Skip to content

Commit f8ef9d7

Browse files
nextron_thor_apt_scanner: integration quality improvements - phase-2 (#19880)
nextron_thor_apt_scanner: improve overview dashboard and THOR Cloud documentation Rebuild the [Nextron Thor] Overview dashboard and revise integration docs so analysts can triage THOR Cloud findings accurately and new users can deploy the integration without gaps. Dashboard and UX: - Rebuild the overview dashboard with severity-based KPIs, findings timeline, and top modules, hosts, and rules/signatures - Add dashboard controls for scan ID, hostname, severity, and module - Add a default Discover saved search for finding triage with log.level, event.module, message, and thor.reasons.name columns - Update the dashboard screenshot and exclude SVR00004 in validation.yml Documentation: - Rewrite the integration overview for THOR Cloud (platforms, data flow, API compatibility, and THOR Cloud Launcher prerequisites) - Document that encrypted scan reports are not ingested and how to verify collection in Setup
1 parent 2c7d7ec commit f8ef9d7

10 files changed

Lines changed: 1018 additions & 512 deletions
Lines changed: 64 additions & 68 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
1-
# Nextron Thor APT Scanner
1+
# Nextron THOR Cloud
22

3-
[Nextron Thor APT Scanner](https://www.nextron-systems.com/thor/) is a powerful threat hunting and incident response tool that provides comprehensive scanning capabilities for detecting advanced persistent threats (APTs), malware, and security vulnerabilities across Windows systems. The Nextron Thor APT Scanner integration enables you to consume and analyze Thor Cloud scan results within Elastic Security, providing centralized visibility into threat detection findings and facilitating automated incident response workflows.
3+
[Nextron THOR Cloud](https://www.nextron-systems.com/thor-cloud/) is a cloud-based compromise assessment platform that runs the THOR forensic scanner on endpoints through the THOR Cloud Launcher. This integration polls the THOR Cloud API and ingests scan findings into Elastic Security for centralized threat hunting and incident response.
44

55
## Agentless Enabled Integration
66

@@ -9,94 +9,90 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud
99

1010
## Data streams
1111

12-
The Nextron Thor APT Scanner integration collects one type of data:
12+
The Nextron THOR Cloud integration collects one type of data:
1313

14-
- **Thor Forwarding** - Scan results and findings from Thor Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during system scans.
14+
- **Thor Forwarding** Scan results and findings from the THOR Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during endpoint scans.
1515

1616
## Requirements
1717

18-
This integration supports Agentless and Elastic Agent-based data collection.
19-
20-
### Elastic Agent
21-
22-
For agent-based collection, install Elastic Agent using the [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
23-
24-
The minimum **kibana.version** required is **9.2.0**.
18+
### THOR Cloud
2519

26-
This integration has been tested against the **Nextron Thor Cloud API**.
20+
- A [THOR Cloud](https://www.nextron-systems.com/thor-cloud/) or [THOR Cloud Lite](https://www.nextron-systems.com/thor-cloud/) account with API access.
21+
- **THOR Cloud Launcher** deployed on at least one endpoint and at least one completed scan before data appears in Elastic.
22+
- Scan reports must be **unencrypted** (`logs_encrypted` must be `false`). This integration does not ingest encrypted THOR reports.
23+
- Scans must include `thor.json` in `available_logs`.
24+
- Supported endpoint platforms: **Windows**, **Linux**, and **macOS**.
2725

28-
## Setup
29-
30-
### Get the Thor Cloud API URL
31-
32-
1. Access your Nextron Thor Cloud dashboard.
33-
2. Navigate to the API settings section.
34-
3. Copy the **API Endpoint URL** (default: `https://thor-cloud.nextron-services.com/api`).
26+
### Compatibility
3527

