
nextron_thor_apt_scanner: integration quality improvements - phase-2#19880

Merged
navnit-elastic merged 3 commits into
elastic:mainfrom
navnit-elastic:nextron_thor_apt_scanner-19162
Jul 1, 2026

Conversation

@navnit-elastic

@navnit-elastic navnit-elastic commented Jun 30, 2026

Contributor

Proposed commit message

nextron_thor_apt_scanner: improve overview dashboard and THOR Cloud documentation

Rebuild the [Nextron Thor] Overview dashboard and revise integration docs
so analysts can triage THOR Cloud findings accurately and new users can
deploy the integration without gaps.

Dashboard and UX:
- Rebuild the overview dashboard with severity-based KPIs, findings
  timeline, and top modules, hosts, and rules/signatures
- Add dashboard controls for scan ID, hostname, severity, and module
- Add a default Discover saved search for finding triage with
  log.level, event.module, message, and thor.reasons.name columns
- Update the dashboard screenshot and exclude SVR00004 in validation.yml

Documentation:
- Rewrite the integration overview for THOR Cloud (platforms, data flow,
  API compatibility, and THOR Cloud Launcher prerequisites)
- Document that encrypted scan reports are not ingested and how to
  verify collection in Setup

Note

This PR addresses workstream-3 and workstream-4 from #19162.

Review commit-wise.

Workstream 3 — Analyst UX & Dashboards

  • Alert, Warning, and Notice counts on the dashboard match the actual indexed event counts.
  • The dashboard includes a detection timeline broken down by severity.
  • The dashboard shows top modules, top rules/signatures, and top hosts by finding count.
  • High-severity detections (Alerts) are visually distinct from lower-severity findings.
  • The default Discover view for THOR data shows log.level, event.module, message, and thor.reasons.name as default columns.
  • The view is saved as the integration default so analysts see it without manual configuration.

Workstream 4 — Documentation & Configuration

  • Overview title correctly references THOR Cloud.
  • Minimum supported versions for THOR Cloud, THOR Cloud Lite, and the API are documented.
  • Data flow diagram or description covers: Endpoint ↔ THOR Cloud Launcher ↔ THOR Cloud API ↔ Elastic Agent CEL input ↔ Elastic data stream.
  • Linux and macOS are included in the supported platforms.
  • Duplicate setup steps are removed.
  • The prerequisite to deploy THOR Cloud Launcher and complete a scan is clearly stated.
  • The preserve_duplicate_custom_fields description correctly references thor.* fields, not Wiz.
  • The Requirements section states that THOR Reports must not be encrypted for ingestion to succeed.
  • The Setup verification step includes a check or note about encrypted reports.
  • Users who configure the integration with encrypted reports receive a warning or clear diagnostic guidance.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

  • screencapture-localhost-5601-app-integrations-browse-2026-07-01-11_11_24
  • nextron_thor_apt_scanner-thor_forwarding-overview-dashboard
  • screencapture-localhost-5601-app-integrations-detail-nextron-thor-apt-scanner-0-5-0-overview-2026-07-01-11_11_41
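As an added example that is not part of this PR or of the nextron_thor_apt_scanner package: a small Python script covering the two things the workstreams above ask for, a pre-ingest diagnostic that fails loudly on a report that is not plaintext JSON lines (the PR documents that encrypted scan reports are not ingested), and the severity-count, top module/host/rule and triage-column roll-ups that the rebuilt dashboard and the default Discover saved search present. The record layout and every sample line are constructed to mirror the column names in the PR (log.level, event.module, message, thor.reasons.name); the assumption that an encrypted report arrives as non-UTF-8 or non-JSON bytes is mine and says nothing about THOR's real encrypted format.

```python
"""Added example, not package code. Record layout is an assumption that
mirrors the saved-search columns named in the PR, not THOR's real schema."""
import json
from collections import Counter

# Dashboard KPI order, highest severity first.
SEVERITIES = ("Alert", "Warning", "Notice")

# Constructed sample of plaintext JSON-lines findings (not real THOR output).
SAMPLE_REPORT = b"""\
{"log":{"level":"Alert"},"event":{"module":"Filescan"},"message":"Suspicious file","host":{"name":"ws-01"},"thor":{"reasons":[{"name":"RULE_A"}]}}
{"log":{"level":"Warning"},"event":{"module":"ProcessCheck"},"message":"Odd process","host":{"name":"ws-02"},"thor":{"reasons":[{"name":"RULE_B"}]}}
{"log":{"level":"Notice"},"event":{"module":"Filescan"},"message":"Informational","host":{"name":"ws-01"},"thor":{"reasons":[]}}
{"log":{"level":"Alert"},"event":{"module":"Filescan"},"message":"Another hit","host":{"name":"ws-03"},"thor":{"reasons":[{"name":"RULE_A"},{"name":"RULE_C"}]}}
"""

# Constructed stand-in for an encrypted report body: opaque bytes that are
# not valid UTF-8, the kind of input an ingest pipeline cannot parse.
ENCRYPTED_STAND_IN = bytes(range(256)) * 4


def get_path(record, path, default=None):
    """Walk a dotted path such as 'thor.reasons' through nested dicts."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def classify_report(raw):
    """Return ("ok", records) for parseable JSON lines, else ("error", diagnostic).

    Encrypted reports are not ingested, so the diagnostic names that cause
    explicitly instead of letting the report fail silently downstream.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "error", ("report is not UTF-8 text; encrypted THOR reports are not "
                         "ingested, re-run the scan with report encryption disabled")
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            return "error", f"line {lineno} is not JSON; report may be encrypted or truncated"
        if not isinstance(obj, dict):
            return "error", f"line {lineno} is JSON but not an object"
        records.append(obj)
    if not records:
        return "error", "report contains no findings"
    return "ok", records


def severity_counts(records):
    """One KPI per severity, comparable against the indexed event totals."""
    counts = Counter(get_path(r, "log.level") for r in records)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def top_by(records, path, limit=5):
    """Top-N by finding count for a scalar field such as event.module or host.name."""
    return Counter(get_path(r, path) for r in records).most_common(limit)


def top_rules(records, limit=5):
    """Top rules/signatures; one finding may cite several thor.reasons entries."""
    names = Counter()
    for r in records:
        for reason in get_path(r, "thor.reasons", []) or []:
            if isinstance(reason, dict) and reason.get("name"):
                names[reason["name"]] += 1
    return names.most_common(limit)


def triage_rows(records):
    """Rows in the saved-search column order, highest severity first."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    rows = [
        (get_path(r, "log.level"), get_path(r, "event.module"), r.get("message"),
         [x.get("name") for x in get_path(r, "thor.reasons", []) or [] if isinstance(x, dict)])
        for r in records
    ]
    rows.sort(key=lambda row: rank.get(row[0], len(SEVERITIES)))
    return rows


if __name__ == "__main__":
    print(classify_report(ENCRYPTED_STAND_IN))
    status, records = classify_report(SAMPLE_REPORT)
    print(severity_counts(records), top_by(records, "event.module"),
          top_by(records, "host.name"), top_rules(records))
    for row in triage_rows(records):
        print(row)
```

The diagnostic path is the part worth keeping: a report that decrypts to nothing the pipeline can parse should surface as a named condition in the Setup verification step rather than as an empty data stream.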

@navnit-elastic navnit-elastic self-assigned this Jun 30, 2026
@navnit-elastic navnit-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request dashboard Relates to a Kibana dashboard bug, enhancement, or modification. Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jun 30, 2026
@github-actions

github-actions Bot commented Jun 30, 2026

Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@navnit-elastic navnit-elastic force-pushed the nextron_thor_apt_scanner-19162 branch 3 times, most recently from 0d99e23 to 9337dda June 30, 2026 10:00
@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod Bot commented Jun 30, 2026


🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@navnit-elastic navnit-elastic marked this pull request as ready for review June 30, 2026 10:21
@navnit-elastic navnit-elastic requested review from a team as code owners June 30, 2026 10:21
@infra-vault-gh-plugin-prod


Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@vera-review-bot


👀 I have started reviewing the PR

Comment thread packages/nextron_thor/_dev/build/docs/README.md Outdated
@@ -1,6 +1,6 @@
# Nextron Thor APT Scanner
# Nextron THOR Cloud
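Review bot: renaming the H1 alone leaves the document self-inconsistent; the in-doc setup step that tells users to search Kibana for 'Nextron Thor APT Scanner' (quoted in the comment below) should change in the same hunk as the heading, and the manifest.yml title update should land in the same commit, so that the heading, the Fleet display name and the search instruction read "Nextron THOR Cloud" together.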



🔵 LOW _dev/build/docs/README.md:1

README heading name differs from package title

The README H1 is now 'Nextron THOR Cloud', but the package title in manifest.yml is 'Nextron Thor APT Scanner' and the in-doc setup instruction still tells users to search Kibana for 'Nextron Thor APT Scanner'. The same integration is therefore referred to by two different display names, which is confusing for users matching the doc against what appears in Fleet.

Recommendation:

Align the README heading with the package title shown in Kibana (or update the manifest title if a rebrand is intended). For example, keep the registered name in the heading:

# Nextron Thor APT Scanner

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

Contributor Author


Updated the package title in manifest.yml to 'Nextron THOR Cloud'.

@navnit-elastic navnit-elastic force-pushed the nextron_thor_apt_scanner-19162 branch from 9337dda to 3f50775 June 30, 2026 12:02
@vera-review-bot


👀 I have started reviewing the PR

@vera-review-bot


Vera Review Bot

For the current commit state, I did not find any issues.



@efd6 efd6 left a comment

Contributor


nits only

Comment thread packages/nextron_thor/changelog.yml Outdated
- description: Revise the integration overview for THOR Cloud accuracy, and document the encrypted report limitation.
type: enhancement
link: https://github.com/elastic/integrations/pull/19880
- description: Improve the [Nextron Thor] Overview dashboard for accuracy, coverage, and control.

Contributor


Suggested change
- description: Improve the [Nextron Thor] Overview dashboard for accuracy, coverage, and control.
- description: Improve the overview dashboard for accuracy, coverage, and control.

This integration supports Agentless and Elastic Agent-based data collection.

Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
The minimum **kibana.version** required is **9.2.0**.
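Review bot: the sentence "Elastic Agent is required to stream data from the syslog or log file receiver" does not describe this integration's collection path; the PR description documents the flow as THOR Cloud API to Elastic Agent CEL input to the Elastic data stream, so this line should say that the Agent's CEL input polls the THOR Cloud API (and mention the THOR Cloud Launcher prerequisite), not syslog or log-file receivers. The "Agentless and Elastic Agent-based" claim should likewise be checked against what the manifest actually declares, and the **kibana.version** line is duplicated from the manifest and will go stale on the next version bump.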

Contributor


I don't think we need this; it is already in the manifest.

Contributor Author


Agreed, this might get stale with the Kibana version change in the manifest.

@vera-review-bot


👀 I have started reviewing the PR

@elastic-vault-github-plugin-prod


✅ All changelog entries have the correct PR link.

@vera-review-bot


Vera Review Bot

For the current commit state, I did not find any issues.



@infra-vault-gh-plugin-prod


💚 Build Succeeded

History

cc @navnit-elastic

@mergify

mergify Bot commented Jul 1, 2026

Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@navnit-elastic navnit-elastic merged commit f8ef9d7 into elastic:main Jul 1, 2026
13 checks passed
@elastic-vault-github-plugin-prod


Package nextron_thor_apt_scanner - 0.5.0 containing this change is available at https://epr.elastic.co/package/nextron_thor_apt_scanner/0.5.0/


Labels

dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:nextron_thor_apt_scanner Nextron THOR Cloud Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]


3 participants