You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
nextron_thor_apt_scanner: improve overview dashboard and THOR Cloud documentation
Rebuild the [Nextron Thor] Overview dashboard and revise integration docs
so analysts can triage THOR Cloud findings accurately and new users can
deploy the integration without gaps.
Dashboard and UX:
- Rebuild the overview dashboard with severity-based KPIs, findings
timeline, and top modules, hosts, and rules/signatures
- Add dashboard controls for scan ID, hostname, severity, and module
- Add a default Discover saved search for finding triage with
log.level, event.module, message, and thor.reasons.name columns
- Update the dashboard screenshot and exclude SVR00004 in validation.yml
Documentation:
- Rewrite the integration overview for THOR Cloud (platforms, data flow,
API compatibility, and THOR Cloud Launcher prerequisites)
- Document that encrypted scan reports are not ingested and how to
verify collection in Setup
[Nextron Thor APT Scanner](https://www.nextron-systems.com/thor/) is a powerful threat hunting and incident response tool that provides comprehensive scanning capabilities for detecting advanced persistent threats (APTs), malware, and security vulnerabilities across Windows systems. The Nextron Thor APT Scanner integration enables you to consume and analyze Thor Cloud scan results within Elastic Security, providing centralized visibility into threat detection findings and facilitating automated incident response workflows.
3
+
[Nextron THOR Cloud](https://www.nextron-systems.com/thor-cloud/) is a cloud-based compromise assessment platform that runs the THOR forensic scanner on endpoints through the THOR Cloud Launcher. This integration polls the THOR Cloud API and ingests scan findings into Elastic Security for centralized threat hunting and incident response.
4
4
5
5
## Agentless Enabled Integration
6
6
@@ -9,94 +9,90 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud
9
9
10
10
## Data streams
11
11
12
-
The Nextron Thor APT Scanner integration collects one type of data:
12
+
The Nextron THOR Cloud integration collects one type of data:
13
13
14
-
-**Thor Forwarding**- Scan results and findings from Thor Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during system scans.
14
+
-**Thor Forwarding**— Scan results and findings from the THOR Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during endpoint scans.
15
15
16
16
## Requirements
17
17
18
-
This integration supports Agentless and Elastic Agent-based data collection.
19
-
20
-
### Elastic Agent
21
-
22
-
For agent-based collection, install Elastic Agent using the [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
23
-
24
-
The minimum **kibana.version** required is **9.2.0**.
18
+
### THOR Cloud
25
19
26
-
This integration has been tested against the **Nextron Thor Cloud API**.
20
+
- A [THOR Cloud](https://www.nextron-systems.com/thor-cloud/) or [THOR Cloud Lite](https://www.nextron-systems.com/thor-cloud/) account with API access.
21
+
-**THOR Cloud Launcher** deployed on at least one endpoint and at least one completed scan before data appears in Elastic.
22
+
- Scan reports must be **unencrypted** (`logs_encrypted` must be `false`). This integration does not ingest encrypted THOR reports.
23
+
- Scans must include `thor.json` in `available_logs`.
24
+
- Supported endpoint platforms: **Windows**, **Linux**, and **macOS**.
27
25
28
-
## Setup
29
-
30
-
### Get the Thor Cloud API URL
31
-
32
-
1. Access your Nextron Thor Cloud dashboard.
33
-
2. Navigate to the API settings section.
34
-
3. Copy the **API Endpoint URL** (default: `https://thor-cloud.nextron-services.com/api`).
26
+
### Compatibility
35
27
36
-
### Get the API Key
28
+
This integration has been tested with:
37
29
38
-
1. In the Thor Cloud dashboard, navigate to **General Settings** > **API Key**.
39
-
2. Click **Generate**.
40
-
4. Copy the generated API key. You won't be able to copy it after this stage.
30
+
| Component | Minimum tested version |
31
+
| --- | --- |
32
+
| THOR Cloud API | v1 (`https://thor-cloud.nextron-services.com/ui/api-documentation`) |
33
+
| THOR scanner | 10.7.x |
34
+
| THOR JSON log format | v2 (`log_version: v2.0.0`) |
41
35
42
-
### Enable the integration in Elastic
36
+
THOR Cloud Lite is supported when scans produce unencrypted `thor.json` logs through the same API.
43
37
44
-
1. In Kibana navigate to **Management** > **Integrations**.
45
-
2. In the search top bar, type **Nextron Thor APT Scanner**.
46
-
3. Select the **Nextron Thor APT Scanner** integration and add it.
47
-
4. Configure the required integration parameters:
48
-
-**API URL**: The Thor Cloud API endpoint URL
49
-
-**API Key**: Your Thor Cloud API key
50
-
-**Initial Interval**: How far back to pull scan logs (default: 24h)
51
-
-**Interval**: Duration between API requests (default: 5m)
52
-
5. Save the integration.
38
+
### Elastic Stack
53
39
54
-
**Note:**
55
-
- Scan data is fetched based on the configured initial interval and polling frequency.