36-
### Get the API Key
28+
This integration has been tested with:
3729

38-
1. In the Thor Cloud dashboard, navigate to **General Settings** > **API Key**.
39-
2. Click **Generate**.
40-
4. Copy the generated API key. You won't be able to copy it after this stage.
30+
| Component | Minimum tested version |
31+
| --- | --- |
32+
| THOR Cloud API | v1 (`https://thor-cloud.nextron-services.com/ui/api-documentation`) |
33+
| THOR scanner | 10.7.x |
34+
| THOR JSON log format | v2 (`log_version: v2.0.0`) |
4135

42-
### Enable the integration in Elastic
36+
THOR Cloud Lite is supported when scans produce unencrypted `thor.json` logs through the same API.
4337

44-
1. In Kibana navigate to **Management** > **Integrations**.
45-
2. In the search top bar, type **Nextron Thor APT Scanner**.
46-
3. Select the **Nextron Thor APT Scanner** integration and add it.
47-
4. Configure the required integration parameters:
48-
- **API URL**: The Thor Cloud API endpoint URL
49-
- **API Key**: Your Thor Cloud API key
50-
- **Initial Interval**: How far back to pull scan logs (default: 24h)
51-
- **Interval**: Duration between API requests (default: 5m)
52-
5. Save the integration.
38+
### Elastic Stack
5339

54-
**Note:**
55-
- Scan data is fetched based on the configured initial interval and polling frequency.
56-
- The integration supports batch processing with configurable batch sizes for optimal performance.
57-
58-
## How do I deploy this integration?
59-
60-
### Agent-based deployment
61-
62-
Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
63-
64-
Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
40+
This integration supports Agentless and Elastic Agent-based data collection.
6541

66-
### Onboard / configure
42+
For agent-based collection, install Elastic Agent using the [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
6743

68-
To completely set up the Nextron Thor APT Scanner integration:
44+
## How it works
6945

70-
1. **Prepare Thor Cloud Access**
71-
- Log into your Nextron Thor Cloud dashboard
72-
- Generate an API key from General Settings > API Key
73-
- Note your API endpoint URL
46+
Data flows from endpoints to Elastic as follows:
7447

75-
2. **Install Elastic Agent**
76-
- Follow the [Elastic Agent installation guide](docs-content://reference/fleet/install-elastic-agents.md)
77-
- Ensure the agent is properly enrolled in Fleet
48+
1. **Endpoint** — THOR Cloud Launcher runs a THOR scan on the endpoint.
49+
2. **THOR Cloud** — Scan results and `thor.json` logs are uploaded and stored.
50+
3. **THOR Cloud API** — The integration polls `/v1/scan/search` and `/v1/scan/log` for new scans.
51+
4. **Elastic Agent (CEL input)** — Retrieves logs over HTTPS and ships raw events.
52+
5. **Elasticsearch data stream** — The `nextron_thor_apt_scanner.thor_forwarding` ingest pipeline normalizes events to ECS.
7853

79-
3. **Add the Integration**
80-
- Navigate to Kibana > Management > Integrations
81-
- Search for "Nextron Thor APT Scanner"
82-
- Click "Add Nextron Thor APT Scanner"
54+
The integration uses a CEL input to poll the THOR Cloud REST API. It does not require syslog or log file receivers on the Elastic Agent host.
8355

84-
4. **Configure Integration Settings**
85-
- Enter your Thor Cloud API URL
86-
- Provide your API key
87-
- Set initial interval (recommended: 24h for first run)
88-
- Configure polling interval (recommended: 5m)
89-
- Adjust batch size if needed (default: 100)
56+
## Setup
9057

