Faster. Cleaner. More focused review.

Reviewing large THOR scan reports can be time-consuming, especially when analysts need to quickly understand why a detection was triggered, identify the affected artifact, and separate signal from noise.

To make this process faster and more intuitive, we are introducing a redesigned log inspection experience in THOR Cloud. The new view helps analysts review findings more efficiently, understand detections faster, and navigate large reports with significantly less effort.

This is the first public iteration of a broader redesign effort currently ongoing in THOR Cloud. Our goal is to improve the analyst experience and make the review workflow more efficient without hiding important technical details.

Built for Real Investigation Workflows

The new log inspection view is designed for teams working with real scan results during incident response, compromise assessments, threat hunting, and routine endpoint reviews.

Whether analysts are reviewing a handful of suspicious findings or working through larger reports with many events, the new interface makes it easier to stay focused, maintain context, and move through findings more quickly.

Redesigned THOR Cloud Report View

The redesigned report view brings together filtering, event navigation, severity counters, event details, detection reasons, and matched strings in a single structured interface.

This gives analysts a clearer overview of the current report while keeping the most important review actions directly accessible.

Overview of the redesigned THOR Cloud log inspection view.

A More Condensed Event Layout

The new event layout is significantly more condensed and structured than the previous view.

Each event is organized into clearly separated sections. The event header contains key metadata such as score, module, event type, host, and timestamp. The subject area shows the affected artifact and relevant fields. The reasons section explains why the event was generated, including the rules and signatures that triggered the detection.

This structure makes it easier to scan through large reports, compare findings, and quickly understand both the affected artifact and the rationale behind the event without having to expand additional views or navigate away from the current context.

Condensed event layout with dedicated event header, subject, and detection reason sections.

Matched Strings Highlighted in Context

One of the most important improvements is the direct highlighting of matched strings.

When THOR reports a match, the relevant string is now highlighted directly in its surrounding context. This makes it easier to understand why an event was raised and how the match relates to the file, process, command line, registry value, or other artifact being reviewed.

This is especially useful when analyzing long command lines, script content, paths, or suspicious strings where the relevant part can otherwise be hard to spot.

Matched strings are highlighted directly within their surrounding context.

Favorite Fields Always in View

During incident response and compromise assessment work, analysts often need quick access to the most relevant information without repeatedly expanding events.

Each type of object in the report has a set of favorite fields that are always shown in the event overview. This ensures that important details remain visible while scrolling through findings and helps maintain context during review.

Analysts can customize these favorite fields by adding or removing fields based on their workflow and investigation needs. Whether you prefer to see hashes, file paths, command lines, scores, signatures, or other attributes first, the overview can be tailored accordingly.

Filtering Directly Inside the Report

The new report view allows analysts to filter events directly while reviewing a report.

Free-text filters can be added from the filter section. For field-specific filtering, analysts can hover over a field and select the filter icon to focus on a specific value.

It is also possible to highlight a string or substring with the mouse, right-click it, and filter the report based on the selected text. This is especially useful when working with long command lines, paths, script content, or other fields where only part of the value is relevant.

Create filters directly from selected values and text fragments.

Saved Filters and False Positive Filtering

Filters can also be saved and reused.

This is useful for teams that regularly review reports in a similar way, for example by focusing on high-priority events first, hiding known noise, or creating review presets for different investigation scenarios.

Saved filters help standardize review workflows and reduce repetitive manual steps.

In addition to saving filters for later use, the currently active filters can also be added directly to the THOR Cloud False Positive Filter Set. This allows matching events to be suppressed in future scans, helping teams reduce recurring noise and focus on relevant findings.

Save reusable filter sets and manage false-positive filtering workflows.

Key Benefits

• Review THOR reports faster through a more compact layout
• Understand detections without expanding additional views
• Identify matched strings directly in context
• Keep important object fields visible while scrolling
• Create filters directly from fields, values, and selected text
• Save reusable filter sets for recurring workflows
• Reduce noise by adding active filters to the False Positive Filter Set

First Step in a Larger Redesign Effort

This release is not the final state of the THOR Cloud report experience. It is the first public iteration of a larger redesign effort currently ongoing.

We are continuing to improve the way findings are displayed, filtered, prioritized, and reviewed in THOR Cloud. The new log inspection view gives us a foundation for additional usability improvements and workflow enhancements in upcoming releases.

Try the New Log Inspection View

The redesigned log inspection experience is available now in THOR Cloud and THOR Cloud Lite.

If you are already using THOR Cloud, open any recent scan report to explore the new interface.

If you are not using THOR Cloud yet, start with THOR Cloud Lite and experience the redesigned investigation workflow on your own systems within minutes.

Feedback Welcome

This redesign is only the first step.

We are actively working on additional improvements around report navigation, finding prioritization, filtering workflows, and analyst productivity.

If you have suggestions, missing fields, filter ideas, or workflow improvements you would like to see, please contact us. Your feedback helps us shape the next iterations of the THOR Cloud report experience.