Ridgeline Skill

For SOC Analysts, IR Practitioners, and Security Engineers

Log Analysis with Regex

Focused skills. One capability. Production-ready.

Write regular expression patterns that extract IPs, timestamps, usernames, URLs, and error codes from any log format. Grep, sed, awk, and PowerShell regex — the universal parser for every log source you will encounter.

Text-based · Persistent labs on your own hardware · 2 free modules available now · Content last updated: May 2026

What you'll deploy
Regex patterns for Windows, Linux, and network log parsing
Multi-format log normalization techniques
Extraction patterns for security-relevant fields

Sections

RX0.1
Regex Fundamentals for Security — Character classes, quantifiers, anchors, groups, and alternation. The 10 patterns every analyst needs: IP addresses, email addresses, URLs, timestamps, hex strings, Base64, Windows paths, registry paths, UUIDs, and hashes. Testing with regex101.com.
RX0.2
grep Patterns for Log Hunting — grep, egrep, and grep -P (Perl regex). Recursive search, context lines, invert match, count, and file listing. 15 security-specific grep patterns: finding IPs in logs, extracting failed logins, hunting for Base64 blobs, filtering by time ranges.
RX0.3
sed and awk for Log Transformation — sed for search-and-replace, field extraction, and log normalization. awk for column-based processing, aggregation, and report generation. Practical workflows: normalizing timestamps across log sources, extracting fields from unstructured logs, and building frequency tables.
RX0.4
PowerShell Regex for Windows Logs — Select-String, -match, -replace, and [regex]::Matches(). Named capture groups. Parsing Windows Security events, PowerShell ScriptBlock logs, and Defender alerts. Building log parsing functions.
RX0.5
Parsing Real-World Log Formats — Complete parsing recipes for 6 log formats: Apache/Nginx access logs, Windows Security XML events, syslog (RFC 5424), Palo Alto firewall logs, AWS CloudTrail JSON, and Squid proxy logs. Each with a regex pattern, field extraction, and an IOC-hunting one-liner.
Lab
Guided Lab: Parse the INC-2026-0501 Log Bundle — You receive a bundle of mixed-format logs from the NE incident: Windows Security events (XML), Palo Alto firewall logs (CSV), proxy logs, and DNS query logs. Extract all IPs that communicated with the C2 server, build a timeline of authentication events, and produce a consolidated IOC list — all using regex.