Hadoop DemonBot detection

security

#1

Below you’ll find a bundle that will detect the Hadoop DemonBot. The bundle contains:

  1. A trigger for the detections. You can customize this to your environment (see the comments).
  2. A record format.
  3. A dashboard.
  4. An alert.
  5. A dynamic group definition, based on the “Hadoop” tag.

Once you install the bundle, go to your YARN servers and tag them with the case-sensitive tag named “Hadoop” and the rest will work automatically.

In the records you’ll see the first 1024 bytes of the commands that were issued against your YARN servers (if the detection gets a match).HadoopDemonBot.json (23.9 KB)


#4

Thanks for sharing this information with us. Excellent sharing!