
🧠 Practice Questions
You’ve made it through the full series — regex basics, IOC patterns, tool integration, and pitfalls. Now it’s time to pressure-test your knowledge. Below are 20 practice questions, randomized in difficulty, to simulate the chaos of real SOC work. Mix of multiple choice and short answer. Answers are at the bottom with spacing so you don’t get lost in a wall of text.
1. Concept Check:
What does the metacharacter . match by default?
A. Any whitespace character
B. A newline
C. Any single character except newline
D. End of line marker
2. IOC Hunt:
Which regex correctly matches a SHA256 hash?
A. \b[a-fA-F0-9]{40}\b
B. \b[a-fA-F0-9]{64}\b
C. \b[a-fA-F0-9]{32}\b
D. [0-9a-f]{20}
3. Anchors:
Write a regex that matches only lines starting with ALERT.
4. Intermediate:
Which regex will correctly match both “color” and “colour”?
A. colou?r
B. colou*r
C. color|colour
D. col[ou]{0,1}r
5. Applied:
What does this command do?
grep -E -o '\d{1,3}(\.\d{1,3}){3}' access.log | sort | uniq -c | sort -nr | head
6. Quick Hit:
Which flag makes grep case-insensitive?
A. -c
B. -i
C. -n
D. -v
7. Danger Zone:
Why is .*admin.* considered dangerous in Splunk searches?
8. Regex Logic:
What does (foo|bar) match?
A. foo
B. bar
C. foobar
D. Both A and B
9. Hard:
Write a regex that matches ISO8601 timestamps like 2023-09-08T13:45:22Z.
10. IOC Hunt:
Which regex matches a Windows file path?
A. [A-Z]:\\[\w\\-]+
B. [A-Z]{1,2}:\/[^\/]+
C. \/Users\/.*
D. c:/\w+
11. Greedy vs Lazy:
On [error][critical], what’s the difference between:
\[.*\] and \[.*?\]
12. Intermediate:
Which regex flags suspicious file extensions like .exe, .bat, or .scr?
A. \.(exe|bat|scr)$
B. \.\w{3}$
C. .*\.bat
D. \.exe|\.bat|\.scr
13. Tool Use:
In Splunk, what’s the difference between | regex and | rex?
14. Concept:
What does \b mean in regex?
A. Backreference
B. Word boundary
C. Newline
D. Line break
15. Advanced:
Write a regex that matches valid IPv4 addresses (excluding 999.999.999.999).
16. Applied:
What does this command output?
grep -o 'ERROR' app.log | wc -l
17. IOC Check:
Which regex would catch email addresses?
A. \S+@\S+\.\S+
B. \w+@\w+\.\w{2,4}
C. [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}
D. All of the above
18. Suricata:
In this rule, what is the regex catching?
pcre:"/([a-z0-9-]+\.){1,}[a-z]{2,}/";
19. Intermediate:
What does this regex match?
[A-F0-9]{2}(:[A-F0-9]{2}){5}
A. IPv6 addresses
B. MAC addresses
C. SHA1 hashes
D. File permissions
20. Hard:
Write a regex that matches domains ending in .ru but not .com.
✅ Answers
1. C. Any single character except newline
2. B. \b[a-fA-F0-9]{64}\b
3. ^ALERT
4. A. colou?r
5. Extracts IPs, counts them, shows top 10 frequent IPs from logs
6. B. -i
7. It’s greedy and unanchored — matches too much, leads to false positives
8. D. Both A and B
9. \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z
10. A. [A-Z]:\\[\w\\-]+
11. Greedy \[.*\] captures everything; lazy \[.*?\] stops early
12. A. \.(exe|bat|scr)$
13. regex filters entire events; rex extracts fields
14. B. Word boundary
15. \b((25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\b
16. Number of times “ERROR” appears in app.log
17. D. All of the above
18. Fully qualified domain names like sub.example.com
19. B. MAC addresses
20. [a-zA-Z0-9\-]+\.(?!com)\bru$
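Added here as a self-check on the answer key (not part of the original post): a Python script that runs the Q5, Q9, Q11, Q15 and Q19 patterns over a few constructed log lines, so you can see the greedy/lazy difference, confirm the IPv4 pattern rejects 999.999.999.999, and notice that the Q19 MAC class is upper-case only. The sample lines, function names and the lowercase MAC are invented for the demo.

```python
import re
from collections import Counter

# Patterns copied verbatim from the answer key (Q9, Q11, Q15, Q19).
ISO8601 = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")
GREEDY = re.compile(r"\[.*\]")
LAZY = re.compile(r"\[.*?\]")
OCTET = r"(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)"
IPV4 = re.compile(rf"\b({OCTET}\.){{3}}{OCTET}\b")   # expands to the Q15 answer
MAC = re.compile(r"[A-F0-9]{2}(:[A-F0-9]{2}){5}")

# Constructed sample lines (hypothetical, not from any real system).
SAMPLE_LOG = (
    "2023-09-08T13:45:22Z [error][critical] src=10.0.0.5 dst=192.168.1.10 mac=00:1A:2B:3C:4D:5E\n"
    "2023-09-08T13:45:23Z [info] src=10.0.0.5 bogus=999.999.999.999\n"
    "2023-09-08T13:45:24Z [warn] src=172.16.254.1 mac=de:ad:be:ef:00:01\n"
)

def greedy_vs_lazy(line):
    """Q11: first match of the greedy and of the lazy bracket pattern."""
    g, l = GREEDY.search(line), LAZY.search(line)
    return (g.group(0) if g else None, l.group(0) if l else None)

def extract_ipv4(text):
    """Q15: every dotted quad the octet-checked, word-bounded pattern accepts."""
    return [m.group(0) for m in IPV4.finditer(text)]

def top_ips(text, n=10):
    """Q5 pipeline in Python: extract IPs, count them, most frequent first."""
    return Counter(extract_ipv4(text)).most_common(n)

def extract_macs(text, ignore_case=False):
    """Q19: the answer-key class is upper-case only; lowercase MACs need re.I."""
    flags = re.IGNORECASE if ignore_case else 0
    return [m.group(0) for m in re.finditer(MAC.pattern, text, flags)]

def count_timestamps(text):
    """Q9: number of ISO8601 'Z' timestamps in the text."""
    return len(ISO8601.findall(text))

if __name__ == "__main__":
    first = SAMPLE_LOG.splitlines()[0]
    print("greedy/lazy:", greedy_vs_lazy(first))
    print("ipv4:", extract_ipv4(SAMPLE_LOG))
    print("top:", top_ips(SAMPLE_LOG))
    print("macs:", extract_macs(SAMPLE_LOG), extract_macs(SAMPLE_LOG, ignore_case=True))
    print("timestamps:", count_timestamps(SAMPLE_LOG))
```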
📘 Final Thoughts
If you made it through all 20, congrats — this was no beginner test. Use these drills to stay sharp, build regex intuition, and write faster detections under pressure. You’ve got this.
Published: September 8, 2025