NCC Group DDoS Secure

The IBM® QRadar® DSM for NCC Group DDoS Secure collects events from NCC Group DDoS Secure devices.

The following table describes the specifications for the NCC Group DDoS Secure DSM:
Table 1. NCC Group DDoS Secure DSM specifications

Specification               | Value
----------------------------|-------------------------------------------------------------
Manufacturer                | NCC Group
DSM name                    | NCC Group DDoS Secure
RPM file name               | DSM-NCCGroupDDoSSecure-QRadar_version-build_number.noarch.rpm
Supported versions          | 5.13.1-2s to 5.16.1-0
Protocol                    | Syslog
Event format                | LEEF
Recorded event types        | All events
Automatically discovered?   | Yes
Includes identity?          | No
Includes custom properties? | No
More information            | NCC Group website (https://www.nccgroup.trust/uk/)

To integrate NCC Group DDoS Secure with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console:
    • DSMCommon RPM
    • NCC Group DDoS Secure DSM RPM
  2. Configure your NCC Group DDoS Secure device to send syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add an NCC Group DDoS Secure log source on the QRadar Console. The following table describes the parameters that require specific values to collect events from NCC Group DDoS Secure:

     Table 2. NCC Group DDoS Secure log source parameters

     Parameter              | Value
     -----------------------|----------------------
     Log Source type        | NCC Group DDoS Secure
     Protocol Configuration | Syslog

  4. To verify that QRadar is configured correctly, compare the events it receives with the following sample event message from NCC Group DDoS Secure and the event name and low-level category it normalizes to.
     Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

     Table 3. NCC Group DDoS Secure sample message

     Event name                   | Low level category
     -----------------------------|-------------------
     TCP Attack - Port Scan - END | Host Port Scan

     Sample log message:
     <134>LEEF:1.0|NCCGroup|DDoS Secure|5.16.2-1|4078|desc=TCP Attack - Port Scan    sev=4    myip=<IP_address>    proto=TCP    scrPort=0    dstPort=0    src=<Source_IP_address>    dst=<Destination_IP_address>    cat=END    devTime=2017-06-05 11:26:00    devTimeFormat=yyyy-MM-dd HH:mm:ss    end=2017-06-05 11:34:33    CurrentPps=0    PeakPps=14    totalPackets=243    realm=<Domain>    action=DROP
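As an added example (not part of the IBM documentation or the QRadar DSM), the following Python parser applies the carriage-return and line-feed clean-up from the Important note and splits the Table 3 message into its syslog PRI, LEEF 1.0 header and key=value attributes, so you can check offline that a captured event carries the fields the DSM expects. The sample addresses and realm are constructed placeholders, and the fallback that splits on runs of spaces is an assumption for copies in which the tab delimiters were collapsed.

```python
import re
from typing import Dict, Tuple

# Constructed sample, modelled on the Table 3 message above: the <...> placeholders are
# replaced with documentation addresses (RFC 5737) and an example realm, the attributes
# are tab-delimited as LEEF 1.0 specifies, and CR/LF breaks of the kind the Important
# note tells you to remove are deliberately left in.
SAMPLE = (
    "<134>LEEF:1.0|NCCGroup|DDoS Secure|5.16.2-1|4078|"
    "desc=TCP Attack - Port Scan\tsev=4\tmyip=192.0.2.10\tproto=TCP\tscrPort=0\tdstPort=0\r\n"
    "\tsrc=198.51.100.7\tdst=192.0.2.10\tcat=END\tdevTime=2017-06-05 11:26:00\r\n"
    "\tdevTimeFormat=yyyy-MM-dd HH:mm:ss\tend=2017-06-05 11:34:33\tCurrentPps=0\tPeakPps=14\r\n"
    "\ttotalPackets=243\trealm=example.com\taction=DROP\r\n"
)

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_leef(raw: str) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Split a syslog-wrapped LEEF 1.0 line into (header, attributes)."""
    msg = raw.replace("\r", "").replace("\n", "")  # the Important note's clean-up
    header: Dict[str, object] = {}
    m = PRI_RE.match(msg)
    if m:  # syslog PRI: <134> is facility 16 (local0), severity 6 (informational)
        header["facility"], header["severity"] = divmod(int(m.group(1)), 8)
        msg = msg[m.end():]
    # LEEF:Version|Vendor|Product|Version|EventID|attributes
    parts = msg.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 message")
    header.update(leef_version=parts[0][5:], vendor=parts[1], product=parts[2],
                  product_version=parts[3], event_id=parts[4])
    body = parts[5]
    # Assumption: attributes are tab-delimited; if a pasted copy has lost its tabs
    # (as the rendered Table 3 message has), fall back to runs of two or more spaces.
    fields = body.split("\t") if "\t" in body else re.split(r" {2,}", body)
    attrs: Dict[str, str] = {}
    for field in fields:
        key, sep, value = field.strip().partition("=")
        if sep:
            attrs[key] = value
    return header, attrs


def event_name(attrs: Dict[str, str]) -> str:
    """Table 3 lists the event as desc plus cat ("TCP Attack - Port Scan - END")."""
    return f"{attrs['desc']} - {attrs['cat']}"


if __name__ == "__main__":
    hdr, attrs = parse_leef(SAMPLE)
    print(hdr["vendor"], hdr["product"], hdr["event_id"], event_name(attrs), attrs["action"])
```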