nextronsystems/thor-log-analysis
thor-log-analysis/SKILL.md
Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.
$ install --global
skillsauthnpx skillsauth add nextronsystems/thor-skill thor-log-analysisInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 8, 2026, 2:34 AM34.6s7 files scanned
SKILL.md
- name:
- thor-log-analysis
- description:
- Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.
THOR Log Analysis Skill
Goal: turn raw THOR output into an investigation plan.
Analysis Approach
THOR performs live forensic analysis and highlights suspicious elements using signatures. The analyst's job is to evaluate these findings using additional data sources and context.
Triage Priority
- Alerts first (score 81+) - High-confidence malicious findings
- Warnings second (score 60-80) - Medium-confidence suspicious activity
- High-signal Notices (score 40-59) - YARA matches, known-bad hashes
- Low-signal Notices - Anomaly scores, generic patterns
Key Principle: High Quantity Reduces Relevance
In contrast to firewall logs, a high number of a particular THOR finding decreases its relevance:
- If detected on 100+ endpoints → likely false positive
- If detected on 1-30 endpoints → more likely significant
- Exceptions: confirmed malware campaigns targeting many systems
Analysis Methods
Two recommended approaches (often combined):
- Sort by score (descending) - Process top-scoring events down to score 80
- Analyze by module - Then switch to module-based analysis with relevant columns
Example workflow:
- Filter to Alerts and Warnings
- Process top scores first
- Group by module (FileScan, ProcessCheck, etc.)
- Select characteristic fields per module (e.g., FILE + MAIN_REASON for FileScan)
Rules
- Group by detection type/module (YARA, Sigma, IOC, Anomaly) and by file/path
- For each relevant finding: explain what it is, why it triggered, and what to verify next
- Be explicit when something is likely benign (common false positives)
- Use external tools (VirusTotal, Valhalla, Hybrid Analysis) to verify findings
References
- Scoring and Priorities - Score levels, triage order
- Common False Positives - Known FP patterns by module
- Module Notes - Understanding each THOR module
- Attribute Evaluation - How to assess finding attributes
- Analysis Tools - External tools for verification
Helper Script
If user provides a log file path, run scripts/summarize_thor_log.py to extract a compact summary.
Output Format
- Summary (5-15 lines): What's going on, what stands out
- Findings table: Score, type/module, target, why it matters
- Next steps: 3-7 concrete follow-ups
Quick Assessment Questions
For each finding, ask:
- Is the file digitally signed by a trusted vendor?
- Is it in an expected location for that software?
- Does the user's role justify having this tool?
- Does VirusTotal show low/zero detections?
- Has this file been in place for a long time unchanged?
If YES to most → Likely FP, document and filter. If NO to most → Treat as suspicious, investigate further.
Related Skills
nextronsystems/thor-troubleshooting
data-ai
VerifiedTrustedCommunity
Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-scan
content-media
VerifiedTrustedCommunity
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-plugins
tools
VerifiedTrustedCommunity
Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-maintenance
development
VerifiedTrustedCommunity
--- name: thor-maintenance description: Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation. --- # THOR Maintenance Skill Rules - Be precise about thor-util verbs: - update = signatures - upgrade = program + signatures, keep config - download = full pack incl config (offline use case) - Prefer stable signatures; mention sigdev only for urg
9SKILL.mdUpdated Apr 8, 2026