thor-log-analysis

Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.

9 stars

Best use case

thor-log-analysis is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.

Teams using thor-log-analysis should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/thor-log-analysis/SKILL.md --create-dirs "https://raw.githubusercontent.com/Nextron-Labs/thor-skill/main/thor-log-analysis/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/thor-log-analysis/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How thor-log-analysis Compares

Feature / Agentthor-log-analysisStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# THOR Log Analysis Skill

Goal: turn raw THOR output into an investigation plan.

## Analysis Approach

THOR performs live forensic analysis and highlights suspicious elements using signatures. The analyst's job is to evaluate these findings using additional data sources and context.

### Triage Priority

1. **Alerts first** (score 81+) - High-confidence malicious findings
2. **Warnings second** (score 60-80) - Medium-confidence suspicious activity
3. **High-signal Notices** (score 40-59) - YARA matches, known-bad hashes
4. **Low-signal Notices** - Anomaly scores, generic patterns

### Key Principle: High Quantity Reduces Relevance

In contrast to firewall logs, a high number of a particular THOR finding **decreases** its relevance:
- If detected on 100+ endpoints → likely false positive
- If detected on 1-30 endpoints → more likely significant
- Exceptions: confirmed malware campaigns targeting many systems

### Analysis Methods

Two recommended approaches (often combined):

1. **Sort by score (descending)** - Process top-scoring events down to score 80
2. **Analyze by module** - Then switch to module-based analysis with relevant columns

Example workflow:
1. Filter to Alerts and Warnings
2. Process top scores first
3. Group by module (FileScan, ProcessCheck, etc.)
4. Select characteristic fields per module (e.g., FILE + MAIN_REASON for FileScan)

## Rules

- Group by detection type/module (YARA, Sigma, IOC, Anomaly) and by file/path
- For each relevant finding: explain what it is, why it triggered, and what to verify next
- Be explicit when something is likely benign (common false positives)
- Use external tools (VirusTotal, Valhalla, Hybrid Analysis) to verify findings

## References

- [Scoring and Priorities](reference/scoring-and-priorities.md) - Score levels, triage order
- [Common False Positives](reference/common-fps.md) - Known FP patterns by module
- [Module Notes](reference/module-notes.md) - Understanding each THOR module
- [Attribute Evaluation](reference/attribute-evaluation.md) - How to assess finding attributes
- [Analysis Tools](reference/analysis-tools.md) - External tools for verification

## Helper Script

If user provides a log file path, run `scripts/summarize_thor_log.py` to extract a compact summary.

## Output Format

- **Summary** (5-15 lines): What's going on, what stands out
- **Findings table**: Score, type/module, target, why it matters
- **Next steps**: 3-7 concrete follow-ups

## Quick Assessment Questions

For each finding, ask:

1. Is the file digitally signed by a trusted vendor?
2. Is it in an expected location for that software?
3. Does the user's role justify having this tool?
4. Does VirusTotal show low/zero detections?
5. Has this file been in place for a long time unchanged?

If YES to most → Likely FP, document and filter.
If NO to most → Treat as suspicious, investigate further.

Related Skills

thor-troubleshooting

9
from Nextron-Labs/thor-skill

Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.

thor-scan

9
from Nextron-Labs/thor-skill

Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.

thor-plugins

9
from Nextron-Labs/thor-skill

Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.

thor-maintenance

9
from Nextron-Labs/thor-skill

Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation.

THOR Lite Skill

9
from Nextron-Labs/thor-skill

THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds.

thor-lens

9
from Nextron-Labs/thor-skill

THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).

thor-db

9
from Nextron-Labs/thor-skill

Analyze THOR's SQLite database (thor10.db/thor11.db) for performance tuning, scan timing, resume state, and delta comparisons. Use when investigating slow scans, debugging performance, or understanding what THOR tracked.

thor-skills

9
from Nextron-Labs/thor-skill

Entry point and router for THOR-related work: running scans, analyzing THOR logs, troubleshooting THOR behavior, maintaining THOR installs, THOR Lens workflows, writing THOR plugins (v11+), and creating custom signatures/IOCs.

custom-signatures

9
from Nextron-Labs/thor-skill

Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.

cairo-contract-authoring

9
from cartridge-gg/nums

Guides Cairo smart-contract authoring on Starknet with language fundamentals, safe structure choices, component composition, and implementation workflow references.

mdanalysis

9
from tondevrel/scientific-agent-skills

Comprehensive guide for MDAnalysis - the Python library for analyzing molecular dynamics trajectories. Use for trajectory loading, RMSD/RMSF calculations, distance/angle/dihedral analysis, atom selections, hydrogen bonds, solvent accessible surface area, protein structure analysis, membrane analysis, and integration with Biopython. Essential for MD simulation analysis.

tachi-control-analysis

9
from davidmatousek/tachi

Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.