56
-
- The integration supports batch processing with configurable batch sizes for optimal performance.
57
-
58
-
## How do I deploy this integration?
59
-
60
-
### Agent-based deployment
61
-
62
-
Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
63
-
64
-
Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
40
+
This integration supports Agentless and Elastic Agent-based data collection.
65
41
66
-
### Onboard / configure
42
+
For agent-based collection, install Elastic Agent using the [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
67
43
68
-
To completely set up the Nextron Thor APT Scanner integration:
44
+
## How it works
69
45
70
-
1.**Prepare Thor Cloud Access**
71
-
- Log into your Nextron Thor Cloud dashboard
72
-
- Generate an API key from General Settings > API Key
73
-
- Note your API endpoint URL
46
+
Data flows from endpoints to Elastic as follows:
74
47
75
-
2.**Install Elastic Agent**
76
-
- Follow the [Elastic Agent installation guide](docs-content://reference/fleet/install-elastic-agents.md)
77
-
- Ensure the agent is properly enrolled in Fleet
48
+
1.**Endpoint** — THOR Cloud Launcher runs a THOR scan on the endpoint.
49
+
2.**THOR Cloud** — Scan results and `thor.json` logs are uploaded and stored.
50
+
3.**THOR Cloud API** — The integration polls `/v1/scan/search` and `/v1/scan/log` for new scans.
51
+
4.**Elastic Agent (CEL input)** — Retrieves logs over HTTPS and ships raw events.
52
+
5.**Elasticsearch data stream** — The `nextron_thor_apt_scanner.thor_forwarding` ingest pipeline normalizes events to ECS.
78
53
79
-
3.**Add the Integration**
80
-
- Navigate to Kibana > Management > Integrations
81
-
- Search for "Nextron Thor APT Scanner"
82
-
- Click "Add Nextron Thor APT Scanner"
54
+
The integration uses a CEL input to poll the THOR Cloud REST API. It does not require syslog or log file receivers on the Elastic Agent host.
83
55
84
-
4.**Configure Integration Settings**
85
-
- Enter your Thor Cloud API URL
86
-
- Provide your API key
87
-
- Set initial interval (recommended: 24h for first run)
88
-
- Configure polling interval (recommended: 5m)
89
-
- Adjust batch size if needed (default: 100)
56
+
## Setup
90
57
91
-
5.**Deploy Configuration**
92
-
- Review all settings
93
-
- Save and deploy the integration
94
-
- Monitor the agent logs for successful connection
58
+
### Step 1: Prepare THOR Cloud
59
+
60
+
1. Log into your [THOR Cloud dashboard](https://thor-cloud.nextron-services.com/).
61
+
2. Deploy the **THOR Cloud Launcher** on at least one endpoint (Windows, Linux, or macOS).
62
+
3. Run a scan and confirm it completes successfully.
63
+
4. In the THOR Cloud dashboard, verify the scan report is **not encrypted** and that `thor.json` is listed in the scan's available logs.
64
+
5. Navigate to **General Settings** → **API Key**, click **Generate**, and copy the API key. You will not be able to copy it after this step.
65
+
6. Note the **API Endpoint URL** (default: `https://thor-cloud.nextron-services.com/api`).
66
+
67
+
### Step 2: Add the integration in Elastic
68
+
69
+
1. In Kibana, navigate to **Management** → **Integrations**.
70
+
2. Search for **Nextron THOR Cloud** and add the integration.
71
+
3. Configure the required parameters:
72
+
-**API URL**: THOR Cloud API endpoint URL from Step 1
73
+
-**API Key**: API key from Step 1
74
+
-**Initial Interval**: How far back to pull scan logs on first run (default: `24h`)
75
+
-**Interval**: Duration between API requests (default: `5m`)
76
+
4. Save and deploy the integration.
77
+
78
+
### Step 3: Verify data collection
79
+
80
+
1. In **Discover**, open the `logs-*` data view.
81
+
2. Filter documents by `data_stream.dataset : "nextron_thor_apt_scanner.thor_forwarding"`.
82
+
3. Confirm events from your completed scan appear within the configured polling interval.
83
+
4. If no data appears, check the following:
84
+
- The scan completed with status `successful` or `failed` in THOR Cloud.
85
+
-**`logs_encrypted` is `false`** for the scan. Encrypted reports are skipped by this integration and will not produce events in Elastic.
86
+
-`thor.json` is listed in `available_logs` for the scan.
87
+
- The API key is valid and the **Initial Interval** covers the scan completion time.
95
88
89
+
**Note:**
90
+
- Scan data is fetched incrementally based on `last_launcher_update` and the configured initial interval.
