THOR Lens Skill
THOR Lens is a forensic timeline viewer that transforms THOR v11 audit trail files into an interactive exploration interface.
Critical Boundary:
- THOR Lens is a web UI application - users interact in the browser
- The CLI handles build, import, and serve - not scanning
- THOR Lens does not scan - it visualizes data from THOR scans
- Requires THOR v11 audit trail output (v10 does not produce this format)
- Not compatible with THOR Lite - Lite cannot generate audit trail output
Quickstart
```bash
# 1. Clone and build
git clone https://github.com/NextronSystems/thor-lens.git
cd thor-lens
make build

# 2. Import an audit trail
./thorlens import --log /path/to/audit.jsonl --case mycase

# 3. Serve and open browser
./thorlens serve --case ./cases/mycase --port 8080
# Open http://127.0.0.1:8080
```
When to Use THOR Lens
- Investigating timelines from THOR v11 scans
- Correlating events across time ranges
- Exploring high-score detections and their context
- Annotating findings with tags, comments, bookmarks
- MCP integration with Claude Code for AI-assisted analysis
References
- Quickstart - Get running in 5 minutes
- Build & Prerequisites - Go, Node.js, make requirements
- Import & Cases - Importing audit trails, case structure
- Serve & UI - Web server, UI features, keyboard shortcuts
- MCP Integration - Claude Code setup, MCP tools
- Audit Trail Generation - THOR v11 commands for audit trail
Troubleshooting
- Common Issues - Build, import, serve problems
- Empty UI - Why the timeline shows nothing
- MCP Issues - Connection and configuration problems
Examples
- End-to-End Local - Full workflow on local machine
- Case from Mounted Image - Forensic image workflow
- Case from SSHFS - Remote system via SSH mount
Helper Scripts
- scripts/validate_audit_trail.sh - Check audit trail file validity
- scripts/case_inventory.sh - List case contents and stats
Key Facts
| Item | Value |
|---|---|
| Upstream repo | https://github.com/NextronSystems/thor-lens |
| Default port | 8080 |
| Case storage | ./cases/<name>/ |
| Input format | JSONL (.jsonl or .jsonl.gz) |
| MCP stdio | ./thorlens serve --case <path> --mcp-stdio |
| MCP HTTP | http://localhost:8080/mcp (default) |
Workflow Rules
- Always verify the audit trail was generated with THOR v11 before importing
- Use `--virtual-map` and `-j` during THOR scans to preserve path/hostname context
- MCP stdio mode is recommended for Claude Code integration
- Never expose the MCP HTTP endpoint publicly (it has no authentication)
- If the user has THOR Lite, explain that Lens is not an option - Lite lacks audit trail capability. See THOR Lite limitations.
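
One way to check the rule about not exposing the MCP HTTP endpoint: the following is an added example, not part of THOR Lens or its helper scripts. It reads listener lines in the format printed by `ss -H -ltn` (iproute2) and reports any non-loopback address bound to the serve port. The function name `exposed_listeners` and the sample lines are constructed for illustration; port 8080 is the default from the Key Facts table.

```bash
# Constructed sample in `ss -H -ltn` format:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 192.0.2.10:22 0.0.0.0:*'

# exposed_listeners PORT   (hypothetical helper, added for this example)
# Reads ss-style lines on stdin and prints every local address listening on
# PORT that is not loopback. Exit status: 0 = loopback only or not listening,
# 1 = at least one address reachable from other hosts.
exposed_listeners() (
  port="$1"; found=0
  while read -r state _recvq _sendq laddr _rest || [ -n "$state" ]; do
    [ "$state" = "LISTEN" ] || continue        # also skips the ss header line
    [ "${laddr##*:}" = "$port" ] || continue   # port is the text after the last ':'
    addr="${laddr%:*}"                         # drop ":port"
    addr="${addr#\[}"; addr="${addr%\]}"       # drop IPv6 brackets
    addr="${addr%%\%*}"                        # drop a scope suffix such as %lo
    case "$addr" in
      127.*|::1|::ffff:127.*) continue ;;      # IPv4, IPv6, IPv4-mapped loopback
    esac
    echo "$addr"
    found=1
  done
  [ "$found" -eq 0 ]
)

# Live use while `thorlens serve` is running:
#   ss -H -ltn | exposed_listeners 8080 || echo "MCP HTTP endpoint is reachable beyond loopback"
```

For the constructed sample, the function prints `0.0.0.0` and `::` and exits with status 1, since both wildcard binds would make `/mcp` reachable from other hosts.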