Nextron Thor APT Scanner


Version	0.0.1 (View all)
Subscription level What's this?	Basic
Developed by What's this?	Elastic
Ingestion method(s)	API
Minimum Kibana version(s)	9.2.0

The Nextron Thor APT Scanner integration v0.0.1 is in beta

To use beta integrations, go to the Integrations page in Kibana, scroll down, and toggle on the Display beta integrations option.

Nextron Thor APT Scanner is a powerful threat hunting and incident response tool that provides comprehensive scanning capabilities for detecting advanced persistent threats (APTs), malware, and security vulnerabilities across Windows systems. The Nextron Thor APT Scanner integration enables you to consume and analyze Thor Cloud scan results within Elastic Security, providing centralized visibility into threat detection findings and facilitating automated incident response workflows.

Data streams

The Nextron Thor APT Scanner integration collects one type of data:

Thor Forwarding - Scan results and findings from Thor Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during system scans.

Requirements

This integration supports Elastic Agent-based data collection.

Elastic Agent

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions.

The minimum kibana.version required is 9.1.3.

This integration has been tested against the Nextron Thor Cloud API.

Setup

Get the Thor Cloud API URL

Access your Nextron Thor Cloud dashboard.
Navigate to the API settings section.
Copy the API Endpoint URL (default: https://thor-cloud.nextron-services.com/api).

Get the API Key

In the Thor Cloud dashboard, navigate to General Settings > API Key.
Click Generate.
Copy the generated API key. You won't be able to copy it after this stage.

Enable the integration in Elastic

In Kibana navigate to Management > Integrations.
In the search top bar, type Nextron Thor APT Scanner.
Select the Nextron Thor APT Scanner integration and add it.
Configure the required integration parameters:
- API URL: The Thor Cloud API endpoint URL
- API Key: Your Thor Cloud API key
- Initial Interval: How far back to pull scan logs (default: 24h)
- Interval: Duration between API requests (default: 5m)
Save the integration.

Note:

Scan data is fetched based on the configured initial interval and polling frequency.
The integration supports batch processing with configurable batch sizes for optimal performance.

Prepare Thor Cloud Access
- Log into your Nextron Thor Cloud dashboard
- Generate an API key from General Settings > API Key
- Note your API endpoint URL
Install Elastic Agent
- Follow the Elastic Agent installation guide
- Ensure the agent is properly enrolled in Fleet
Add the Integration
- Navigate to Kibana > Management > Integrations
- Search for "Nextron Thor APT Scanner"
- Click "Add Nextron Thor APT Scanner"
Configure Integration Settings
- Enter your Thor Cloud API URL
- Provide your API key
- Set initial interval (recommended: 24h for first run)
- Configure polling interval (recommended: 5m)
- Adjust batch size if needed (default: 100)
Deploy Configuration
- Review all settings
- Save and deploy the integration
- Monitor the agent logs for successful connection

