Zscaler Digital Transformation Administrator ZDTA New Questions

Microsoft Information Protection labels imported into ZIA are used as criteria in DLP policy enforcement. A custom DLP policy can inspect data in motion and take actions based on the sensitivity labels attached to documents. Option D (Creating a custom DLP Policy) is correct because MIP labels are consumed in DLP policy logic, not in PAC, file type, or posture policies.

Why the other options are incorrect:

A. Creating a custom DLP Dictionary: A custom DLP Dictionary defines match patterns. Imported MIP labels are used in DLP policy conditions/actions, not turned into a dictionary.

B. Creating a SaaS Security Posture Control Policy: SSPM checks SaaS tenant configuration, risky settings, and compliance posture.

C. Creating a File Type Control Policy: File Type Control classifies and restricts uploads or downloads by file type, regardless of filename tricks.

Cloud Sandbox is built for unknown and suspicious files, especially when static signatures are not enough. The file is detonated in an isolated environment so Zscaler can observe behavior and assign a verdict before allowing it to reach users. Option C (Identify Zero-Day Threats) is correct because sandboxing is most valuable for identifying zero-day threats and advanced malware behavior.

Why the other options are incorrect:

A. Block malware that we have previously identified: Known-malware blocking is signature/reputation enforcement. Cloud Sandbox adds value by analyzing unknown files before a known signature exists.

B. Build a test environment where we can evaluate the result of policies: A test environment for policy evaluation is a lab function. Cloud Sandbox is a malware detonation and behavior-analysis service.

D. Balance threat detection across customers around the world: Balancing detection across customers describes cloud-scale operations. Sandbox’s student-level purpose is to detonate and classify suspicious files.

Zscaler Data Protection is primarily adopted to prevent sensitive data from leaving through internet and cloud application channels. The service combines inline DLP, SaaS Security API, endpoint controls, and data discovery to protect data in motion, at rest, and in use. Option C (Prevent loss to Internet and Cloud Apps) is correct because preventing loss to internet and cloud apps is a core data-protection use case.

Why the other options are incorrect:

A. Reduce your Internet Attack Surface: Attack surface is the set of exposed services, addresses, applications, and entry points an attacker can discover.

B. Prevent download of Malicious Files: Blocking malicious downloads is threat protection through malware, ATP, sandbox, or file controls rather than DLP for sensitive data loss.

D. Securely connect users to Private Applications: Secure private-app connectivity is the ZPA use case, not Zscaler Data Protection.

File Type Control reduces exposure by limiting which file categories users can download or upload, especially from risky or untrusted destinations. It is not a monitoring score or administrative RBAC control; it is a content-control policy that directly limits malicious or high-risk file exposure. Option C (File type Controls) is correct because File Type Control can block dangerous content classes before they reach the endpoint.

Why the other options are incorrect:

A. Role Based Access control (RBAC): RBAC limits administrator privileges by role and scope; it does not inspect user web content or files.

B. Bandwidth Controls: Bandwidth Control shapes outbound traffic to manage congestion and prioritize business use.

D. Zscaler Digital Experience: ZDX monitors experience and helps troubleshoot performance. It does not limit malicious file/content exposure through policy enforcement.