AgentSkillsCN

thor-lens

THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (v10 does not provide the audit trail feature).

SKILL.md

---
name: thor-lens
description: THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).
---

THOR Lens Skill

THOR Lens is a forensic timeline viewer that transforms THOR v11 audit trail files into an interactive exploration interface.

Critical Boundary:

  • THOR Lens is a web UI application - users interact in the browser
  • The CLI handles build, import, and serve - not scanning
  • THOR Lens does not scan - it visualizes data from THOR scans
  • Requires THOR v11 audit trail output (v10 does not produce this format)
  • Not compatible with THOR Lite - Lite cannot generate audit trail output

Quickstart

```bash
# 1. Clone and build
git clone https://github.com/NextronSystems/thor-lens.git
cd thor-lens
make build

# 2. Import an audit trail
./thorlens import --log /path/to/audit.jsonl --case mycase

# 3. Serve and open browser
./thorlens serve --case ./cases/mycase --port 8080
# Open http://127.0.0.1:8080
```

When to Use THOR Lens

  • Investigating timelines from THOR v11 scans
  • Correlating events across time ranges
  • Exploring high-score detections and their context
  • Annotating findings with tags, comments, bookmarks
  • MCP integration with Claude Code for AI-assisted analysis

References

  • Troubleshooting
  • Examples
  • Helper Scripts

Key Facts

| Item | Value |
| --- | --- |
| Upstream repo | https://github.com/NextronSystems/thor-lens |
| Default port | 8080 |
| Case storage | ./cases/<name>/ |
| Input format | JSONL (.jsonl or .jsonl.gz) |
| MCP stdio | ./thorlens serve --case <path> --mcp-stdio |
| MCP HTTP | http://localhost:8080/mcp (default) |

Workflow Rules

  1. Always verify that the audit trail was generated with THOR v11 before importing
  2. Use --virtual-map and -j during THOR scans to preserve path/hostname context
  3. MCP stdio mode is recommended for Claude Code integration
  4. Never expose the MCP HTTP endpoint publicly (it has no authentication)
  5. If the user has THOR Lite, explain that Lens is not an option - Lite lacks audit trail capability. See THOR Lite limitations.
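A pre-import check that fits rule 1 and the Key Facts input format, as an added example (not code from the thor-lens project): it validates that a candidate file follows the JSONL contract the importer expects (.jsonl or .jsonl.gz, one JSON object per line) and lists defective lines before you spend time on an import. It does not know the THOR v11 record schema, so confirming the producing THOR version stays a manual step; the sample records are constructed, not real THOR output.

```python
# Added example, not thor-lens project code: pre-import sanity check for a THOR Lens
# input file. It validates the JSONL contract the importer expects (.jsonl or
# .jsonl.gz, one JSON object per line) and lists defective lines before an import.
# It does not know the THOR v11 record schema, so confirming the producing THOR
# version (Workflow Rule 1) remains a manual step.
import gzip
import json
from pathlib import Path


def check_lines(name, lines):
    """Return {"records": n, "bad_lines": [(line_no, reason), ...], "ok": bool}."""
    records, bad = 0, []
    if not (name.endswith(".jsonl") or name.endswith(".jsonl.gz")):
        return {"records": 0, "bad_lines": [(0, "expected a .jsonl or .jsonl.gz file")], "ok": False}
    for line_no, raw in enumerate(lines, start=1):
        text = raw.strip()
        if not text:
            bad.append((line_no, "empty line"))
            continue
        try:
            obj = json.loads(text)
        except json.JSONDecodeError as exc:
            bad.append((line_no, f"invalid JSON: {exc.msg}"))
            continue
        if not isinstance(obj, dict):
            bad.append((line_no, "record is not a JSON object"))
            continue
        records += 1
    return {"records": records, "bad_lines": bad, "ok": records > 0 and not bad}


def check_audit_trail(path):
    """Open a plain or gzip-compressed file (detected by the gzip magic bytes) and check it."""
    p = Path(path)
    with open(p, "rb") as fh:
        is_gzip = fh.read(2) == b"\x1f\x8b"
    fh = gzip.open(p, "rt", encoding="utf-8") if is_gzip else open(p, encoding="utf-8")
    with fh:
        return check_lines(p.name, fh)


# Constructed sample (not real THOR output): two records, a blank line, a truncated record.
SAMPLE_LINES = [
    '{"time": "2024-01-01T00:00:00Z", "module": "Filescan", "score": 70}\n',
    '{"time": "2024-01-01T00:00:01Z", "module": "Eventlog", "score": 40}\n',
    "\n",
    '{"time": "2024-01-01T00:00:02Z", "module": ',
]
```

Run `check_audit_trail("/path/to/audit.jsonl")` on a real file and only import when the report's `ok` is true; `bad_lines` gives the line numbers to inspect otherwise.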