Changelog

Synapse-VirusTotal Changelog

v5.4.0 - 2025-05-30

Automatic Migrations

  • Deleted inet:web:acct and inet:web:attachment nodes that were previously migrated in Synapse-VirusTotal v5.0.0.

v5.3.0 - 2025-03-07

Features and Enhancements

  • Added new endpoints section in command help to document the endpoints used by each command, accessible via the --help flag.

  • Updated virustotal.search and virustotal.file.search to populate the it:exec:query:synuser property.

Bugfixes

  • Fixed a bug in the v5.0.0 migration of inet:web:acct and inet:web:attachment nodes where the migration would fail when the data being migrated was in a view other than the default view. If the migration failed, it would have failed early and without loss of data but may have created a stray inet:service:account or inet:service:message:attachment node in the default view.

  • Revised the examples for the virustotal.url.relationships command to use the comments and downloaded_files relationships.

  • Fixed an issue where file reports with missing SHA-256 hashes were not being ingested correctly.

v5.2.0 - 2025-02-19

Features and Enhancements

  • Updated ingest for domain and URL reports to set it:av:scan:result:categories for scanners which provide categorization information.

Bugfixes

  • Fixed an issue where file signing certificates with missing validity timestamps were not handled correctly.

v5.1.0 - 2025-02-05

Features and Enhancements

  • Added debug output for HTTP responses from calls to the VirusTotal API.

v5.0.0 - 2025-01-27

Automatic Migrations

  • Migrated existing inet:web:acct and inet:web:attachment nodes from ingesting submissions and comments to inet:service:account, inet:service:message, and inet:service:message:attachment nodes.

  • Migrated all inet:ssl:cert created by Synapse-VirusTotal to inet:tls:servercert nodes. The migrated inet:ssl:cert nodes are removed by this migration if they don’t have any other meta:source -(seen)> edges.

  • Migrated all it:av:filehit and meta:rule nodes created by Synapse-VirusTotal to it:av:scan:result nodes. The migrated it:av:filehit and meta:rule nodes are removed by this migration.

Features and Enhancements

  • Updated ingest for submissions and comments to use inet:service:* model elements instead of inet:web:* elements.

  • Updated Power-Up to make inet:tls:servercert nodes instead of deprecated inet:ssl:cert nodes.

  • Updated deprecated $lib.list() usage to JSON style syntax.

  • Deprecated virustotal.migrationAvHit() on-demand migration function.

v4.19.1 - 2024-10-09

Bugfixes

  • Fix an issue in URL report ingest where the .seen time on file:bytes nodes associated with the SHA-256 hash of the last HTTP response was set incorrectly.

v4.19.0 - 2024-09-04

Features and Enhancements

  • Add virustotal.iocstream command for retrieving IoC stream notifications.

v4.18.1 - 2024-08-05

Bugfixes

  • Fix an issue where some validity dates for file signing certificates were not parsed correctly.

v4.18.0 - 2024-03-15

Features and Enhancements

  • Update $lib.bytes usage with $lib.axon APIs.

  • Update the virustotal.file.relationships command to accept hash:md5, hash:sha1, and hash:sha256 nodes as input.

  • Create crypto:x509:signedfile and file:mime:pe:vsvers:info nodes using signature_info data included in file reports.

Bugfixes

  • Fix an issue where SSL certificate ingest could raise an error when attempting to populate identity lists.

v4.17.0 - 2024-02-20

Features and Enhancements

  • Include the requested hash in the warning message for failed file downloads.

  • Update deprecated $lib.dict() usage to JSON style syntax.

v4.16.0 - 2024-02-06

Features and Enhancements

  • Add a node action for virustotal.enrich.

  • Retrieve the last_serving_ip_address relationship by default when retrieving URL reports using the virustotal.enrich command.

  • Add an on-demand migration for it:av:filehit nodes and URL/FQDN/IPv4 AV scan results. See the Admin Guide for additional details.

v4.15.0 - 2024-01-05

Features and Enhancements

  • Update AV scan result ingest to use it:av:scan:result for recording individual scan results and rollup stats.

v4.14.0 - 2023-12-08

Features and Enhancements

  • Update virustotal.file.behaviors command to set both the it:exec:proc:cmd and it:exec:proc:name properties with the VirusTotal provided command-line information.

