v4.8.0 - 2023-01-31

Features and Enhancements

  • Update file report ingest to create it:sec:c2:config and risk:tool:software nodes for extracted malware configs.

v4.7.4 - 2023-01-05


  • Update inet:flow and inet:dns:request nodes created from contacted_domains and contacted_ips file relationships to set the :sandbox:file prop rather than :exe or :src:exe.

v4.7.3 - 2022-10-10


  • Set the corresponding hash property on file:bytes nodes created by virustotal.file.behavior when enriching by MD5 or SHA-1 hash.

v4.7.2 - 2022-10-07


  • Fix an issue with handling malformed historical WHOIS records.

v4.7.1 - 2022-10-07


  • Fix an issue with handling malformed WHOIS records.

v4.7.0 - 2022-09-22

Features and Enhancements

  • Add virustotal.enrich command for enriching nodes with VirusTotal report data.

  • Add virustotal.domain.relationships, virustotal.ip.relationships, and virustotal.url.relationships commands for retrieving object relationship data.

  • Add dependency requirements to package definition.

v4.6.0 - 2022-09-02

Features and Enhancements

  • Add Node Actions for virustotal.ssl.history and virustotal.whois.history.

  • Update the crypto:x509:certificate:serial behavior to reflect the modeling change in Synapse v2.104.0.

  • Update and to create it:exec:query nodes with -(found)> edges.


  • Fix example in User Guide documentation.

v4.5.0 - 2022-06-01

Features and Enhancements

  • Support Synapse-FileParser >= 4.0.0.


  • Fix an issue where additional permissions were required to use Synapse-FileParser.

v4.4.0 - 2022-05-11

Features and Enhancements

  • Add virustotal.file.relationships command for retrieving file relationship data.

  • Update to also pull contacted_ips, contacted_domains, and contacted_urls by default.

  • Update virustotal.urls to create inet:http:request nodes with additional HTTP response data if available.

  • Update virustotal.dlfiles to accept inet:url nodes.

  • Update virustotal.dlfiles to create inet:urlfile nodes for all inbound node types. inet:download nodes will no longer be created for inet:ipv4 nodes.

  • Cached API responses are now stored in the JsonStor instead of in nodedata.

  • Update sandbox data ingestion to prefer the :sandbox:file property over :exe where appropriate.

v4.3.2 - 2022-04-06


  • Fix an issue in response handling when deleting livehunt notifications.

  • Fix a pagination issue in livehunt queries.

v4.3.1 - 2022-04-06


  • Update page result limit for virustotal.livehunt.files queries.

v4.3.0 - 2022-04-05

Features and Enhancements

  • Add virustotal.ssl.history command for retrieving historical SSL certificates.

  • Add virustotal.whois.history command for retrieving historical WHOIS records.

  • Add virustotal.livehunt.files command for retrieving livehunt notifications.

  • Add virustotal.livehunt.notifications.delete command for deleting livehunt notifications.


  • Use correct meta:source node when generating the User Guide and normalize the :name field to the current convention.

  • Fix a typo in the virustotal.file.behavior command help.

  • Add missing -(refs)> edges from inet:search:query nodes to search results.

  • Update .seen on inet:url and inet:ipv4 nodes returned in search results when possible.

v4.2.0 - 2022-01-19

Features and Enhancements

  • Update it:host creation to use the :desc property to record host description rather than the deprecated :model property.

  • Add command which queries the /api/v3/search endpoint rather than the /api/v3/intelligence/search endpoint used by

  • Add ingest handlers for domain, ip, and url results returned by search queries.

v4.1.0 - 2022-01-04


  • Clarify warning message output for invalid API keys.


  • Deprecate the virustotal.setup.tagdns and virustotal.setup.tagip commands. The virustotal.file.behavior command will no longer apply tags configured by these commands to inet:flow nodes and the commands will be removed in v5.0.0.

v4.0.2 - 2021-11-02


  • Fix an issue where it:av:filehit nodes were not being created.

v4.0.1 - 2021-10-06


  • Add description to Storm package.

v4.0.0 - 2021-10-04

Features and Enhancements

  • Initial release of the Synapse-VirusTotal Power-Up v4.0.0

Updating from 3.x.x

The previous 3.x.x version of Synapse-VirusTotal was distributed as a Storm Service using a Docker container. This service must be removed from the Cortex prior to updating.

See the Admin Guide for details on setting up the API key and user permissions.