91
+
- The integration supports batch processing with configurable batch sizes for optimal performance.
- description: Fix CEL cursor advancement when scans produce no events, improve deduplication and file path parsing, handle AtJobs multi-value start timestamps, and terminate processing on API error responses.
Copy file name to clipboardExpand all lines: packages/nextron_thor/docs/README.md
+64-68Lines changed: 64 additions & 68 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
-
# Nextron Thor APT Scanner
1
+
# Nextron THOR Cloud
2
2
3
-
[Nextron Thor APT Scanner](https://www.nextron-systems.com/thor/) is a powerful threat hunting and incident response tool that provides comprehensive scanning capabilities for detecting advanced persistent threats (APTs), malware, and security vulnerabilities across Windows systems. The Nextron Thor APT Scanner integration enables you to consume and analyze Thor Cloud scan results within Elastic Security, providing centralized visibility into threat detection findings and facilitating automated incident response workflows.
3
+
[Nextron THOR Cloud](https://www.nextron-systems.com/thor-cloud/) is a cloud-based compromise assessment platform that runs the THOR forensic scanner on endpoints through the THOR Cloud Launcher. This integration polls the THOR Cloud API and ingests scan findings into Elastic Security for centralized threat hunting and incident response.
4
4
5
5
## Agentless Enabled Integration
6
6
@@ -9,90 +9,86 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud
9
9
10
10
## Data streams
11
11
12
-
The Nextron Thor APT Scanner integration collects one type of data:
12
+
The Nextron THOR Cloud integration collects one type of data:
13
13
14
-
-**Thor Forwarding**- Scan results and findings from Thor Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during system scans.
14
+
-**Thor Forwarding**— Scan results and findings from the THOR Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during endpoint scans.
15
15
16
16
## Requirements
17
17
18
-
This integration supports Agentless and Elastic Agent-based data collection.
19
-
20
-
### Elastic Agent
21
-
22
-
For agent-based collection, install Elastic Agent using the [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
23
-
24
-
The minimum **kibana.version** required is **9.2.0**.
18
+
### THOR Cloud
25
19
26
-
This integration has been tested against the **Nextron Thor Cloud API**.
20
+
- A [THOR Cloud](https://www.nextron-systems.com/thor-cloud/) or [THOR Cloud Lite](https://www.nextron-systems.com/thor-cloud/) account with API access.
21
+
-**THOR Cloud Launcher** deployed on at least one endpoint and at least one completed scan before data appears in Elastic.
22
+
- Scan reports must be **unencrypted** (`logs_encrypted` must be `false`). This integration does not ingest encrypted THOR reports.
23
+
- Scans must include `thor.json` in `available_logs`.
24
+
- Supported endpoint platforms: **Windows**, **Linux**, and **macOS**.
27
25
28
-
## Setup
29
-
30
-
### Get the Thor Cloud API URL
31
-
32
-
1. Access your Nextron Thor Cloud dashboard.
33
-
2. Navigate to the API settings section.
34
-
3. Copy the **API Endpoint URL** (default: `https://thor-cloud.nextron-services.com/api`).
26
+
### Compatibility
35
27
36
-
### Get the API Key
28
+
This integration has been tested with:
37
29
38
-
1. In the Thor Cloud dashboard, navigate to **General Settings** > **API Key**.
39
-
2. Click **Generate**.
40
-
4. Copy the generated API key. You won't be able to copy it after this stage.
30
+
| Component | Minimum tested version |
31
+
| --- | --- |
32
+
| THOR Cloud API | v1 (`https://thor-cloud.nextron-services.com/ui/api-documentation`) |
33
+
| THOR scanner | 10.7.x |
34
+
| THOR JSON log format | v2 (`log_version: v2.0.0`) |
41
35
42
-
### Enable the integration in Elastic
36
+
THOR Cloud Lite is supported when scans produce unencrypted `thor.json` logs through the same API.
43
37
44
-
1. In Kibana navigate to **Management** > **Integrations**.
45
-
2. In the search top bar, type **Nextron Thor APT Scanner**.
46
-
3. Select the **Nextron Thor APT Scanner** integration and add it.
47
-
4. Configure the required integration parameters:
48
-
-**API URL**: The Thor Cloud API endpoint URL
49
-
-**API Key**: Your Thor Cloud API key
50
-
-**Initial Interval**: How far back to pull scan logs (default: 24h)
51
-
-**Interval**: Duration between API requests (default: 5m)
52
-
5. Save the integration.
38
+
### Elastic Stack
53
39
54
-
**Note:**
55
-
- Scan data is fetched based on the configured initial interval and polling frequency.
56
-
- The integration supports batch processing with configurable batch sizes for optimal performance.
