Domain 2: Threats & Vulnerabilities · Domain 4: Security Operations

How to Solve Log Analysis PBQs on Security+

Log analysis PBQs test your ability to identify security incidents in real-world log data. This guide teaches you the exact methodology to spot brute force attacks, privilege escalation, and indicators of compromise.

What Is a Log Analysis PBQ?

On the Security+ exam, a log analysis performance-based question presents you with a set of security logs and asks you to identify specific entries that indicate a security incident. Unlike multiple choice questions where you pick from options, you're analyzing raw data and making decisions like a real security analyst.

You'll typically see authentication logs (SSH, Windows Event Logs), firewall logs, web server logs, or system logs. The question might ask you to:

  • Select all log entries showing a brute force attack
  • Identify the indicators of compromise in the logs
  • Determine which entries show unauthorized access
  • Find evidence of data exfiltration or lateral movement

Why This Matters

Log analysis PBQs appear on approximately 85% of Security+ exams and are worth 2-3x the points of standard multiple choice questions. Getting these right can be the difference between passing and failing.

The 4-Step Method for Log Analysis

When you see a log analysis PBQ, don't panic. Follow this systematic approach:

1. Read the question first. Know exactly what you're looking for before diving into the logs. Are you finding a brute force attack? Unauthorized access? Policy violations? This focuses your analysis.
2. Scan timestamps for patterns. Security incidents leave timing signatures. Brute force attacks show rapid successive attempts (milliseconds apart). Legitimate users don't authenticate 50 times in 10 seconds.
3. Check source IPs. Internal IPs (10.x.x.x, 172.16-31.x.x, 192.168.x.x) versus external IPs tell different stories. An external IP repeatedly hitting your SSH server is suspicious.
4. Look for the success after failures. Brute force attacks end one of two ways: the attacker gives up, or they get in. A string of FAILED attempts followed by SUCCESS from the same IP indicates a compromised account.

Common Attack Patterns in Logs

The Security+ exam tests your ability to recognize these specific patterns:

Brute Force Attack

Rapid failed login attempts from a single source, often targeting root/admin accounts.

FAILED password for root from 203.0.113.45 (×50 in 30 seconds)

Credential Stuffing

Failed logins across multiple usernames from the same source.

FAILED: admin, administrator, root, user1, guest...

Privilege Escalation

User attempting commands or access beyond their permissions.

sudo: jsmith : command not allowed ; COMMAND=/bin/cat /etc/shadow

Successful Compromise

Successful auth following multiple failures from the same IP.

FAILED ×47... then ACCEPTED password for root from 203.0.113.45

Walkthrough: Analyzing a Sample Log

Let's apply the 4-step method to a realistic example. Read through these logs and try to identify the security incident before reading the analysis:

auth.log — SSH Authentication Events
09:14:22  INFO   sshd: Accepted publickey for admin from 10.0.1.50 port 22
09:15:01  INFO   sshd: Accepted password for jsmith from 10.0.1.22 port 22
09:15:33  ERROR  sshd: Failed password for root from 203.0.113.45 port 22
09:15:33  ERROR  sshd: Failed password for root from 203.0.113.45 port 22
09:15:34  ERROR  sshd: Failed password for root from 203.0.113.45 port 22
09:15:34  ERROR  sshd: Failed password for root from 203.0.113.45 port 22
09:16:02  WARN   sudo: jsmith : TTY=pts/0 ; COMMAND=/usr/bin/apt update
09:17:44  INFO   sshd: Accepted password for dbadmin from 10.0.2.15 port 22
09:18:12  CRIT   sshd: Accepted password for root from 203.0.113.45 port 22
09:18:15  WARN   sudo: root : TTY=pts/1 ; COMMAND=/usr/bin/cat /etc/shadow

Analysis

Step 1 — What are we looking for? Signs of unauthorized access or a security incident.

Step 2 — Timestamps: Lines 3-6 all occur within 1 second (09:15:33-34). That's not a human typing passwords—it's automated.

Step 3 — Source IP: 203.0.113.45 is an external IP (not in any private range). It's targeting the root account specifically.

Step 4 — The success: At 09:18:12, the same external IP successfully authenticates as root. Then immediately accesses /etc/shadow (the password hash file).

Conclusion: This is a successful brute force attack. The attacker gained root access and is now extracting password hashes for offline cracking. The failed attempts (lines 3-6), the root login at 09:18:12, and the read of /etc/shadow that follows are your indicators of compromise.
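The same 4-step method as a script, added here as an example and not part of the original guide: it parses the sample auth.log above, flags bursts of failures from one source (step 2), classifies each source against the private ranges listed in step 3, reports a success that follows failures from the same IP (step 4), and flags sensitive post-login sudo commands from the red-flags list. The log lines are the walkthrough's, re-typed with spaces between fields; the regexes, the burst threshold (3 failures within 10 seconds) and the sensitive-command list are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample: the auth.log excerpt from the walkthrough, fields separated by spaces.
SAMPLE_LOG = """\
09:14:22 INFO sshd: Accepted publickey for admin from 10.0.1.50 port 22
09:15:01 INFO sshd: Accepted password for jsmith from 10.0.1.22 port 22
09:15:33 ERROR sshd: Failed password for root from 203.0.113.45 port 22
09:15:33 ERROR sshd: Failed password for root from 203.0.113.45 port 22
09:15:34 ERROR sshd: Failed password for root from 203.0.113.45 port 22
09:15:34 ERROR sshd: Failed password for root from 203.0.113.45 port 22
09:16:02 WARN sudo: jsmith : TTY=pts/0 ; COMMAND=/usr/bin/apt update
09:17:44 INFO sshd: Accepted password for dbadmin from 10.0.2.15 port 22
09:18:12 CRIT sshd: Accepted password for root from 203.0.113.45 port 22
09:18:15 WARN sudo: root : TTY=pts/1 ; COMMAND=/usr/bin/cat /etc/shadow
"""
SSH_RE = re.compile(r"^(\d\d:\d\d:\d\d) \S+ sshd: (Accepted|Failed) \w+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"^(\d\d:\d\d:\d\d) \S+ sudo: (\S+) : .*COMMAND=(.+)$")
# Step 3: the private ranges from the guide (assumed: anything else is external).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE = ("/etc/shadow", "whoami", "wget", "curl")   # from the "Red Flags" list
BURST_WINDOW, BURST_COUNT = 10, 3   # assumed: 3+ failures within 10 s is automated (step 2)

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def analyze(log_text):
    """Apply the 4-step method. Returns (flagged 1-based line numbers, findings)."""
    flagged, findings = set(), []
    fails = defaultdict(list)   # source IP -> [(line_no, seconds since midnight)]
    for n, line in enumerate(log_text.splitlines(), 1):
        if m := SSH_RE.match(line):
            ts, result, user, ip = m.groups()
            t = sum(int(x) * k for x, k in zip(ts.split(":"), (3600, 60, 1)))
            where = "internal" if is_internal(ip) else "EXTERNAL"
            if result == "Failed":
                fails[ip].append((n, t))
                recent = [x for x in fails[ip] if t - x[1] <= BURST_WINDOW]
                if len(recent) >= BURST_COUNT:          # step 2: timing signature
                    flagged.update(l for l, _ in recent)
                    if len(recent) == BURST_COUNT:      # report once per burst
                        findings.append(f"line {n}: {len(recent)} failures for {user} from {where} {ip} within {BURST_WINDOW}s")
            elif ip in fails:                           # step 4: success after failures
                flagged.add(n)
                findings.append(f"line {n}: {user} accepted from {where} {ip} after {len(fails[ip])} failures")
        elif (m := SUDO_RE.match(line)) and any(s in m.group(3) for s in SENSITIVE):
            flagged.add(n)                              # red flag: sensitive post-login command
            findings.append(f"line {n}: {m.group(2)} ran {m.group(3)}")
    return sorted(flagged), findings
```

Running `analyze(SAMPLE_LOG)` flags lines 3-6, 9 and 10, the same entries the analysis above identifies; the RFC 1918 check is deliberately explicit because Python's `is_private` also treats the 203.0.113.0/24 documentation range as private.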

Red Flags to Always Check

On exam day, train yourself to look for these specific indicators:

  • External IPs accessing internal services — Especially SSH (22), RDP (3389), or database ports
  • Failed attempts targeting privileged accounts — root, admin, administrator, sa, dba
  • Timestamps within milliseconds — Humans can't type that fast
  • Success after repeated failures — The attacker got in
  • Unusual commands after authentication — cat /etc/shadow, whoami, wget, curl to external IPs
  • Off-hours activity — Root login at 3 AM when no one should be working
  • Geographic impossibility — User logs in from New York, then Tokyo 5 minutes later

Frequently Asked Questions

What is a log analysis PBQ on the Security+ exam?

A log analysis PBQ presents you with security logs (authentication logs, firewall logs, system logs) and asks you to identify security incidents, indicators of compromise, or policy violations. You must select the log entries that show evidence of attacks like brute force attempts, unauthorized access, or data exfiltration.

How many PBQs are on the Security+ exam?

The Security+ SY0-701 exam typically has 4-5 performance-based questions out of 90 total questions. PBQs are worth more than standard multiple choice questions, often 2-3x the point value, making them critical for passing.

Should I skip PBQs and come back to them?

Many test-takers skip PBQs initially and return after completing multiple choice questions. This ensures you don't run out of time on easier questions. However, don't leave PBQs unanswered—their higher point value means they significantly impact your score.

What log types appear on the Security+ exam?

Common log types include SSH/authentication logs, Windows Event Logs, firewall logs, web server access logs (Apache/Nginx), and system logs. You should be comfortable recognizing the format and key fields in each type.
