
📌 Context
Regex isn’t useful if it only lives in your head. Analysts need a library they can copy, paste, and deploy when the pressure’s on. This section delivers a field-ready set of regex patterns for IPs, hashes, domains, emails, file paths, and timestamps — the core IOCs every SOC analyst hunts. Think of it as your regex go-bag.
🔬 Ready-to-Paste Patterns
IPv4
\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b
Practical, flexible IPv4 match. Use in firewall, proxy, or DNS logs.
IPv6
(?:[A-Fa-f0-9]{1,4}:){2,7}[A-Fa-f0-9]{1,4}
Catches common uncompressed IPv6 formats in either hex case (Linux logs usually render addresses in lowercase, which an uppercase-only class would miss). Expand with variants for compressed (::) addresses as needed.
Domains
([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}
Generic domain matcher. Use case: spotting suspicious DNS queries or URLs.
Emails
[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}
Flexible pattern for phishing detection across mail or proxy logs.
File Paths
- Windows:
  [A-Z]:\\[^\s]+
- Linux/Unix:
  \/[^\s]+
Hashes
- MD5:
  \b[a-fA-F0-9]{32}\b
- SHA1:
  \b[a-fA-F0-9]{40}\b
- SHA256:
  \b[a-fA-F0-9]{64}\b
Timestamps
- ISO 8601:
  \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z
- Apache:
  \[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]
📋 Incident Response Snippets
How to drop these patterns directly into tools:
- grep IP hunt:
  grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" access.log | sort | uniq -c
- Splunk SHA256 hunt:
  index=edr | regex hash="\b[a-fA-F0-9]{64}\b"
- Suricata domain rule:
  alert http any any -> any any (msg:"Suspicious domain"; \
      pcre:"/([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}/"; \
      sid:100010; rev:1;)
- YARA hash rule:
  rule IOC_Hash {
      strings:
          $sha256 = /\b[a-fA-F0-9]{64}\b/
      condition:
          $sha256
  }
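The same patterns dropped into a small Python extractor, as an added example that is not part of the original post: it runs the kit over a few constructed log lines and shows the two checks a practitioner adds on top of the raw regexes (the IPv4 pattern accepts octets above 255, and the IPv6 pattern also matches the hh:mm:ss inside every timestamp, so candidates are validated with the standard `ipaddress` module). The sample lines and the `extract_iocs` / `is_real_ip` names are this example's own; the hash is the well-known SHA-256 of empty input.

```python
import ipaddress
import re
from collections import defaultdict

# The page's patterns, compiled once. IPv6 gets IGNORECASE because Linux logs render hex in lowercase.
IOC_PATTERNS = {
    "ipv4":     re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b"),
    "ipv6":     re.compile(r"(?:[A-F0-9]{1,4}:){2,7}[A-F0-9]{1,4}", re.IGNORECASE),
    "domain":   re.compile(r"([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}"),
    "email":    re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"),
    "win_path": re.compile(r"[A-Z]:\\[^\s]+"),
    "md5":      re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "sha1":     re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "sha256":   re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "iso8601":  re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"),
}

def is_real_ip(candidate: str) -> bool:
    """The IPv4 regex accepts 300.1.2.3 and the IPv6 regex matches the
    hh:mm:ss of every timestamp; let the ipaddress module decide."""
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False

def extract_iocs(lines):
    """Run every pattern over each line and return {kind: sorted unique values}."""
    found = defaultdict(set)
    for line in lines:
        for kind, pattern in IOC_PATTERNS.items():
            # finditer + group(0): re.findall would return only the capturing group of the domain pattern.
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind in ("ipv4", "ipv6") and not is_real_ip(value):
                    continue
                found[kind].add(value)
    return {kind: sorted(values) for kind, values in found.items()}

# Constructed sample lines (not from a real incident); the hash is the SHA-256 of empty input.
SAMPLE_LOG = [
    "2025-09-08T12:00:01Z sshd: failed login from 203.0.113.7 user bob",
    "2025-09-08T12:00:02Z proxy: GET http://malicious-site.example/x.php by alice@example.com",
    "2025-09-08T12:00:03Z edr: C:\\Users\\bob\\Downloads\\payload.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2025-09-08T12:00:04Z dns: query from 2001:db8:0:0:0:0:0:1 for evil-cdn.example.net, bogus ip 300.1.2.3",
]

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_LOG).items():
        print(f"{kind:9} {values}")
```

Note that the generic domain matcher also returns filenames such as `payload.exe` and `x.php` from these lines; filter candidates against a TLD list downstream before treating them as IOCs.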
🧾 Final Thoughts
This field manual isn’t theory — it’s meant for copy-paste deployment under fire. Regex is hard, but when you’ve got a kit of tested patterns, you don’t freeze. Whether you’re sweeping logs with grep, extracting fields in Splunk, or codifying detections in YARA, regex becomes a weapon instead of a headache. The series ends here, but your regex journey doesn’t — add patterns, refine them, and make this kit your own.
Published: September 8, 2025