Exported fields

Field	Description	Type	Metric Type
@timestamp	Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.	date
data_stream.dataset	The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.namespace	A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.type	An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.	constant_keyword
ecs.version	ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.	keyword
event.category	This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.	keyword
event.kind	This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not.	keyword
event.type	This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.	keyword
file.accessed	Last time the file was accessed. Note that not all filesystems keep track of access time.	date
file.ctime	Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.	date
file.group	Primary group name of the file.	keyword
file.hash.md5	MD5 hash.	keyword
file.hash.sha1	SHA1 hash.	keyword
file.hash.sha256	SHA256 hash.	keyword
file.mtime	Last time the file content was modified.	date
file.name	Name of the file including the extension, without the directory.	keyword
file.owner	File owner's username.	keyword
file.path	Full path to the file, including the file name. It should include the drive letter, when appropriate.	keyword
file.path.text	Multi-field of `file.path`.	match_only_text
file.size	File size in bytes. Only relevant when `file.type` is "file".	long
group	Group owner of a file in a files array (Linux/Unix systems).	keyword
input.type	Input type	keyword
log.level	Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.	keyword
message	For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.	match_only_text
tags	List of keywords used to tag each event.	keyword
thor.alerts	Number of alerts generated during the THOR scan.	long	counter
thor.command	Command line or executable path associated with a scheduled task, service, or process.	keyword
thor.connection_count	Total number of network connections associated with a process.	long	gauge
thor.created	creation time	date
thor.description	Description text for a service, file, or other system object.	keyword
thor.duration	Duration of a THOR scan module execution in seconds.	long
thor.enabled	Whether a scheduled task or service is enabled.	boolean
thor.entry	Registry entry value or cache entry (e.g., URL in MS Office connection cache).	keyword
thor.errors	Number of errors encountered during the THOR scan.	float
thor.event_consumer	WMI event consumer configuration or command.	keyword
thor.event_consumer_name	Name of a WMI event consumer used for persistence.	keyword
thor.event_filter	WMI event filter query (e.g., WQL SELECT statement).	keyword
thor.event_filter_name	Name of a WMI event filter used for persistence.	keyword
thor.exe_group	Group owner of an executable file (Linux/Unix systems).	keyword
thor.exe_magic	Detected file type based on magic bytes.	keyword
thor.exe_mode	File permissions mode of an executable (Linux/Unix systems).	keyword
thor.exe_owner	Owner of an executable file.	keyword
thor.executable	Path to an executable file.	keyword
thor.file.company	Company name from PE file metadata.	keyword
thor.file.created	creation time of the file	date
thor.file.description	File description from PE file metadata.	keyword
thor.file.ext	File extension of a detected file.	keyword
thor.file.first_bytes	First bytes of a file in hexadecimal format, often with ASCII representation.	keyword
thor.file.imphash	Import hash (imphash) of a PE file, used for malware classification.	keyword
thor.file.internal_name	Internal name from PE file metadata.	keyword
thor.file.legal_copyright	Legal copyright information from PE file metadata.	keyword
thor.file.original_name	Original filename from PE file metadata.	keyword
thor.file.permissions	File permissions or access control list (ACL) information.	keyword
thor.file.product	Product name from PE file metadata.	keyword
thor.file.type	File type classification (e.g., EXE, DLL, UNKNOWN, Import).	keyword
thor.files.company	Company name from PE file metadata in a files array.	keyword
thor.files.created	creation time of the file	date
thor.files.description	File description from PE file metadata in a files array.	keyword
thor.files.exists	Whether a file exists on the filesystem (e.g., "yes", "no").	keyword
thor.files.first_bytes	First bytes of a file in hexadecimal format in a files array.	keyword
thor.files.imphash	Import hash (imphash) of a PE file in a files array.	keyword
thor.files.internal_name	Internal name from PE file metadata in a files array.	keyword
thor.files.legal_copyright	Legal copyright information from PE file metadata in a files array.	keyword
thor.files.md5	MD5 hash of a file in a files array.	keyword
thor.files.original_name	Original filename from PE file metadata in a files array.	keyword
thor.files.owner	Owner of a file in a files array.	keyword
thor.files.path	Full path to a file in a files array.	keyword
thor.files.product	Product name from PE file metadata in a files array.	keyword
thor.files.sha1	SHA1 hash of a file in a files array.	keyword
thor.files.sha256	SHA256 hash of a file in a files array.	keyword
thor.files.size	Size of a file in bytes in a files array.	long
thor.files.type	File type classification in a files array (e.g., EXE, Windows At Job).	keyword
thor.filter_type	Type of WMI event filter (e.g., NTEventLogEventConsumer).	keyword
thor.full_name	Full name or display name of a user account.	keyword
thor.groupid	Group ID (GID) of a user account (Linux/Unix systems).	keyword
thor.hive	Path to a Windows registry hive file being analyzed.	keyword
thor.home	Home directory path of a user account.	keyword
thor.image.accessed	access time of the image	date
thor.image.changed	Change time (ctime) of an image/executable file (Linux/Unix systems).	date
thor.image.company	Company name from PE file metadata of an image/executable.	keyword
thor.image.created	creation time of the image	date
thor.image.description	File description from PE file metadata of an image/executable.	keyword
thor.image.first_bytes	First bytes of an image/executable file in hexadecimal format.	keyword
thor.image.group	Group owner of an image/executable file (Linux/Unix systems).	keyword
thor.image.imphash	Import hash (imphash) of an image/executable PE file.	keyword
thor.image.internal_name	Internal name from PE file metadata of an image/executable.	keyword
thor.image.legal_copyright	Legal copyright information from PE file metadata of an image/executable.	keyword
thor.image.md5	MD5 hash of an image/executable file.	keyword
thor.image.modified	modification time of the image	date
thor.image.original_name	Original filename from PE file metadata of an image/executable.	keyword
thor.image.owner	Owner of an image/executable file.	keyword
thor.image.path	Full path to an image/executable file.	keyword
thor.image.permissions	File permissions or access control list (ACL) of an image/executable.	keyword
thor.image.product	Product name from PE file metadata of an image/executable.	keyword
thor.image.sha1	SHA1 hash of an image/executable file.	keyword
thor.image.sha256	SHA256 hash of an image/executable file.	keyword
thor.image.size	Size of an image/executable file in bytes.	long
thor.image.type	File type classification of an image/executable (e.g., EXE, DLL).	keyword
thor.image_path	Image path or executable path for a Windows service.	keyword
thor.job	Path to a Windows At Job (scheduled task) file.	keyword
thor.key	Full path to a registry key or WMI binding key.	keyword
thor.key_name	Name of a registry key or service name.	keyword
thor.last_run	Last execution time of a scheduled task.	date
thor.listen_ports	Network ports on which a process is listening.	keyword
thor.logontype	Logon type for a scheduled task or service.	keyword
thor.memory_usage	Memory usage information for a process or system.	keyword
thor.modified	Modification time of a file, registry key, or other object.	date
thor.name	Name of a scheduled task, service, or other system object.	keyword
thor.next_run	Next scheduled execution time of a scheduled task.	date
thor.notices	Number of notices generated during the THOR scan.	float
thor.owner	Owner of a process, file, THOR license or other system object.	keyword
thor.parent	Path to the parent process executable.	keyword
thor.path	Path to a file, scheduled task, or other system object.	keyword
thor.pid	Process ID (PID) of a running process.	long
thor.ppid	Parent process ID (PPID) of a running process.	long
thor.process_name	Name of a running process executable.	keyword
thor.reason	Reason for a detection or alert (e.g., "Password is too short", "Port explicitly specified").	keyword
thor.reasons.matched.context	Contextual data surrounding a signature match (surrounding bytes or text).	keyword
thor.reasons.matched.data	Actual data that matched a signature rule (matched string or pattern).	keyword
thor.reasons.matched.offset	Byte offset within a file where a signature match occurred.	long
thor.reasons.name	Name or description of a detection reason (e.g., YARA rule name with description).	keyword
thor.reasons.score	Threat score assigned to a specific detection reason.	long
thor.reasons.sigclass	Signature class or type (e.g., YARA Rule, Filename IOC, Sigma Rule).	keyword
thor.reasons.signature.author	Author of a signature rule.	keyword
thor.reasons.signature.ref	Reference or source of a signature rule (e.g., threat intelligence feed, research).	keyword
thor.reasons.signature.ruledate	Date when a signature rule was created or last updated.	date
thor.reasons.signature.rulename	Name of a signature rule (e.g., YARA rule name).	keyword
thor.reasons.signature.tags	Tags associated with a signature rule (e.g., MITRE ATT&CK techniques, threat categories).	keyword
thor.reasons.sigtype	Signature type classification (e.g., internal, custom).	keyword
thor.run_as_group	Group under which a systemd service runs.	keyword
thor.run_as_user	User account under which a systemd service runs.	keyword
thor.runlevel	Run level or privilege level for a scheduled task (e.g., LeastPrivilege).	keyword
thor.scan_id	Unique identifier for a THOR scan.	keyword
thor.scanned_elements	Number of elements scanned with a module.	long	counter
thor.score	Threat score assigned to a detection (higher scores indicate higher severity).	long
thor.service_name	Name or display name of a Windows service.	keyword
thor.session	Session identifier for a process (e.g., Console, Services)	keyword
thor.sha1	SHA1 hash of a file.	keyword
thor.shell	Login shell path for a user account (Linux/Unix systems).	keyword
thor.start	Start time or start condition for a scheduled task.	date
thor.start_type	Startup type of a Windows service (e.g., AUTO_START, MANUAL, DISABLED).	keyword
thor.unit	Name of a systemd unit (Linux systems).	keyword
thor.unit_group	Group owner of a systemd unit file (Linux systems).	keyword
thor.unit_mode	File permissions mode of a systemd unit file (Linux systems).	keyword
thor.unit_owner	Owner of a systemd unit file (Linux systems).	keyword
thor.unit_path	Path to a systemd unit file (Linux systems).	keyword
thor.warnings	Number of warnings generated during the THOR scan.	float

