NormShield Cloud produces over 60 alarm types when used with a full license, including SOC Radar and Cyber Threat Intelligence. These alarms can be integrated with a local SIEM through the SIEM Integration API. NormShield also provides NSSIEM, a Windows standalone console middleware application that sits between NormShield Cloud and your local SIEM tool.
To get NSSIEM you must have a NormShield Cloud account; a SIEM API Token will be generated for you in Admin->Settings (General Settings) under Company Token.
A download link for the NSSIEM Windows standalone console application is also provided next to the API token. A minimum of .NET 4.5 should be installed on the target machine.
Extract the downloaded file and type "NSSiem.exe -h" for help notes.
To get new alarms/vulnerabilities from Cloud and send them to your SIEM, the configuration should be completed. The NSSiem.exe.config file is there for this purpose. Open the file in your favorite text editor and follow the directions/comments to fill in the values, including the SIEM API Token you get from Cloud. Here's a simple example configuration;
Once you are sure about the configuration, type NSSiem.exe -t to send test vulnerabilities and alarms to your SIEM and check whether they are being sent.
When everything is OK, schedule the NSSiem.exe executable to run every 1 or 2 minutes. Two dat files will be created under the installation directory: lastsyslogalarmanchorid.dat (previously lastsyslogalarmanchordate.dat) and lastsyslogvulnerabilityanchorid.dat (previously lastsyslogvulnerabilityanchordate.dat). These files keep track of the last run dates of NSSiem.exe, so that each run fetches only recent alarms and vulnerabilities from Cloud, not the old ones.
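
One way to do the scheduling step with Windows Task Scheduler, as an added example (not NormShield's own script). The install path `C:\NSSIEM`, the task name `NSSIEM-Sync` and the `LOCAL SERVICE` run-as account are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example. Assumptions: install path, task name and run-as account.
$InstallDir = 'C:\NSSIEM'                      # assumed extraction folder
$TaskName   = 'NSSIEM-Sync'                    # hypothetical task name
$RunAs      = 'NT AUTHORITY\LOCAL SERVICE'     # assumed low-privilege account
$Exe        = Join-Path $InstallDir 'NSSiem.exe'

if (-not (Test-Path $Exe)) { throw "NSSiem.exe not found in $InstallDir" }

# The account must be able to write the two anchor .dat files in the install dir.
icacls $InstallDir /grant "${RunAs}:(OI)(CI)M" | Out-Null

# Start in the install directory so the .config and .dat files are found there.
$action  = New-ScheduledTaskAction -Execute $Exe -WorkingDirectory $InstallDir
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
    -RepetitionInterval (New-TimeSpan -Minutes 2) `
    -RepetitionDuration (New-TimeSpan -Days 3650)
# Skip a run if the previous one is still going; stop a hung run after 5 minutes.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -StartWhenAvailable
$principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType ServiceAccount

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force | Out-Null

# Health check: last task result plus the state of the two anchor files.
function Get-NssiemSyncStatus {
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    $anchors = 'lastsyslogalarmanchorid.dat', 'lastsyslogvulnerabilityanchorid.dat'
    foreach ($name in $anchors) {
        $file = Get-Item (Join-Path $InstallDir $name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            AnchorFile     = $name
            Exists         = [bool]$file
            LastWritten    = if ($file) { $file.LastWriteTime } else { $null }
            LastTaskRun    = $info.LastRunTime
            LastTaskResult = $info.LastTaskResult   # 0 = process exit code 0
        }
    }
}
Get-NssiemSyncStatus | Format-Table -AutoSize
```

Because NSSiem.exe.config holds the SIEM API Token, limit read access on that file to administrators and the account the task runs as.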