91-
5. **Deploy Configuration**
92-
- Review all settings
93-
- Save and deploy the integration
94-
- Monitor the agent logs for successful connection
58+
### Step 1: Prepare THOR Cloud
59+
60+
1. Log into your [THOR Cloud dashboard](https://thor-cloud.nextron-services.com/).
61+
2. Deploy the **THOR Cloud Launcher** on at least one endpoint (Windows, Linux, or macOS).
62+
3. Run a scan and confirm it completes successfully.
63+
4. In the THOR Cloud dashboard, verify the scan report is **not encrypted** and that `thor.json` is listed in the scan's available logs.
64+
5. Navigate to **General Settings****API Key**, click **Generate**, and copy the API key. You will not be able to copy it after this step.
65+
6. Note the **API Endpoint URL** (default: `https://thor-cloud.nextron-services.com/api`).
66+
67+
### Step 2: Add the integration in Elastic
68+
69+
1. In Kibana, navigate to **Management****Integrations**.
70+
2. Search for **Nextron THOR Cloud** and add the integration.
71+
3. Configure the required parameters:
72+
- **API URL**: THOR Cloud API endpoint URL from Step 1
73+
- **API Key**: API key from Step 1
74+
- **Initial Interval**: How far back to pull scan logs on first run (default: `24h`)
75+
- **Interval**: Duration between API requests (default: `5m`)
76+
4. Save and deploy the integration.
77+
78+
### Step 3: Verify data collection
79+
80+
1. In **Discover**, open the `logs-*` data view.
81+
2. Filter documents by `data_stream.dataset : "nextron_thor_apt_scanner.thor_forwarding"`.
82+
3. Confirm events from your completed scan appear within the configured polling interval.
83+
4. If no data appears, check the following:
84+
- The scan completed with status `successful` or `failed` in THOR Cloud.
85+
- **`logs_encrypted` is `false`** for the scan. Encrypted reports are skipped by this integration and will not produce events in Elastic.
86+
- `thor.json` is listed in `available_logs` for the scan.
87+
- The API key is valid and the **Initial Interval** covers the scan completion time.
9588

89+
**Note:**
90+
- Scan data is fetched incrementally based on `last_launcher_update` and the configured initial interval.
91+
- The integration supports batch processing with configurable batch sizes for optimal performance.
9692

9793
## Exported fields
9894
{{fields "thor_forwarding"}}
9995

10096
## Example Event
10197

102-
{{event "thor_forwarding"}}
98+
{{event "thor_forwarding"}}

packages/nextron_thor/changelog.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,12 @@
11
# newer versions go on top
2+
- version: "0.5.0"
3+
changes:
4+
- description: Revise the integration overview for THOR Cloud accuracy, and document the encrypted report limitation.
5+
type: enhancement
6+
link: https://github.com/elastic/integrations/pull/19880
7+
- description: Improve the overview dashboard for accuracy, coverage, and control.
8+
type: enhancement
9+
link: https://github.com/elastic/integrations/pull/19880
210
- version: "0.4.0"
311
changes:
412
- description: Fix CEL cursor advancement when scans produce no events, improve deduplication and file path parsing, handle AtJobs multi-value start timestamps, and terminate processing on API error responses.

packages/nextron_thor/data_stream/thor_forwarding/manifest.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -90,7 +90,7 @@ streams:
9090
required: true
9191
show_user: false
9292
title: Preserve duplicate custom fields
93-
description: Preserve thor.* fields that were copied to Elastic Common Schema (ECS) fields.
93+
description: Preserve `thor.*` fields that were copied to Elastic Common Schema (ECS) fields.
9494
type: bool
9595
multi: false
9696
default: false

packages/nextron_thor/docs/README.md

Lines changed: 64 additions & 68 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
1-
# Nextron Thor APT Scanner
1+
# Nextron THOR Cloud
22

3-
[Nextron Thor APT Scanner](https://www.nextron-systems.com/thor/) is a powerful threat hunting and incident response tool that provides comprehensive scanning capabilities for detecting advanced persistent threats (APTs), malware, and security vulnerabilities across Windows systems. The Nextron Thor APT Scanner integration enables you to consume and analyze Thor Cloud scan results within Elastic Security, providing centralized visibility into threat detection findings and facilitating automated incident response workflows.
3+
[Nextron THOR Cloud](https://www.nextron-systems.com/thor-cloud/) is a cloud-based compromise assessment platform that runs the THOR forensic scanner on endpoints through the THOR Cloud Launcher. This integration polls the THOR Cloud API and ingests scan findings into Elastic Security for centralized threat hunting and incident response.
44