57
-
58
-
## How do I deploy this integration?
59
-
60
-
### Agent-based deployment
61
-
62
-
Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
63
-
64
-
Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
40
+
This integration supports Agentless and Elastic Agent-based data collection.
65
41
66
-
### Onboard / configure
42
+
For agent-based collection, install Elastic Agent using the [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
67
43
68
-
To completely set up the Nextron Thor APT Scanner integration:
44
+
## How it works
69
45
70
-
1.**Prepare Thor Cloud Access**
71
-
- Log into your Nextron Thor Cloud dashboard
72
-
- Generate an API key from General Settings > API Key
73
-
- Note your API endpoint URL
46
+
Data flows from endpoints to Elastic as follows:
74
47
75
-
2.**Install Elastic Agent**
76
-
- Follow the [Elastic Agent installation guide](docs-content://reference/fleet/install-elastic-agents.md)
77
-
- Ensure the agent is properly enrolled in Fleet
48
+
1.**Endpoint** — THOR Cloud Launcher runs a THOR scan on the endpoint.
49
+
2.**THOR Cloud** — Scan results and `thor.json` logs are uploaded and stored.
50
+
3.**THOR Cloud API** — The integration polls `/v1/scan/search` and `/v1/scan/log` for new scans.
51
+
4.**Elastic Agent (CEL input)** — Retrieves logs over HTTPS and ships raw events.
52
+
5.**Elasticsearch data stream** — The `nextron_thor_apt_scanner.thor_forwarding` ingest pipeline normalizes events to ECS.
78
53
79
-
3.**Add the Integration**
80
-
- Navigate to Kibana > Management > Integrations
81
-
- Search for "Nextron Thor APT Scanner"
82
-
- Click "Add Nextron Thor APT Scanner"
54
+
The integration uses a CEL input to poll the THOR Cloud REST API. It does not require syslog or log file receivers on the Elastic Agent host.
83
55
84
-
4.**Configure Integration Settings**
85
-
- Enter your Thor Cloud API URL
86
-
- Provide your API key
87
-
- Set initial interval (recommended: 24h for first run)
88
-
- Configure polling interval (recommended: 5m)
89
-
- Adjust batch size if needed (default: 100)
56
+
## Setup
90
57
91
-
5.**Deploy Configuration**
92
-
- Review all settings
93
-
- Save and deploy the integration
94
-
- Monitor the agent logs for successful connection
58
+
### Step 1: Prepare THOR Cloud
59
+
60
+
1. Log into your [THOR Cloud dashboard](https://thor-cloud.nextron-services.com/).
61
+
2. Deploy the **THOR Cloud Launcher** on at least one endpoint (Windows, Linux, or macOS).
62
+
3. Run a scan and confirm it completes successfully.
63
+
4. In the THOR Cloud dashboard, verify the scan report is **not encrypted** and that `thor.json` is listed in the scan's available logs.
64
+
5. Navigate to **General Settings** → **API Key**, click **Generate**, and copy the API key. You will not be able to copy it after this step.
65
+
6. Note the **API Endpoint URL** (default: `https://thor-cloud.nextron-services.com/api`).
66
+
67
+
### Step 2: Add the integration in Elastic
68
+
69
+
1. In Kibana, navigate to **Management** → **Integrations**.
70
+
2. Search for **Nextron THOR Cloud** and add the integration.
71
+
3. Configure the required parameters:
72
+
-**API URL**: THOR Cloud API endpoint URL from Step 1
73
+
-**API Key**: API key from Step 1
74
+
-**Initial Interval**: How far back to pull scan logs on first run (default: `24h`)
75
+
-**Interval**: Duration between API requests (default: `5m`)
76
+
4. Save and deploy the integration.
77
+
78
+
### Step 3: Verify data collection
79
+
80
+
1. In **Discover**, open the `logs-*` data view.
81
+
2. Filter documents by `data_stream.dataset : "nextron_thor_apt_scanner.thor_forwarding"`.
82
+
3. Confirm events from your completed scan appear within the configured polling interval.
83
+
4. If no data appears, check the following:
84
+
- The scan completed with status `successful` or `failed` in THOR Cloud.
85
+
-**`logs_encrypted` is `false`** for the scan. Encrypted reports are skipped by this integration and will not produce events in Elastic.
86
+
-`thor.json` is listed in `available_logs` for the scan.
87
+
- The API key is valid and the **Initial Interval** covers the scan completion time.
95
88
89
+
**Note:**
90
+
- Scan data is fetched incrementally based on `last_launcher_update` and the configured initial interval.
91
+
- The integration supports batch processing with configurable batch sizes for optimal performance.
96
92
97
93
## Exported fields
98
94
**Exported fields**
@@ -417,4 +413,4 @@ An example event for `thor_forwarding` looks as following:
0 commit comments