THOR Log Analysis Skill
Goal: turn raw THOR output into an investigation plan.
Analysis Approach
THOR performs live forensic analysis and highlights suspicious elements using signatures. The analyst's job is to evaluate these findings using additional data sources and context.
Triage Priority
- Alerts first (score 81+) - High-confidence malicious findings
- Warnings second (score 60-80) - Medium-confidence suspicious activity
- High-signal Notices (score 40-59) - YARA matches, known-bad hashes
- Low-signal Notices - Anomaly scores, generic patterns
Key Principle: High Quantity Reduces Relevance
In contrast to firewall logs, a high count of one particular THOR finding across endpoints decreases its relevance:
- If detected on 100+ endpoints → likely false positive
- If detected on 1-30 endpoints → more likely significant
- Exceptions: confirmed malware campaigns targeting many systems
Analysis Methods
Two recommended approaches (often combined):
- Sort by score (descending) - Process top-scoring events down to score 80
- Analyze by module - Then switch to module-based analysis with relevant columns
Example workflow:
- Filter to Alerts and Warnings
- Process top scores first
- Group by module (FileScan, ProcessCheck, etc.)
- Select characteristic fields per module (e.g., FILE + MAIN_REASON for FileScan)
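The workflow above (top scores first, then module-based grouping), together with the score bands from Triage Priority and the endpoint-count rule from Key Principle, as an added Python example. It is not the skill's own scripts/summarize_thor_log.py. The log line layout (level, then uppercase "KEY: value" pairs) is a constructed approximation of THOR's text log, the sample lines are made up, and the IMAGE field used as ProcessCheck's characteristic column is an assumption; the 31-99 endpoint band has no rule on the page and is labelled as such.

```python
"""Parse THOR-style text log lines, bucket them by score, and apply the
"high quantity reduces relevance" rule. Example code, not THOR's own parser."""
import re
from collections import Counter, defaultdict

# Constructed sample in the style of THOR's text log ("KEY: value" pairs after
# the level). The exact field layout is an assumption for this example.
SAMPLE_LINES = [
    r"Mar 11 10:15:42 WS-001/10.0.0.11 THOR: Alert: MODULE: FileScan MESSAGE: Malware file found "
    r"FILE: C:\Users\bob\AppData\Local\Temp\svc.exe SCORE: 95 MAIN_REASON: YARA rule match",
    r"Mar 11 10:15:43 WS-001/10.0.0.11 THOR: Warning: MODULE: ProcessCheck MESSAGE: Suspicious process "
    r"PID: 4120 IMAGE: C:\Windows\Temp\a.exe SCORE: 72 MAIN_REASON: Sigma rule match",
    r"Mar 11 10:16:01 WS-002/10.0.0.12 THOR: Notice: MODULE: FileScan MESSAGE: Suspicious file "
    r"FILE: C:\Tools\psexec.exe SCORE: 50 MAIN_REASON: Known dual-use tool hash",
]
# The same low-score anomaly notice reported by 120 different endpoints.
SAMPLE_LINES += [
    rf"Mar 11 10:2{i % 10}:00 WS-{i}/10.0.1.{i} THOR: Notice: MODULE: FileScan MESSAGE: Anomaly "
    r"FILE: C:\Program Files\Vendor\updater.exe SCORE: 35 MAIN_REASON: Anomaly score"
    for i in range(100, 220)
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>[^/ ]+)/(?P<ip>\S+) "
    r"THOR: (?P<level>Alert|Warning|Notice|Info): (?P<body>.*)$"
)
# Uppercase KEY: value pairs; a value runs until the next " KEY: " token or line end,
# so Windows paths containing "C:\" are not split.
KV_RE = re.compile(r"([A-Z][A-Z0-9_]*): (.*?)(?= [A-Z][A-Z0-9_]*: |$)")


def parse_line(line):
    """Return a dict of fields for one THOR finding line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f.update(KV_RE.findall(f.pop("body")))
    f["SCORE"] = int(f.get("SCORE", 0))
    return f


def parse_log(lines):
    return [f for f in map(parse_line, lines) if f]


def triage_band(score):
    """Score bands from the Triage Priority section."""
    if score >= 81:
        return "Alert"
    if score >= 60:
        return "Warning"
    if score >= 40:
        return "High-signal Notice"
    return "Low-signal Notice"


def prevalence(findings, key=("MODULE", "MAIN_REASON", "FILE")):
    """Map each distinct finding (module, reason, file) to the number of endpoints reporting it."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[tuple(f.get(k, "") for k in key)].add(f["host"])
    return {k: len(v) for k, v in hosts.items()}


def prevalence_verdict(endpoints):
    """Endpoint-count rule from the Key Principle section."""
    if endpoints >= 100:
        return "likely false positive"
    if endpoints <= 30:
        return "more likely significant"
    return "review manually"  # 31-99 endpoints: no rule on the page; assumption


def top_scores(findings, floor=80):
    """Step 1: highest scores first, processed down to the floor."""
    return sorted((f for f in findings if f["SCORE"] >= floor), key=lambda f: -f["SCORE"])


# Characteristic fields per module. FileScan's pair is from the skill text;
# ProcessCheck's IMAGE field is an assumption for the constructed sample.
CHARACTERISTIC = {"FileScan": ("FILE", "MAIN_REASON"), "ProcessCheck": ("IMAGE", "MAIN_REASON")}


def by_module(findings, min_score=60):
    """Step 2: Alerts and Warnings grouped by module, reduced to characteristic fields."""
    groups = defaultdict(list)
    for f in findings:
        if f["SCORE"] < min_score:
            continue
        cols = CHARACTERISTIC.get(f["MODULE"], ("MESSAGE", "MAIN_REASON"))
        groups[f["MODULE"]].append(tuple(f.get(c, "") for c in cols))
    return dict(groups)


def summarize(lines):
    """Compact summary: band counts, top-scoring events, module groups, prevalence verdicts."""
    findings = parse_log(lines)
    return {
        "bands": Counter(triage_band(f["SCORE"]) for f in findings),
        "top": [(f["host"], f["SCORE"], f.get("FILE") or f.get("IMAGE")) for f in top_scores(findings)],
        "modules": by_module(findings),
        "prevalence": {k: (n, prevalence_verdict(n)) for k, n in prevalence(findings).items()},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_LINES))
```

On the sample, the 120-endpoint anomaly notice on updater.exe is the one that dominates by volume yet lands in "likely false positive", while the single-host Alert on svc.exe is the only event above the score-80 floor and heads the list; the prevalence key can be widened or narrowed (for example by adding SHA1 when present) depending on which columns are characteristic for the module.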
Rules
- Group by detection type/module (YARA, Sigma, IOC, Anomaly) and by file/path
- For each relevant finding: explain what it is, why it triggered, and what to verify next
- Be explicit when something is likely benign (common false positives)
- Use external tools (VirusTotal, Valhalla, Hybrid Analysis) to verify findings
References
- Scoring and Priorities - Score levels, triage order
- Common False Positives - Known FP patterns by module
- Module Notes - Understanding each THOR module
- Attribute Evaluation - How to assess finding attributes
- Analysis Tools - External tools for verification
Helper Script
If the user provides a log file path, run scripts/summarize_thor_log.py on it to extract a compact summary.
Output Format
- Summary (5-15 lines): What's going on, what stands out
- Findings table: Score, type/module, target, why it matters
- Next steps: 3-7 concrete follow-ups
Quick Assessment Questions
For each finding, ask:
- Is the file digitally signed by a trusted vendor?
- Is it in an expected location for that software?
- Does the user's role justify having this tool?
- Does VirusTotal show low/zero detections?
- Has this file been in place for a long time unchanged?
If YES to most → Likely FP, document and filter. If NO to most → Treat as suspicious, investigate further.