# Enabling Windows Thor Analysis

Initially, the first step is to go to "Settings & Reporting" -> "Integration Settings". After that, click "Thor License Management". This page allows Thor License file definitions. Click on the "+License" button.

A little modal will open. Choose the license type with two options; "Thor" or "Thor Lite". Define the license type and click on to save button.

<figure><img src="/files/dQx8LLiLPxb9Xy7kkrjX" alt=""><figcaption></figcaption></figure>

After adding a license, create a "Windows Thor Analysis Policy". Go to the "Rules & Policies" -> "Policy Management" and "Policy Rules". On this page, click the "+Policy" button to create a new policy.

On the new policy page, choose the module and type. Select "SIGMA & YARA", and choose between "Windows YARA/Thor Analysis" or "Windows Thor Lite Analysis". Give a name to the policy. The description is optional.

Select the Thor license that was created. After selecting the license, change the collection interval. The default value is 30 minutes. Then set "Collection Time Intervals", which means the policy will run between the interval. Please choose the collection frequency, the system can run this policy always, once a day, week, or month. It is recommended to run weekly.&#x20;

Please choose info, notice, warning, and alert options in the "Minimum Collection Level". With these options, the system can send the Thor logs for the specified level. The system can run only selected modules. Up to five modules should be selected.&#x20;

Select the quick mode for faster scanning. The "Get Shim Cache" option is optional. Users can add custom commands on "Custom Command". Finally, click on the "Save" button.

<figure><img src="/files/HqEIP6UZIoXBOlSa7CiL" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/l34P2DS0JhMzl5FYKDjt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BgYDdxk8VhIdVm09Rrd4" alt=""><figcaption></figcaption></figure>

Now add this policy to the policy group. Go to "Group Management" under the "Rules & Policies" -> "Policy Management". On the grid, the system has a base group, click on the three dots right side of the grid and click on edit.

<figure><img src="/files/0ErxmIRJGita71u1BIPO" alt=""><figcaption></figcaption></figure>

Scroll down and find the "Thor Policy". Select the policy just created. Scroll to the bottom of the page and click on the "Save" button.  It is possible to see the results on the "YARA/Thor Analysis" grid under the "Threat Hunting" -> "Analysis & Investigation" module. Use classification rules to eliminate the false positive items.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.cloudcyte.com/getting-started/configuring-modules/network-security/enabling-windows-thor-analysis.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.