KQL Query for non alphanumeric character sets

I've been checking manually for Brute Force attempts and I've noticed 99% of them come from attacks using Cyrillic character sets.

I've been trying to find the right query to setup an alert when we find non alphanumeric characters being used like cyrillic.

I've been trying to filter using event.type:"authentication_failure" and NOT [a-z]

@Bargs interesting question. Can we please get some help?


KQL doesn't support regular expressions but Lucene does, so you might be able to use it to do what you need.


Thanks @Bargs

Is there an example like using AND user.name NOT [a-z]

The nitty gritty of Unicode is a bit out of my wheelhouse but I did a little searching. While some regex engines support "Unicode scripts" which allow matching on characters from particular languages, it seems Elasticsearch's regex implementation does not support these. You may want to create an enhancement request on Elasticsearch's github repo. I can't think of any other good way to match on certain character sets at query time.

It might be easier to flag documents containing certain characters at index time.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.