55
## Agentless Enabled Integration
66

@@ -9,90 +9,86 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud
99

1010
## Data streams
1111

12-
The Nextron Thor APT Scanner integration collects one type of data:
12+
The Nextron THOR Cloud integration collects one type of data:
1313

14-
- **Thor Forwarding** - Scan results and findings from Thor Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during system scans.
14+
- **Thor Forwarding** Scan results and findings from the THOR Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during endpoint scans.
1515

1616
## Requirements
1717

18-
This integration supports Agentless and Elastic Agent-based data collection.
19-
20-
### Elastic Agent
21-
22-
For agent-based collection, install Elastic Agent using the [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
23-
24-
The minimum **kibana.version** required is **9.2.0**.
18+
### THOR Cloud
2519

26-
This integration has been tested against the **Nextron Thor Cloud API**.
20+
- A [THOR Cloud](https://www.nextron-systems.com/thor-cloud/) or [THOR Cloud Lite](https://www.nextron-systems.com/thor-cloud/) account with API access.
21+
- **THOR Cloud Launcher** deployed on at least one endpoint and at least one completed scan before data appears in Elastic.
22+
- Scan reports must be **unencrypted** (`logs_encrypted` must be `false`). This integration does not ingest encrypted THOR reports.
23+
- Scans must include `thor.json` in `available_logs`.
24+
- Supported endpoint platforms: **Windows**, **Linux**, and **macOS**.
2725

28-
## Setup
29-
30-
### Get the Thor Cloud API URL
31-
32-
1. Access your Nextron Thor Cloud dashboard.
33-
2. Navigate to the API settings section.
34-
3. Copy the **API Endpoint URL** (default: `https://thor-cloud.nextron-services.com/api`).
26+
### Compatibility
3527

36-
### Get the API Key
28+
This integration has been tested with:
3729

38-
1. In the Thor Cloud dashboard, navigate to **General Settings** > **API Key**.
39-
2. Click **Generate**.
40-
4. Copy the generated API key. You won't be able to copy it after this stage.
30+
| Component | Minimum tested version |
31+
| --- | --- |
32+
| THOR Cloud API | v1 (`https://thor-cloud.nextron-services.com/ui/api-documentation`) |
33+
| THOR scanner | 10.7.x |
34+
| THOR JSON log format | v2 (`log_version: v2.0.0`) |
4135

42-
### Enable the integration in Elastic
36+
THOR Cloud Lite is supported when scans produce unencrypted `thor.json` logs through the same API.
4337

44-
1. In Kibana navigate to **Management** > **Integrations**.
45-
2. In the search top bar, type **Nextron Thor APT Scanner**.
46-
3. Select the **Nextron Thor APT Scanner** integration and add it.
47-
4. Configure the required integration parameters:
48-
- **API URL**: The Thor Cloud API endpoint URL
49-
- **API Key**: Your Thor Cloud API key
50-
- **Initial Interval**: How far back to pull scan logs (default: 24h)
51-
- **Interval**: Duration between API requests (default: 5m)
52-
5. Save the integration.
38+
### Elastic Stack
5339

54-
**Note:**
55-
- Scan data is fetched based on the configured initial interval and polling frequency.
56-
- The integration supports batch processing with configurable batch sizes for optimal performance.
57-
58-
## How do I deploy this integration?
59-
60-
### Agent-based deployment
61-
62-
Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
63-
64-
Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
40+
This integration supports Agentless and Elastic Agent-based data collection.
6541

66-
### Onboard / configure
42+
For agent-based collection, install Elastic Agent using the [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
6743

68-
To completely set up the Nextron Thor APT Scanner integration:
44+
## How it works
6945

70-
1. **Prepare Thor Cloud Access**
71-
- Log into your Nextron Thor Cloud dashboard
72-
- Generate an API key from General Settings > API Key
73-
- Note your API endpoint URL
46+
Data flows from endpoints to Elastic as follows:
7447

