I've been checking manually for Brute Force attempts and I've noticed 99% of them come from attacks using Cyrillic character sets.
I've been trying to find the right query to setup an alert when we find non alphanumeric characters being used like cyrillic.
I've been trying to filter using event.type:"authentication_failure" and NOT [a-z]
KQL doesn't support regular expressions but Lucene does, so you might be able to use it to do what you need.
The nitty gritty of Unicode is a bit out of my wheelhouse but I did a little searching. While some regex engines support "Unicode scripts" which allow matching on characters from particular languages, it seems Elasticsearch's regex implementation does not support these. You may want to create an enhancement request on Elasticsearch's github repo. I can't think of any other good way to match on certain character sets at query time.
It might be easier to flag documents containing certain characters at index time.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.