Bugfixes

  • Update virustotal.domain.relationships, virustotal.file.relationships, virustotal.ip.relationships, and virustotal.url.relationships commands to display an error message if no --all and no relationships are specified.

Deprecations

  • Caching has been removed from the following commands, so the --asof argument has been deprecated and will no longer have any effect:

    virustotal.commfiles

    virustotal.dlfiles

    virustotal.domain.relationships

    virustotal.enrich

    virustotal.file.behavior

    virustotal.file.download

    virustotal.file.itwurls

    virustotal.file.relationships

    virustotal.file.report

    virustotal.file.search

    virustotal.ip.relationships

    virustotal.pdns

    virustotal.search

    virustotal.ssl.history

    virustotal.url.relationships

    virustotal.urls

    virustotal.whois.history

This release contains an automatic cache cleanup that will run when the package is first upgraded. This will remove cached API response data from the jsonstor for commands which no longer perform caching.

v4.13.0 - 2023-09-12

Features and Enhancements

  • Update file malware config ingest to model additional data provided from C2 config parsers.

  • Update ipwhois ingest to use inet:whois:iprec:contacts instead of the deprecated inet:whois:iprec:registrant property.

v4.12.2 - 2023-09-05

Bugfixes

  • Fix an issue in file report ingest where IDS matches with no specified rule source would cause an error.

v4.12.1 - 2023-08-18

Bugfixes

  • Update AV scan ingest to use stable guid generation and avoid potentially creating duplicate ou:org and ps:contact nodes.

v4.12.0 - 2023-07-21

Features and Enhancements

  • Add a link to the VirusTotal documentation for additional information on using filters with the virustotal.livehunt.files command.

  • Update file submissions ingest to create inet:web:attachment nodes instead of inet:web:file nodes.

v4.11.0 - 2023-06-19

Features and Enhancements

  • Mark the Synapse-FileParser dependency as optional.

v4.10.3 - 2023-03-30

Bugfixes

  • Fix an issue where the .seen property on ingested nodes could be set incorrectly.

v4.10.2 - 2023-03-28

Bugfixes

  • Fix an issue where a warning would be produced when updating YARA rulesets despite the ruleset being updated correctly.

v4.10.1 - 2023-03-14

Bugfixes

  • Fix an issue where invalid process id values in results were not handled gracefully.

v4.10.0 - 2023-03-13

Features and Enhancements

  • Update virustotal.file.behavior ingest to create it:exec:reg:get nodes for registry keys which were opened.

Bugfixes

  • Fix an issue where virustotal.file.behavior ingest was expecting keys for registry information which is no longer present in the API.

  • Update ingest to add seen edges from the VirusTotal meta:source node to additional nodes where they were missing.

v4.9.0 - 2023-02-28

Features and Enhancements

  • Update file report ingest to model crowdsourced IDS and YARA match results.

  • Update HTTP error handling to display a more useful error message in cases where one is not provided in the API response.

  • Update domain, ip, and url report ingests to create meta:rule nodes with -(matches)> edges to the corresponding node for web scanner results.

  • Update file behavior ingest to create it:exec:proc nodes for process tree and command execution data.

  • Add support for ingesting the comments relationship to the virustotal.ip.relationships, virustotal.file.relationships, virustotal.domain.relationships, and virustotal.url.relationships commands.

v4.8.0 - 2023-01-31

Features and Enhancements

  • Update file report ingest to create it:sec:c2:config and risk:tool:software nodes for extracted malware configs.

v4.7.4 - 2023-01-05

Bugfixes

  • Update inet:flow and inet:dns:request nodes created from contacted_domains and contacted_ips file relationships to set the :sandbox:file prop rather than :exe or :src:exe.

v4.7.3 - 2022-10-10

Bugfixes

  • Set the corresponding hash property on file:bytes nodes created by virustotal.file.behavior when enriching by MD5 or SHA-1 hash.

v4.7.2 - 2022-10-07

Bugfixes

  • Fix an issue with handling malformed historical WHOIS records.

v4.7.1 - 2022-10-07

Bugfixes

  • Fix an issue with handling malformed WHOIS records.

v4.7.0 - 2022-09-22

Features and Enhancements

  • Add virustotal.enrich command for enriching nodes with VirusTotal report data.