75-
2. **Install Elastic Agent**
76-
- Follow the [Elastic Agent installation guide](docs-content://reference/fleet/install-elastic-agents.md)
77-
- Ensure the agent is properly enrolled in Fleet
48+
1. **Endpoint** — THOR Cloud Launcher runs a THOR scan on the endpoint.
49+
2. **THOR Cloud** — Scan results and `thor.json` logs are uploaded and stored.
50+
3. **THOR Cloud API** — The integration polls `/v1/scan/search` and `/v1/scan/log` for new scans.
51+
4. **Elastic Agent (CEL input)** — Retrieves logs over HTTPS and ships raw events.
52+
5. **Elasticsearch data stream** — The `nextron_thor_apt_scanner.thor_forwarding` ingest pipeline normalizes events to ECS.
7853

79-
3. **Add the Integration**
80-
- Navigate to Kibana > Management > Integrations
81-
- Search for "Nextron Thor APT Scanner"
82-
- Click "Add Nextron Thor APT Scanner"
54+
The integration uses a CEL input to poll the THOR Cloud REST API. It does not require syslog or log file receivers on the Elastic Agent host.
8355

84-
4. **Configure Integration Settings**
85-
- Enter your Thor Cloud API URL
86-
- Provide your API key
87-
- Set initial interval (recommended: 24h for first run)
88-
- Configure polling interval (recommended: 5m)
89-
- Adjust batch size if needed (default: 100)
56+
## Setup
9057

91-
5. **Deploy Configuration**
92-
- Review all settings
93-
- Save and deploy the integration
94-
- Monitor the agent logs for successful connection
58+
### Step 1: Prepare THOR Cloud
59+
60+
1. Log into your [THOR Cloud dashboard](https://thor-cloud.nextron-services.com/).
61+
2. Deploy the **THOR Cloud Launcher** on at least one endpoint (Windows, Linux, or macOS).
62+
3. Run a scan and confirm it completes successfully.
63+
4. In the THOR Cloud dashboard, verify the scan report is **not encrypted** and that `thor.json` is listed in the scan's available logs.
64+
5. Navigate to **General Settings****API Key**, click **Generate**, and copy the API key. You will not be able to copy it after this step.
65+
6. Note the **API Endpoint URL** (default: `https://thor-cloud.nextron-services.com/api`).
66+
67+
### Step 2: Add the integration in Elastic
68+
69+
1. In Kibana, navigate to **Management****Integrations**.
70+
2. Search for **Nextron THOR Cloud** and add the integration.
71+
3. Configure the required parameters:
72+
- **API URL**: THOR Cloud API endpoint URL from Step 1
73+
- **API Key**: API key from Step 1
74+
- **Initial Interval**: How far back to pull scan logs on first run (default: `24h`)
75+
- **Interval**: Duration between API requests (default: `5m`)
76+
4. Save and deploy the integration.
77+
78+
### Step 3: Verify data collection
79+
80+
1. In **Discover**, open the `logs-*` data view.
81+
2. Filter documents by `data_stream.dataset : "nextron_thor_apt_scanner.thor_forwarding"`.
82+
3. Confirm events from your completed scan appear within the configured polling interval.
83+
4. If no data appears, check the following:
84+
- The scan completed with status `successful` or `failed` in THOR Cloud.
85+
- **`logs_encrypted` is `false`** for the scan. Encrypted reports are skipped by this integration and will not produce events in Elastic.
86+
- `thor.json` is listed in `available_logs` for the scan.
87+
- The API key is valid and the **Initial Interval** covers the scan completion time.
9588

89+
**Note:**
90+
- Scan data is fetched incrementally based on `last_launcher_update` and the configured initial interval.
91+
- The integration supports batch processing with configurable batch sizes for optimal performance.
9692

9793
## Exported fields
9894
**Exported fields**
@@ -417,4 +413,4 @@ An example event for `thor_forwarding` looks as following:
417413
"scan_id": "S-VavZi0stuDo"
418414
}
419415
}
420-
```
416+
```
1.17 MB
Loading
-107 KB
Binary file not shown.

0 commit comments

Comments
 (0)