THOR-Util with HTML Report Generation

by Jun 20, 2018

The new version of “thor-util” (used with THOR/SPARK) / “spark-core-util” (used with SPARK Core) support a feature that allows a user to convert any scanner log file into a convenient report. 

  • Convert THOR / SPARK / SPARK Core scan logs into HTML reports
  • Convert a single text log file into an HTML report
  • Convert multiple log files (50 max.) in a directory into a single HTML report 
  • Provide a file with filters to suppress false positives in the reports
  • Even LOKI logs can be converted (no support)
  • Hash values linked to Virustotal searches
  • IP values linked to VirusTotal searches
  • Header sections linked to elements via ankers

You can access this feature in the upcoming enterprise products (THOR 8.47.2 and SPARK 1.13) and the free product SPARK Core (SPARK Core 1.13). 

The following screenshot shows a typical text log file. It can be processed in log analysis solutions but it is difficult to read for an analyst. Most analysts search these log files for “(Alert|Warning):” or use grep to get the most relevant messages.

Our tools “thor-util” and “spark-core-util” will help you with this task.

Generate an HTML report for a single log file

thor-util report --logfile PROMETHEUS_thor.log
Generate an HTML report for multiple log files

thor-util report --logdir ./logs

You can also provide a file with regular expressions that are applied during log parsing as filters to suppress false positives in the reports. 

The new tools will be in all productive packages at the end of this week. 

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.

Newsletter

New blog posts
(~1 email/month)

GDPR Cookie Consent with Real Cookie Banner Experienced a Breach?