EC-Council CTIA Module 4.7 Practice Test 001

This practice test covers Module 4 (Data Collection and Processing) Sub-module 7 (Threat Data Collection and Enrichment in Cloud Environments).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 4.7 Practice Test 001

10 questions • Single best answer

Question 1

A CTI analyst at a cloud-native organization needs to collect threat data from their AWS environment. She wants to capture API call history, user authentication events, and resource configuration changes across all regions. Which AWS service is the primary data collection source?

A. Amazon S3 event notifications B. AWS CloudTrail C. AWS Lambda function logs D. Amazon CloudFront access logs

Question 2

A security team supporting a multi-cloud environment (AWS, Azure, GCP) wants to centralize threat data collection from all three cloud platforms into a single analysis pipeline. Which approach best addresses the multi-cloud collection challenge?

A. Manually exporting logs from each platform's console on a weekly basis B. Deploying a cloud-agnostic SIEM or CSPM tool that ingests native logs from all three platforms via APIs C. Selecting only one cloud platform for threat data collection and ignoring the other two D. Relying exclusively on the cloud providers' built-in security dashboards without exporting data

Question 3

An analyst enriching cloud threat data wants to add context to suspicious IAM role activity detected in Azure. She queries a threat intelligence platform for historical data on the IP addresses used in the suspicious logins. Which enrichment technique is she applying?

A. Cloud workload profiling B. Indicator enrichment using external threat intelligence lookups C. Cloud security posture assessment D. Vulnerability scanning of Azure virtual machines

Question 4

A CTI team collects flow logs from a cloud VPC to analyze lateral movement patterns. They notice a large volume of east-west traffic between cloud workloads following an initial compromise. Which cloud-native log type provides this network traffic visibility?

A. Cloud audit logs recording administrative API calls B. VPC flow logs capturing source/destination IP, port, and protocol for network connections C. Object storage access logs for S3 bucket reads D. DNS resolution logs from on-premises resolvers

Question 5

A CTI analyst investigates a cloud compromise where credentials were stolen from a misconfigured storage bucket. She wants to trace all actions taken by the compromised IAM credentials after theft. Which data source is most valuable for this investigation?

A. Cloud billing and cost management reports B. Cloud load balancer access logs C. Cloud audit trail logs recording all API calls made by the compromised IAM identity D. Cloud content delivery network (CDN) logs

Question 6

A cloud security team wants to enrich cloud threat data with context about which cloud resources are publicly exposed, misconfigured, or lack encryption. Which tool category provides this enrichment capability?

A. Vulnerability scanner targeting on-premises physical servers B. Cloud Security Posture Management (CSPM) platform C. Network intrusion prevention system (IPS) D. Endpoint detection and response (EDR) agent

Question 7

A threat intelligence analyst at a SaaS company wants to collect threat data from their Kubernetes clusters running in GCP. Which data sources are most relevant for detecting container-level threats and anomalous workload behavior?

A. On-premises firewall syslog feeds and Windows Event logs B. Kubernetes audit logs, container runtime logs, and GCP Cloud Logging C. Physical data center access badge logs D. Email gateway spam filter reports

Question 8

A CTI team managing a hybrid cloud environment wants to unify threat data collection from both on-premises SIEM logs and cloud-native telemetry into a single platform for correlated analysis. What is the primary challenge this integration must address?

A. Reducing the number of on-premises physical servers B. Data format inconsistency and schema differences between on-premises and cloud log sources C. Replacing the cloud provider with a private data center D. Eliminating all cloud-native logging to reduce data volume

Question 9

An analyst investigating a cloud breach enriches collected threat data by correlating observed malicious IP addresses against a threat intelligence feed and appending each IP with associated threat actor profiles, geolocation, and ASN data. This enriched dataset is then ingested into the cloud SIEM for detection rule creation. What is the correct sequence of activities described?

A. Collection → Dissemination → Attribution → Reporting B. Collection → Enrichment → Analysis/Detection rule creation C. Dissemination → Enrichment → Collection → Reporting D. Analysis → Collection → Enrichment → Dissemination

Question 10

A CTI team at a financial services company operating in the cloud wants to automatically enrich newly observed indicators (IPs, domains, hashes) with threat intelligence context as they are collected from cloud logs. Which integration approach enables real-time, automated enrichment?

A. Monthly batch export of cloud logs to a shared network folder for manual analyst review B. API-based integration between the cloud SIEM and a threat intelligence platform (TIP) using automated enrichment workflows C. Forwarding raw cloud logs via email to the CTI team's distribution list D. Printing cloud alert summaries and distributing them in weekly team meetings

EC-Council CTIA Module 4.7 Practice Test 001

Related Posts

Leave a Comment Cancel Reply