Example Event

		{
    "@timestamp": "2025-11-10T17:52:49.000Z",
    "agent": {
        "ephemeral_id": "e54573c2-f5e4-4e78-b614-ad0d11b51769",
        "id": "23617f49-e7ce-42ae-ba5b-26fbb5ae1a06",
        "name": "elastic-agent-37213",
        "type": "filebeat",
        "version": "9.2.3"
    },
    "data_stream": {
        "dataset": "nextron_thor_apt_scanner.thor_forwarding",
        "namespace": "20381",
        "type": "logs"
    },
    "ecs": {
        "version": "9.2.0"
    },
    "elastic_agent": {
        "id": "23617f49-e7ce-42ae-ba5b-26fbb5ae1a06",
        "snapshot": false,
        "version": "9.2.3"
    },
    "event": {
        "category": [
            "file"
        ],
        "dataset": "nextron_thor_apt_scanner.thor_forwarding",
        "ingested": "2026-02-10T08:51:53Z",
        "kind": "event",
        "module": "AtJobs",
        "type": [
            "info"
        ],
        "version": "v2.0.0"
    },
    "host": {
        "name": "myhostname"
    },
    "input": {
        "type": "cel"
    },
    "log": {
        "level": "Info"
    },
    "message": "At Job detected",
    "related": {
        "hosts": [
            "myhostname"
        ]
    },
    "tags": [
        "forwarded"
    ],
    "thor": {
        "command": "",
        "job": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Task Manager\\Interactive",
        "logontype": "",
        "runlevel": "",
        "scan_id": "S-VavZi0stuDo"
    },
    "user": {
        "name": ""
    }
}
		
	

Screenshots

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.