thor-lens
THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).
Best use case
thor-lens is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).
Teams using thor-lens should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/thor-lens/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How thor-lens Compares
| Feature / Agent | thor-lens | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# THOR Lens Skill THOR Lens is a forensic timeline viewer that transforms THOR v11 audit trail files into an interactive exploration interface. **Critical Boundary**: - THOR Lens is a **web UI application** - users interact in the browser - The CLI handles **build**, **import**, and **serve** - not scanning - THOR Lens **does not scan** - it visualizes data from THOR scans - Requires **THOR v11** audit trail output (v10 does not produce this format) - **Not compatible with THOR Lite** - Lite cannot generate audit trail output ## Quickstart ```bash # 1. Clone and build git clone https://github.com/NextronSystems/thor-lens.git cd thor-lens make build # 2. Import an audit trail ./thorlens import --log /path/to/audit.jsonl --case mycase # 3. Serve and open browser ./thorlens serve --case ./cases/mycase --port 8080 # Open http://127.0.0.1:8080 ``` ## When to Use THOR Lens - Investigating timelines from THOR v11 scans - Correlating events across time ranges - Exploring high-score detections and their context - Annotating findings with tags, comments, bookmarks - MCP integration with Claude Code for AI-assisted analysis ## References - [Quickstart](reference/quickstart.md) - Get running in 5 minutes - [Build & Prerequisites](reference/build-and-prereqs.md) - Go, Node.js, make requirements - [Import & Cases](reference/import-and-cases.md) - Importing audit trails, case structure - [Serve & UI](reference/serve-and-ui.md) - Web server, UI features, keyboard shortcuts - [MCP Integration](reference/mcp-integration.md) - Claude Code setup, MCP tools - [Audit Trail Generation](reference/audit-trail-generation.md) - THOR v11 commands for audit trail ## Troubleshooting - [Common Issues](troubleshooting/common-issues.md) - Build, import, serve problems - [Empty UI](troubleshooting/empty-ui.md) - Why the timeline shows nothing - [MCP Issues](troubleshooting/mcp-issues.md) - Connection and configuration problems ## Examples - [End-to-End Local](examples/end-to-end-local.md) - Full workflow on local machine - [Case from Mounted Image](examples/case-from-mounted-image.md) - Forensic image workflow - [Case from SSHFS](examples/case-from-sshfs.md) - Remote system via SSH mount ## Helper Scripts - [scripts/validate_audit_trail.sh](scripts/validate_audit_trail.sh) - Check audit trail file validity - [scripts/case_inventory.sh](scripts/case_inventory.sh) - List case contents and stats ## Key Facts | Item | Value | |------|-------| | Upstream repo | https://github.com/NextronSystems/thor-lens | | Default port | 8080 | | Case storage | `./cases/<name>/` | | Input format | JSONL (`.jsonl` or `.jsonl.gz`) | | MCP stdio | `./thorlens serve --case <path> --mcp-stdio` | | MCP HTTP | `http://localhost:8080/mcp` (default) | ## Workflow Rules 1. Always verify audit trail was generated with THOR v11 before importing 2. Use `--virtual-map` and `-j` during THOR scans to preserve path/hostname context 3. MCP stdio mode is recommended for Claude Code integration 4. Never expose MCP HTTP endpoint publicly (no authentication) 5. If user has THOR Lite, explain that Lens is not an option - Lite lacks audit trail capability. See [THOR Lite limitations](../thor-lite/reference/limitations.md).
Related Skills
thor-troubleshooting
Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.
thor-scan
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
thor-plugins
Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.
thor-maintenance
Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation.
thor-log-analysis
Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.
THOR Lite Skill
THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds.
thor-db
Analyze THOR's SQLite database (thor10.db/thor11.db) for performance tuning, scan timing, resume state, and delta comparisons. Use when investigating slow scans, debugging performance, or understanding what THOR tracked.
thor-skills
Entry point and router for THOR-related work: running scans, analyzing THOR logs, troubleshooting THOR behavior, maintaining THOR installs, THOR Lens workflows, writing THOR plugins (v11+), and creating custom signatures/IOCs.
custom-signatures
Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.
cairo-contract-authoring
Guides Cairo smart-contract authoring on Starknet with language fundamentals, safe structure choices, component composition, and implementation workflow references.
aod-lens
Routes to 14 structured thinking methodologies (lenses) for systematic analysis. Use this skill when you need to think through problems, apply thinking lenses, reason through decisions, or perform systematic analysis. Auto-selects appropriate lens based on context - 5 Whys for failures, Pre-Mortem for risks, First Principles for assumptions, Systems Thinking for architecture, Four Causes for understanding, Cargo Cult Detection for validation, Golden Mean for calibration.
testing-api-for-broken-object-level-authorization
测试REST和GraphQL API中的越权对象访问(BOLA/IDOR)漏洞,即已认证用户通过操纵API请求中的对象标识符 来访问或修改属于其他用户的资源。测试人员拦截API调用,识别对象ID参数(数字ID、UUID、slug), 并系统性地替换为其他用户的ID,以确定服务器是否执行了对象级授权。 对应OWASP API安全Top 10 2023 API1(越权对象访问)。