Which statement is correct in this scenario?

You built a number of DLP profiles for different sensitive data types. If a file contains any of this sensitive data, you want to take the most restrictive policy action but also create incident details for all matching profiles.

Which statement is correct in this scenario?
A . Create a Real-time Protection policy for each DLP profile; each matched profile will generate a unique DLP incident.
B . Create a Real-time Protection policy for each DLP profile; all matched profiles will show up in a single DLP incident
C . Create a single Real-time Protection policy and include all of the DLP profiles; each matched profile will generate a unique DLP incident
D . Create a single Real-time Protection policy and include all of the DLP profiles; all matched profiles will show up in a single DLP incident.

View Answer

Answer: D

Explanation:

When configuring a Real-time Protection policy with multiple DLP profiles, if the content matches multiple profiles, the policy performs the most restrictive action associated with the DLP profiles that match for that policy. The resulting incident lists all the profiles that matched along with their corresponding forensic information. This means that even though the most restrictive action is taken, details for all matching profiles are created and included in a single DLP incident12.

Reference: The explanation is based on the best practices and detailed descriptions provided in the Netskope Knowledge Portal and Community discussions, which outline the process of handling multiple DLP profile matches within a single Real-time Protection policy