chore: thor cloud integration

index.rst

@@ -8,7 +8,7 @@ THOR with Microsoft Defender for Endpoint
 
    usage/requirements
    usage/thor-seed
-   usage/start-a-thor-scan
+   usage/thor-cloud
    usage/faqs
    usage/links-and-references
 

usage/faqs.rst

@@ -1,8 +1,11 @@
 FAQs
 ====
 
-Why does my scan suddenly terminate?
-------------------------------------
+THOR Seed
+---------
+
+Scan is terminating
+^^^^^^^^^^^^^^^^^^^
 
 Live response applies a rather disadvantages timeout for PowerShell
 scripts run within a Live Response session, which is 30 minutes by
@@ -38,8 +41,8 @@ retrieve your files and clean up the reports of the previous scan.
 
    THOR Seed after finished scan
 
-Why can't I see a progress indicator? 
---------------------------------------
+No Progress Indicator
+^^^^^^^^^^^^^^^^^^^^^
 
 The scripting environment doesn't give us the opportunity to report back
 any status information before the script terminates. All output written
@@ -49,8 +52,8 @@ although it appears earlier.
 Unfortunately, it is not possible to return information before the scan
 terminates.
 
-I cannot start a new THOR scan due to old log files?
-----------------------------------------------------
+Old log files prevent new scan
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Simply run a cleanup before starting a new scan.
 
@@ -59,8 +62,8 @@ Simply run a cleanup before starting a new scan.
    C:\> run thor-seed.ps1 -parameters "-Cleanup"
 
 
-I can't start a scan and get the error "THOR already running", why?
--------------------------------------------------------------------
+THOR alreay running error
+^^^^^^^^^^^^^^^^^^^^^^^^^
 
 It is possible that you've interrupted a previous script run with CTRL+C
 and got back to the shell. In Live Response, sub processes started by
@@ -75,22 +78,5 @@ the thor64.exe process that still runs in the background. It will show
 you information on the log file and print commands that you can use to
 download the log file and HTML report once THOR finished its work.
 
-Does each scan use up one of my licenses? 
-------------------------------------------
-
-Once you generate a license for a system, this license has a certain
-lifetime (e.g. 48 hours). You can start as many scans within that
-lifetime without using a new license from your quota.
-
-THOR doesn't stop if the scan takes longer than the license lifetime.
-
-If you start a new scan on a system that has be scanned in the past and
-the old license is expired, a new license will be generated and count
-against the quota.
-
-Can I use my own IOCs and YARA signatures with THOR Seed? 
-----------------------------------------------------------
-
-Not yet but we'll add an option to the THOR Seed PowerShell script to
-download and use a ZIP archive with custom IOCs and YARA signatures from
-a user defined location.
+THOR Cloud
+----------

usage/requirements.rst

@@ -92,13 +92,18 @@ On Investigated Workstations
 .. list-table:: Table 3 - Remote Hosts
     :header-rows: 1
 
-    * - Remote Host
+    * - Variant
+      - Remote Host
       - Port
-    * - cloud.nextron-systems.com
+    * - THOR Seed
+      - cloud.nextron-systems.com
+      - 443/tcp
+    * - THOR Cloud
+      - thor-cloud.nextron-services.com
       - 443/tcp
 
 .. hint:: 
-    this FQDN resolves to multiple IP addresses. See https://www.nextron-systems.com/hosts/.
+    Abov FQDNs resolve to multiple IP addresses. See https://www.nextron-systems.com/hosts/.
 
 Web Proxies
 ^^^^^^^^^^^

usage/thor-cloud.rst

@@ -0,0 +1,64 @@
+THOR Cloud
+==========
+
+This section focuses on our online platform ``THOR Cloud``.
+
+THOR Cloud eliminates the need for on-premise systems for
+licensing and scanner package downloads. With THOR Cloud,
+all you need is a small yet powerful tool known as the THOR
+Cloud launcher. Simply bring it to your endpoint or allow
+end users to download and execute it themselves.
+
+Download THOR Cloud Launcher Script
+-----------------------------------
+
+Once you logged into your THOR Cloud account, create a new Campaign
+or use an existing one. In the Campaign details, download the Launcher
+in the top right corner. You need to download the Script for your Operating
+System, as the Live Response feature only allows the execution of scripts.
+
+.. figure:: ../images/thor-cloud-launcher-download.png
+   :alt: Download the THOR Cloud Launcher Script
+
+   Download the THOR Cloud Launcher Script
+
+Start a Live Response Session
+-----------------------------
+
+You find different locations in Microsoft Defender Security Center that
+allow you to initiate a Live Response session.
+
+.. figure:: ../images/initiate-live-response-session.png
+   :alt: Initiate Live Response Session
+
+   Initiate Live Response Session
+
+Upload THOR Cloud Launcher
+--------------------------
+
+Use the button in the upper right corner of the window to upload
+the THOR Cloud Launcher script into the Live Response script library.
+
+.. figure:: ../images/live-response-upload-script.png
+   :alt: Upload Button
+
+   Upload Button
+
+Make sure to check "Overwrite file" to replace an older version of THOR
+Seed in your library.
+
+.. figure:: ../images/upload-thor-cloud-launcher.png
+   :alt: Upload THOR Seed
+
+   Upload THOR Seed
+
+Run THOR Cloud Launcher
+-----------------------
+
+After uploading THOR Seed to the Live Response script library, you can
+start the script with the "run" command.
+
+.. figure:: ../images/run-thor-seed.png
+   :alt: Run thor-seed.ps1 in Live Response session
+
+   Run thor-seed.ps1 in Live Response session