EC-Council CTIA Module 4.6 Practice Test 002

This practice test covers Module 4 (Data Collection and Processing) Sub-module 6 (Data Processing and Exploitation).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 4.6 Practice Test 002

10 questions • Single best answer

Question 1

A threat intelligence analyst at a healthcare provider has gathered raw logs, feeds, and malware reports. Before analysis begins, these inputs must be converted into a structured, usable form. Which lifecycle phase covers this conversion of raw inputs?

A. Collection B. Dissemination C. Processing and exploitation D. Analysis

Question 2

An analyst is merging IoC records from several feeds that use different field names and timestamp formats. To compare them reliably, all records must be converted to one consistent structure. What is this conversion called?

A. Normalization B. Enrichment C. Attribution D. Sampling

Question 3

A government CTI team faces a dataset too large to examine in full before its deadline. They select a representative subset to review instead of the entire collection. Which technique are they applying?

A. Deduplication B. Normalization C. Indexing D. Data sampling

Question 4

A SOC ingesting overlapping threat feeds notices the same indicator appearing thousands of times. Storage and analysis suffer from these repeats. Which processing step removes the redundant entries?

A. Sampling B. Deduplication C. Tagging D. Enrichment

Question 5

An analyst converts free-text incident reports into fields such as indicator, type, and source. The goal is machine-readability for downstream tools. What is the primary purpose of this structuring?

A. Enable automated correlation B. Guarantee zero false positives C. Eliminate the need for analysis D. Replace the collection plan

Question 6

A new team member confuses gathering feed data with preparing it for use. The lead clarifies which activity transforms raw data into an analyzable form. Which activity is that?

A. Collection B. Direction C. Processing D. Dissemination

Question 7

A CTI team wants structured indicators exchanged in a common machine-readable schema during processing. They choose a widely adopted standard for representing threat data. Which format fits?

A. YARA B. STIX C. PCAP D. Syslog

Question 8

An analyst labels processed records with source, confidence, and collection-date attributes. This added descriptive information helps later filtering and analysis. What are these added attributes called?

A. Indicators B. Payloads C. Signatures D. Metadata

Question 9

After collection, an analyst discards irrelevant and low-value records to reduce noise before analysis. Only data meeting relevance criteria is retained. Which processing activity is described?

A. Sampling B. Normalization C. Filtering D. Enrichment

Question 10

A CTI program manager maps the lifecycle order for the team. They ask which phase immediately follows collection and prepares data for the analysis phase. Which phase is it?

A. Processing and exploitation B. Dissemination C. Planning and direction D. Feedback

EC-Council CTIA Module 4.6 Practice Test 002

Related Posts

Leave a Comment Cancel Reply