summary for your organization. It does not show any information about DLP policies or incidents6.

The Skope IT Alerts tab will not list the top five DLP policies. The Skope IT Alerts tab shows the alerts generated by various policies and profiles, such as DLP, threat protection, IPS, etc. It does not show the number of incidents per policy, only the number of alerts per incident7.

To deploy Netskope using IPSec tunnels for security in this scenario, two considerations to make a successful connection are C. redundant POPs and D. number of hosts. Redundant POPs are Points of Presence that are geographically distributed data centers that host the Netskope cloud platform. You need to consider redundant POPs to ensure high availability and resiliency of your IPSec tunnels in case of a failure or outage in one of the POPs. You can configure multiple IPSec tunnels from your network to different POPs and use dynamic routing protocols such as BGP to load balance and failover the traffic1. Number of hosts is the number of devices or endpoints that will use the IPSec tunnels to access the cloud services. You need to consider the number of hosts to estimate the bandwidth and throughput requirements of your IPSec tunnels and choose the appropriate POPs that can handle the traffic volume. You can use the Netskope Bandwidth Calculator tool to estimate the bandwidth and throughput based on the number of hosts, locations, and cloud services2. Therefore, options C and D are correct and the other options are incorrect. References: IPSec - Netskope Knowledge Portal, Netskope Bandwidth Calculator

Adding a Skope IT query to a custom watchlist allows the query to be saved and easily accessed. Saving the watchlist and managing filters also lets you customize it further and share it with others in your organization if needed​​.

To help the customer with the scenario of malware in their AWS S3 buckets, two actions that would help are B. Enable Threat Protection (Malware Scan) for all of their AWS instances to identify malware and C. Create an API protection policy to quarantine malware in their AWS S3 buckets. Threat Protection (Malware Scan) is a feature that allows you to scan files in your cloud services, such as AWS S3, for malware using Netskope’s advanced threat protection engine. You can enable Threat Protection (Malware Scan) for all of your AWS instances in the Netskope tenant by going to Settings > Cloud Services > AWS > Threat Protection and selecting the Enable Malware Scan option1. This will help you identify malware in your AWS S3 buckets and generate alerts for further action. An API protection policy is a rule that specifies the actions and notifications that Netskope applies to the data that is already resident in your cloud services, such as AWS S3, based on various criteria. You can create an API protection policy to quarantine malware in your AWS S3 buckets by going to Policies > API Protection > New Policy and selecting the AWS service, the Malware Scan data identifier, and the Quarantine action in the policy page2. This will help you isolate malware in your AWS S3 buckets and prevent it from spreading or being accessed by unauthorized users. Therefore, options B and C are correct and the other options are incorrect. References: Threat Protection (Malware Scan) - Netskope Knowledge Portal, Add a Policy for API Protection - Netskope Knowledge Portal

To allow the security team to use the test data file that was detected as a virus by the Netskope Heuristics Engine, the following two steps are correct:

Click the “Add To File Filter” button to add the IOC to a file list. This will exclude the file from future malware scans and prevent false positive alerts. The file list can be managed in the Settings > File Filter page1.

Click the “Lookup VirusTotal” button to verify if this IOC is a false positive. This will open a new tab with the VirusTotal report for the file hash. VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. The report will show how many antivirus engines detected the file as malicious and provide additional information about the file2.

https://docs.netskope.com/en/netskope-help/admin-console/incidents/

To allow users to transparently leverage the local security stack when they return to the office, you need to follow these two statements: A. You must enable On-premises Detection in the client configuration and C. You must disable Dynamic Steering in the traffic steering profile. On-premises Detection is a feature that allows the Netskope client to detect whether it is on-premises or off-premises based on a DNS or HTTP probe. You need to enable On-premises Detection in the client configuration and specify a domain name or an HTTP address that is only accessible from your local network3. Dynamic Steering is a feature that allows you to steer different types of traffic differently based on various criteria such as user group, location, category, etc. You need to disable Dynamic Steering in the traffic steering profile or create an exception for your local network to bypass Netskope and use your local security stack4. Therefore, options A and C are correct and the other options are incorrect. References: Client Configuration - Netskope Knowledge Portal, Dynamic Steering - Netskope Knowledge Portal

Integrating with EDR vendors like Crowdstrike requires an API Client ID for authentication and data sharing. A remediation profile is also necessary to define automated actions that can be taken when threats are detected, ensuring effective response to endpoint threats​​.

To create a custom malware detection profile, adding a quarantine profile ensures that detected threats are appropriately isolated. Additionally, a custom hash list as a blocklist allows you to block specific known malware hashes, further enhancing the customization of the malware detection profile​​.

Placing high-risk block policies at the top ensures that critical blocks are enforced first, protecting against the most severe threats. Additionally, an "allow all" Web Access policy at the bottom is not necessary, as policy defaults can handle remaining traffic not explicitly addressed by other rules​​.

To identify unusual user activity, filter alerts by "uba" (User Behavior Analytics) and "anomaly." UBA and anomaly alerts highlight deviations from typical user behavior, which are indicators of unusual or potentially risky activities​​.