  • Add virustotal.domain.relationships, virustotal.ip.relationships, and virustotal.url.relationships commands for retrieving object relationship data.

  • Add dependency requirements to package definition.

v4.6.0 - 2022-09-02

Features and Enhancements

  • Add Node Actions for virustotal.ssl.history and virustotal.whois.history.

  • Update the crypto:x509:certificate:serial behavior to reflect the modeling change in Synapse v2.104.0.

  • Update virustotal.search and virustotal.file.search to create it:exec:query nodes with -(found)> edges.

Bugfixes

  • Fix example in User Guide documentation.

v4.5.0 - 2022-06-01

Features and Enhancements

  • Support Synapse-FileParser >= 4.0.0.

Bugfixes

  • Fix an issue where additional permissions were required to use Synapse-FileParser.

v4.4.0 - 2022-05-11

Features and Enhancements

  • Add virustotal.file.relationships command for retrieving file relationship data.

  • Update virustotal.file.report to also pull contacted_ips, contacted_domains, and contacted_urls by default.

  • Update virustotal.urls to create inet:http:request nodes with additional HTTP response data if available.

  • Update virustotal.dlfiles to accept inet:url nodes.

  • Update virustotal.dlfiles to create inet:urlfile nodes for all inbound node types. inet:download nodes will no longer be created for inet:ipv4 nodes.

  • Cached API responses are now stored in the JsonStor instead of in nodedata.

  • Update sandbox data ingestion to prefer the :sandbox:file property over :exe where appropriate.

v4.3.2 - 2022-04-06

Bugfixes

  • Fix an issue in response handling when deleting livehunt notifications.

  • Fix a pagination issue in livehunt queries.

v4.3.1 - 2022-04-06

Bugfixes

  • Update page result limit for virustotal.livehunt.files queries.

v4.3.0 - 2022-04-05

Features and Enhancements

  • Add virustotal.ssl.history command for retrieving historical SSL certificates.

  • Add virustotal.whois.history command for retrieving historical WHOIS records.

  • Add virustotal.livehunt.files command for retrieving livehunt notifications.

  • Add virustotal.livehunt.notifications.delete command for deleting livehunt notifications.

Bugfixes

  • Use correct meta:source node when generating userguide and normalize the :name field to the current convention.

  • Fix a typo in the virustotal.file.behavior command help.

  • Add missing -(refs)> edges from inet:search:query nodes to search results.

  • Update .seen on inet:url and inet:ipv4 nodes returned in search results when possible.

v4.2.0 - 2022-01-19

Features and Enhancements

  • Update it:host creation to use the :desc property to record host description rather than the deprecated :model property.

  • Add virustotal.search command which queries the /api/v3/search endpoint rather than the /api/v3/intelligence/search endpoint used by virustotal.file.search.

  • Add ingest handlers for domain, ip, and url results returned by search queries.

v4.1.0 - 2022-01-04

Bugfixes

  • Clarify warning message output for invalid API keys.

Deprecations

  • Deprecate the virustotal.setup.tagdns and virustotal.setup.tagip commands. The virustotal.file.behavior command will no longer apply tags configured by these commands to inet:flow nodes and the commands will be removed in v5.0.0.

v4.0.2 - 2021-11-02

Bugfixes

  • Fix an issue where it:av:filehit nodes were not being created.

v4.0.1 - 2021-10-06

Bugfixes

  • Add description to storm package

v4.0.0 - 2021-10-04

Features and Enhancements

  • Initial release of the Synapse-VirusTotal Power-Up v4.0.0

Updating from 3.x.x

The previous 3.x.x version of Synapse-VirusTotal was distributed as a Storm Service using a Docker container. This service must be removed from the Cortex prior to updating.

See the Admin Guide for details on setting up the API key and user permissions.