EC-Council CTIA Module 7.2 Practice Test 001

This practice test covers Module 7 (Threat Hunting and Detection) Sub-module 2 (Threat Hunting Automation).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 7.2 Practice Test 001

10 questions • Single best answer

Question 1

A threat hunting team wants to automate the execution of repetitive hunt queries across their environment and have results automatically flagged for analyst review when anomalies are detected. Which tool category best enables this automated hunting capability?

A. A manual threat intelligence report generator B. A SOAR platform with scheduled hunt playbooks and automated anomaly flagging C. A network packet capture tool for manual traffic analysis D. A data retention policy enforcement system

Question 2

A threat hunter writes a Python script that queries the organization's SIEM API for unusual PowerShell execution patterns, compares results against a baseline of normal PowerShell usage, and automatically creates tickets for deviations exceeding a defined threshold. This automation example demonstrates what benefit?

A. Replacing human analysts entirely with Python automation B. Scaling repetitive hunting query execution and baseline comparison without continuous manual analyst effort C. Generating threat intelligence reports from hunt results automatically D. Performing passive DNS data collection from external sources

Question 3

A threat hunting team integrates their threat intelligence platform with their SIEM via API. When a new threat actor TTP is added to the TIP, the system automatically generates and deploys a corresponding hunt query to the SIEM. This closes the loop between which two intelligence lifecycle activities?

A. Data collection and data normalization B. Intelligence production and hunting/detection operationalization C. Collection planning and source reliability assessment D. Executive reporting and board approval

Question 4

A threat hunting team uses Jupyter Notebooks to document and share hunt methodologies, including the data sources queried, hunt logic, and findings from previous campaigns. When a new threat intelligence report suggests a new hunting hypothesis, they adapt an existing notebook for the new scenario. What advantage does notebook-based hunting documentation provide?

A. It encrypts hunt findings to prevent unauthorized access B. It creates reproducible, shareable, and iteratively improvable hunt workflows that combine code, data, and analysis documentation C. It automatically deploys hunt findings as SIEM detection rules D. It replaces the need for a SIEM in the hunting workflow

Question 5

A threat hunter creates a hunt automation that uses machine learning-based anomaly detection to establish baseline behavior profiles for each user and device, then automatically flags deviations from these profiles for analyst review. This approach to hunting automation is based on what principle?

A. Signature-based detection matching known malicious patterns B. Behavioral baseline deviation detection using anomaly analysis C. Manual review of all user activities by senior analysts D. Bulk data collection from external threat feeds

Question 6

A threat hunting team at a financial services company automates hunting using a Python script that ingests STIX indicators from their TIP, translates them to KQL queries, and submits them to Microsoft Sentinel for scheduled execution. This script represents which automation capability?

A. Manual KQL query writing session by a senior analyst B. Automated indicator-to-hunting-query translation and scheduled execution C. Passive DNS data enrichment for collected indicators D. Intelligence dissemination to executive dashboards

Question 7

A threat hunting automation system identifies 500 behavioral anomalies per day from automated queries. Due to analyst capacity constraints, only 20 anomalies can be manually investigated. The team implements an automated scoring and prioritization system that ranks anomalies by severity, intelligence correlation, and asset criticality. What problem does this system solve?

A. It eliminates the need for human analysts to investigate any anomalies B. It prioritizes the analyst queue to ensure the most significant anomalies receive human investigation first C. It automatically closes all 480 unreviewed anomalies as false positives D. It increases the number of anomalies detected to 1000 per day

Question 8

A threat hunting team uses threat intelligence to drive automated hunting automation campaigns. After each campaign, findings are fed back into the CTI team's knowledge base and used to improve future hunting hypotheses. This iterative feedback loop is an example of what?

A. A one-time hunting exercise with no follow-up B. Continuous improvement through hunter-intelligence feedback integration C. Fully automated hunting that requires no analyst input D. A collection plan revision process

Question 9

A threat hunter uses the MITRE ATT&CK framework within an automated hunting platform to map the organization's current detection coverage, identify technique gaps, and automatically generate hunt queries for uncovered ATT&CK techniques. What does the automated gap-identification component specifically enable?

A. Generating vendor procurement proposals for new security tools B. Systematic identification of ATT&CK technique gaps in detection coverage, prioritizing future hunting investments C. Automatic attribution of all detected techniques to specific threat actors D. Replacing the need for human-written hunt queries

Question 10

A CTI-driven threat hunting automation platform receives a new STIX indicator bundle containing a malware hash, an associated domain, and a MITRE ATT&CK technique pattern. The platform automatically: (1) queries endpoints for the hash via EDR, (2) queries DNS logs for the domain, and (3) runs an ATT&CK-based behavioral hunt query in the SIEM. All three actions occur simultaneously within 3 minutes. What automation capability does this describe?

A. Sequential manual hunting by a senior analyst across three tools B. Parallel automated multi-source hunt orchestration triggered by intelligence ingestion C. Batch processing of intelligence reports for weekly executive briefings D. Real-time network traffic blocking based on the ingested domain

EC-Council CTIA Module 7.2 Practice Test 001

Related Posts

Leave a Comment Cancel Reply