Nextron Thor APT Scanner
| Version | 0.0.1 |
| Subscription level | Basic |
| Developed by | Elastic |
| Ingestion method(s) | API |
| Minimum Kibana version(s) | 9.2.0 |
To use beta integrations, go to the Integrations page in Kibana, scroll down, and toggle on the Display beta integrations option.
Nextron Thor APT Scanner is a powerful threat hunting and incident response tool that provides comprehensive scanning capabilities for detecting advanced persistent threats (APTs), malware, and security vulnerabilities across Windows systems. The Nextron Thor APT Scanner integration enables you to consume and analyze Thor Cloud scan results within Elastic Security, providing centralized visibility into threat detection findings and facilitating automated incident response workflows.
The Nextron Thor APT Scanner integration collects one type of data:
- Thor Forwarding - Scan results and findings from Thor Cloud API, including detected threats, malware signatures, suspicious files, and security events identified during system scans.
This integration supports Elastic Agent-based data collection.
Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions.
The minimum kibana.version required is 9.1.3.
This integration has been tested against the Nextron Thor Cloud API.
- Access your Nextron Thor Cloud dashboard.
- Navigate to the API settings section.
- Copy the API Endpoint URL (default: https://thor-cloud.nextron-services.com/api).
- In the Thor Cloud dashboard, navigate to General Settings > API Key.
- Click Generate.
- Copy the generated API key. You won't be able to copy it after this stage.
- In Kibana navigate to Management > Integrations.
- In the search top bar, type Nextron Thor APT Scanner.
- Select the Nextron Thor APT Scanner integration and add it.
- Configure the required integration parameters:
  - API URL: The Thor Cloud API endpoint URL
  - API Key: Your Thor Cloud API key
  - Initial Interval: How far back to pull scan logs (default: 24h)
  - Interval: Duration between API requests (default: 5m)
- Save the integration.
Note:
- Scan data is fetched based on the configured initial interval and polling frequency.
- The integration supports batch processing with configurable batch sizes for optimal performance.
Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.
Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
To completely set up the Nextron Thor APT Scanner integration:
Prepare Thor Cloud Access
- Log into your Nextron Thor Cloud dashboard
- Generate an API key from General Settings > API Key
- Note your API endpoint URL
Install Elastic Agent
- Follow the Elastic Agent installation guide
- Ensure the agent is properly enrolled in Fleet
Add the Integration
- Navigate to Kibana > Management > Integrations
- Search for "Nextron Thor APT Scanner"
- Click "Add Nextron Thor APT Scanner"
Configure Integration Settings
- Enter your Thor Cloud API URL
- Provide your API key
- Set initial interval (recommended: 24h for first run)
- Configure polling interval (recommended: 5m)
- Adjust batch size if needed (default: 100)
Deploy Configuration
- Review all settings
- Save and deploy the integration
- Monitor the agent logs for successful connection
Exported fields
| Field | Description | Type | Metric Type |
|---|---|---|---|
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | |
| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | |
| ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | |
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | |
| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | |
| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file. | date | |
| file.group | Primary group name of the file. | keyword | |
| file.hash.md5 | MD5 hash. | keyword | |
| file.hash.sha1 | SHA1 hash. | keyword | |
| file.hash.sha256 | SHA256 hash. | keyword | |
| file.mtime | Last time the file content was modified. | date | |
| file.name | Name of the file including the extension, without the directory. | keyword | |
| file.owner | File owner's username. | keyword | |
| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | |
| file.path.text | Multi-field of file.path. | match_only_text | |
| file.size | File size in bytes. Only relevant when file.type is "file". | long | |
| group | Group owner of a file in a files array (Linux/Unix systems). | keyword | |
| input.type | Input type. | keyword | |
| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in log.level. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are warn, err, i, informational. | keyword | |
| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | |
| tags | List of keywords used to tag each event. | keyword | |
| thor.alerts | Number of alerts generated during the THOR scan. | long | counter |
| thor.command | Command line or executable path associated with a scheduled task, service, or process. | keyword | |
| thor.connection_count | Total number of network connections associated with a process. | long | gauge |
| thor.created | Creation time. | date | |
| thor.description | Description text for a service, file, or other system object. | keyword | |
| thor.duration | Duration of a THOR scan module execution in seconds. | long | |
| thor.enabled | Whether a scheduled task or service is enabled. | boolean | |
| thor.entry | Registry entry value or cache entry (e.g., URL in MS Office connection cache). | keyword | |
| thor.errors | Number of errors encountered during the THOR scan. | float | |
| thor.event_consumer | WMI event consumer configuration or command. | keyword | |
| thor.event_consumer_name | Name of a WMI event consumer used for persistence. | keyword | |
| thor.event_filter | WMI event filter query (e.g., WQL SELECT statement). | keyword | |
| thor.event_filter_name | Name of a WMI event filter used for persistence. | keyword | |
| thor.exe_group | Group owner of an executable file (Linux/Unix systems). | keyword | |
| thor.exe_magic | Detected file type based on magic bytes. | keyword | |
| thor.exe_mode | File permissions mode of an executable (Linux/Unix systems). | keyword | |
| thor.exe_owner | Owner of an executable file. | keyword | |
| thor.executable | Path to an executable file. | keyword | |
| thor.file.company | Company name from PE file metadata. | keyword | |
| thor.file.created | Creation time of the file. | date | |
| thor.file.description | File description from PE file metadata. | keyword | |
| thor.file.ext | File extension of a detected file. | keyword | |
| thor.file.first_bytes | First bytes of a file in hexadecimal format, often with ASCII representation. | keyword | |
| thor.file.imphash | Import hash (imphash) of a PE file, used for malware classification. | keyword | |
| thor.file.internal_name | Internal name from PE file metadata. | keyword | |
| thor.file.legal_copyright | Legal copyright information from PE file metadata. | keyword | |
| thor.file.original_name | Original filename from PE file metadata. | keyword | |
| thor.file.permissions | File permissions or access control list (ACL) information. | keyword | |
| thor.file.product | Product name from PE file metadata. | keyword | |
| thor.file.type | File type classification (e.g., EXE, DLL, UNKNOWN, Import). | keyword | |
| thor.files.company | Company name from PE file metadata in a files array. | keyword | |
| thor.files.created | Creation time of the file. | date | |
| thor.files.description | File description from PE file metadata in a files array. | keyword | |
| thor.files.exists | Whether a file exists on the filesystem (e.g., "yes", "no"). | keyword | |
| thor.files.first_bytes | First bytes of a file in hexadecimal format in a files array. | keyword | |
| thor.files.imphash | Import hash (imphash) of a PE file in a files array. | keyword | |
| thor.files.internal_name | Internal name from PE file metadata in a files array. | keyword | |
| thor.files.legal_copyright | Legal copyright information from PE file metadata in a files array. | keyword | |
| thor.files.md5 | MD5 hash of a file in a files array. | keyword | |
| thor.files.original_name | Original filename from PE file metadata in a files array. | keyword | |
| thor.files.owner | Owner of a file in a files array. | keyword | |
| thor.files.path | Full path to a file in a files array. | keyword | |
| thor.files.product | Product name from PE file metadata in a files array. | keyword | |
| thor.files.sha1 | SHA1 hash of a file in a files array. | keyword | |
| thor.files.sha256 | SHA256 hash of a file in a files array. | keyword | |
| thor.files.size | Size of a file in bytes in a files array. | long | |
| thor.files.type | File type classification in a files array (e.g., EXE, Windows At Job). | keyword | |
| thor.filter_type | Type of WMI event filter (e.g., NTEventLogEventConsumer). | keyword | |
| thor.full_name | Full name or display name of a user account. | keyword | |
| thor.groupid | Group ID (GID) of a user account (Linux/Unix systems). | keyword | |
| thor.hive | Path to a Windows registry hive file being analyzed. | keyword | |
| thor.home | Home directory path of a user account. | keyword | |
| thor.image.accessed | Access time of the image. | date | |
| thor.image.changed | Change time (ctime) of an image/executable file (Linux/Unix systems). | date | |
| thor.image.company | Company name from PE file metadata of an image/executable. | keyword | |
| thor.image.created | Creation time of the image. | date | |
| thor.image.description | File description from PE file metadata of an image/executable. | keyword | |
| thor.image.first_bytes | First bytes of an image/executable file in hexadecimal format. | keyword | |
| thor.image.group | Group owner of an image/executable file (Linux/Unix systems). | keyword | |
| thor.image.imphash | Import hash (imphash) of an image/executable PE file. | keyword | |
| thor.image.internal_name | Internal name from PE file metadata of an image/executable. | keyword | |
| thor.image.legal_copyright | Legal copyright information from PE file metadata of an image/executable. | keyword | |
| thor.image.md5 | MD5 hash of an image/executable file. | keyword | |
| thor.image.modified | Modification time of the image. | date | |
| thor.image.original_name | Original filename from PE file metadata of an image/executable. | keyword | |
| thor.image.owner | Owner of an image/executable file. | keyword | |
| thor.image.path | Full path to an image/executable file. | keyword | |
| thor.image.permissions | File permissions or access control list (ACL) of an image/executable. | keyword | |
| thor.image.product | Product name from PE file metadata of an image/executable. | keyword | |
| thor.image.sha1 | SHA1 hash of an image/executable file. | keyword | |
| thor.image.sha256 | SHA256 hash of an image/executable file. | keyword | |
| thor.image.size | Size of an image/executable file in bytes. | long | |
| thor.image.type | File type classification of an image/executable (e.g., EXE, DLL). | keyword | |
| thor.image_path | Image path or executable path for a Windows service. | keyword | |
| thor.job | Path to a Windows At Job (scheduled task) file. | keyword | |
| thor.key | Full path to a registry key or WMI binding key. | keyword | |
| thor.key_name | Name of a registry key or service name. | keyword | |
| thor.last_run | Last execution time of a scheduled task. | date | |
| thor.listen_ports | Network ports on which a process is listening. | keyword | |
| thor.logontype | Logon type for a scheduled task or service. | keyword | |
| thor.memory_usage | Memory usage information for a process or system. | keyword | |
| thor.modified | Modification time of a file, registry key, or other object. | date | |
| thor.name | Name of a scheduled task, service, or other system object. | keyword | |
| thor.next_run | Next scheduled execution time of a scheduled task. | date | |
| thor.notices | Number of notices generated during the THOR scan. | float | |
| thor.owner | Owner of a process, file, THOR license or other system object. | keyword | |
| thor.parent | Path to the parent process executable. | keyword | |
| thor.path | Path to a file, scheduled task, or other system object. | keyword | |
| thor.pid | Process ID (PID) of a running process. | long | |
| thor.ppid | Parent process ID (PPID) of a running process. | long | |
| thor.process_name | Name of a running process executable. | keyword | |
| thor.reason | Reason for a detection or alert (e.g., "Password is too short", "Port explicitly specified"). | keyword | |
| thor.reasons.matched.context | Contextual data surrounding a signature match (surrounding bytes or text). | keyword | |
| thor.reasons.matched.data | Actual data that matched a signature rule (matched string or pattern). | keyword | |
| thor.reasons.matched.offset | Byte offset within a file where a signature match occurred. | long | |
| thor.reasons.name | Name or description of a detection reason (e.g., YARA rule name with description). | keyword | |
| thor.reasons.score | Threat score assigned to a specific detection reason. | long | |
| thor.reasons.sigclass | Signature class or type (e.g., YARA Rule, Filename IOC, Sigma Rule). | keyword | |
| thor.reasons.signature.author | Author of a signature rule. | keyword | |
| thor.reasons.signature.ref | Reference or source of a signature rule (e.g., threat intelligence feed, research). | keyword | |
| thor.reasons.signature.ruledate | Date when a signature rule was created or last updated. | date | |
| thor.reasons.signature.rulename | Name of a signature rule (e.g., YARA rule name). | keyword | |
| thor.reasons.signature.tags | Tags associated with a signature rule (e.g., MITRE ATT&CK techniques, threat categories). | keyword | |
| thor.reasons.sigtype | Signature type classification (e.g., internal, custom). | keyword | |
| thor.run_as_group | Group under which a systemd service runs. | keyword | |
| thor.run_as_user | User account under which a systemd service runs. | keyword | |
| thor.runlevel | Run level or privilege level for a scheduled task (e.g., LeastPrivilege). | keyword | |
| thor.scan_id | Unique identifier for a THOR scan. | keyword | |
| thor.scanned_elements | Number of elements scanned with a module. | long | counter |
| thor.score | Threat score assigned to a detection (higher scores indicate higher severity). | long | |
| thor.service_name | Name or display name of a Windows service. | keyword | |
| thor.session | Session identifier for a process (e.g., Console, Services). | keyword | |
| thor.sha1 | SHA1 hash of a file. | keyword | |
| thor.shell | Login shell path for a user account (Linux/Unix systems). | keyword | |
| thor.start | Start time or start condition for a scheduled task. | date | |
| thor.start_type | Startup type of a Windows service (e.g., AUTO_START, MANUAL, DISABLED). | keyword | |
| thor.unit | Name of a systemd unit (Linux systems). | keyword | |
| thor.unit_group | Group owner of a systemd unit file (Linux systems). | keyword | |
| thor.unit_mode | File permissions mode of a systemd unit file (Linux systems). | keyword | |
| thor.unit_owner | Owner of a systemd unit file (Linux systems). | keyword | |
| thor.unit_path | Path to a systemd unit file (Linux systems). | keyword | |
| thor.warnings | Number of warnings generated during the THOR scan. | float | |
Example
```json
{
    "@timestamp": "2025-11-10T17:52:49.000Z",
    "agent": {
        "ephemeral_id": "e54573c2-f5e4-4e78-b614-ad0d11b51769",
        "id": "23617f49-e7ce-42ae-ba5b-26fbb5ae1a06",
        "name": "elastic-agent-37213",
        "type": "filebeat",
        "version": "9.2.3"
    },
    "data_stream": {
        "dataset": "nextron_thor_apt_scanner.thor_forwarding",
        "namespace": "20381",
        "type": "logs"
    },
    "ecs": {
        "version": "9.2.0"
    },
    "elastic_agent": {
        "id": "23617f49-e7ce-42ae-ba5b-26fbb5ae1a06",
        "snapshot": false,
        "version": "9.2.3"
    },
    "event": {
        "category": [
            "file"
        ],
        "dataset": "nextron_thor_apt_scanner.thor_forwarding",
        "ingested": "2026-02-10T08:51:53Z",
        "kind": "event",
        "module": "AtJobs",
        "type": [
            "info"
        ],
        "version": "v2.0.0"
    },
    "host": {
        "name": "myhostname"
    },
    "input": {
        "type": "cel"
    },
    "log": {
        "level": "Info"
    },
    "message": "At Job detected",
    "related": {
        "hosts": [
            "myhostname"
        ]
    },
    "tags": [
        "forwarded"
    ],
    "thor": {
        "command": "",
        "job": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Task Manager\\Interactive",
        "logontype": "",
        "runlevel": "",
        "scan_id": "S-VavZi0stuDo"
    },
    "user": {
        "name": ""
    }
}
```
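As an added example (not code from the integration, Elastic or Nextron), the following Python takes forwarded events in the ECS shape shown above, groups them by thor.scan_id, ranks scored findings by thor.score (higher means more severe, per the field table) and collects file hashes as pivot values; unscored informational output such as the At Job event is counted per log.level but not ranked. The sample events, rule names and hash are constructed.

```python
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed samples in the documented ECS shape, not real scan output
    {   # informational module output with no thor.score, like the example above
        "@timestamp": "2025-11-10T17:52:49.000Z", "log": {"level": "Info"},
        "message": "At Job detected", "host": {"name": "myhostname"}, "event": {"module": "AtJobs"},
        "thor": {"scan_id": "S-VavZi0stuDo", "command": "",
                 "job": "C:\\Windows\\System32\\Tasks\\Example\\Interactive"},
    },
    {   # scored finding with two detection reasons and a file hash to pivot on
        "@timestamp": "2025-11-10T17:53:10.000Z", "log": {"level": "Alert"},
        "message": "Malware file found", "host": {"name": "myhostname"}, "event": {"module": "Filescan"},
        "file": {"path": "C:\\Users\\Public\\x.exe",
                 "hash": {"sha256": "0" * 64}},  # placeholder hash value
        "thor": {"scan_id": "S-VavZi0stuDo", "score": 140, "reasons": [
            {"sigclass": "YARA Rule", "score": 75,
             "signature": {"rulename": "EXAMPLE_Rule_A"}},
            {"sigclass": "Filename IOC", "score": 65,
             "signature": {"rulename": "EXAMPLE_IOC_B"}}]},
    },
]


def dig(obj, path, default=None):
    """Return the value at a dotted path such as 'thor.scan_id', or default."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return default
        obj = obj[part]
    return obj


def summarise_scans(events, min_score=0):
    """Group events by thor.scan_id and rank scored findings by thor.score.
    Unscored events (informational module output) are only counted per
    log.level; empty strings are treated as absent values."""
    scans = defaultdict(lambda: {"host": None, "events": 0, "findings": [],
                                 "by_level": defaultdict(int), "hashes": set()})
    for ev in events:
        s = scans[dig(ev, "thor.scan_id", "unknown")]
        s["host"] = dig(ev, "host.name") or s["host"]
        s["events"] += 1
        s["by_level"][dig(ev, "log.level", "unknown")] += 1
        score = dig(ev, "thor.score")
        if score is None or score < min_score:
            continue  # nothing to rank for this event
        sha = dig(ev, "file.hash.sha256") or dig(ev, "thor.image.sha256")
        if sha:
            s["hashes"].add(sha)  # pivot value for hunting across hosts
        s["findings"].append({
            "score": score, "module": dig(ev, "event.module"),
            "path": dig(ev, "file.path") or dig(ev, "thor.image.path"),
            "reasons": [(dig(r, "sigclass"), dig(r, "signature.rulename"),
                         dig(r, "score")) for r in dig(ev, "thor.reasons", [])],
        })
    for s in scans.values():
        s["findings"].sort(key=lambda f: f["score"], reverse=True)
        s["by_level"] = dict(s["by_level"])
    return dict(scans)


if __name__ == "__main__":
    for scan_id, s in summarise_scans(SAMPLE_EVENTS).items():
        print(scan_id, s["host"], s["by_level"], s["findings"])
```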
This integration includes one or more Kibana dashboards that visualize the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.
Changelog
| Version | Details | Minimum Kibana version |
|---|---|---|
| 0.0.1 | Enhancement: Initial draft of the package | — |