1. Introduction

THOR log files are designed to provide as much information on a detected object as possible. However, the THOR scanner is designed to evaluate an object offline, without any data sources beyond the local signature sets. Many log messages must therefore be evaluated by an analyst who has access to other data sources and platforms.

This document is meant for analysts tasked with analyzing THOR log files. Each chapter contains guidelines for processing the messages of a particular module. Please see the chapter "Tools for Event Analysis" for an overview of tools for evaluating the events generated by THOR. This is not an exhaustive list, and some tools may be outdated or no longer exist at some point; it is important to keep up to date with the latest tools.