Changelog
Synapse-VirusTotal Changelog
v5.5.0 - 2025-09-26
Features and Enhancements
Added additional language codes to the lookup table when ingesting PE resource details.
Updated unknown language warning to only occur once per code during ingests.
v5.4.0 - 2025-05-30
Automatic Migrations
Deleted inet:web:acct and inet:web:attachment nodes that were previously migrated in Synapse-VirusTotal v5.0.0.
v5.3.0 - 2025-03-07
Features and Enhancements
Added new endpoints section in command help to document the endpoints used by each command, accessible via the --help flag.
Updated virustotal.search and virustotal.file.search to populate the it:exec:query:synuser property.
Bugfixes
Fixed a bug in the v5.0.0 migration of inet:web:acct and inet:web:attachment nodes where the migration would fail when the data being migrated was in a view other than the default view. If the migration failed, it would have failed early and without loss of data but may have created a stray inet:service:account or inet:service:message:attachment node in the default view.
Revised the examples for the virustotal.url.relationships command to use the comments and downloaded_files relationships.
Fixed an issue where file reports with missing SHA-256 hashes were not being ingested correctly.
v5.2.0 - 2025-02-19
Features and Enhancements
Updated ingest for domain and URL reports to set it:av:scan:result:categories for scanners which provide categorization information.
Bugfixes
Fixed an issue where file signing certificates with missing validity timestamps were not handled correctly.
v5.1.0 - 2025-02-05
Features and Enhancements
Added debug output for HTTP responses from calls to the VirusTotal API.
v5.0.0 - 2025-01-27
Automatic Migrations
Migrated existing inet:web:acct and inet:web:attachment nodes from ingesting submissions and comments to inet:service:account, inet:service:message, and inet:service:message:attachment nodes.
Migrated all inet:ssl:cert created by Synapse-VirusTotal to inet:tls:servercert nodes. The migrated inet:ssl:cert nodes are removed by this migration if they don’t have any other meta:source -(seen)> edges.
Migrated all it:av:filehit and meta:rule nodes created by Synapse-VirusTotal to it:av:scan:result nodes. The migrated it:av:filehit and meta:rule nodes are removed by this migration.
Features and Enhancements
Updated ingest for submissions and comments to use inet:service:* model elements instead of inet:web:* elements.
Updated Power-Up to make inet:tls:servercert nodes instead of deprecated inet:ssl:cert nodes.
Updated deprecated $lib.list() usage to JSON style syntax.
Deprecated virustotal.migrationAvHit() on-demand migration function.
v4.19.1 - 2024-10-09
Bugfixes
Fix an issue in URL report ingest where the .seen time on file:bytes nodes associated with the SHA-256 hash of the last HTTP response was set incorrectly.
v4.19.0 - 2024-09-04
Features and Enhancements
Add virustotal.iocstream command for retrieving IoC stream notifications.
v4.18.1 - 2024-08-05
Bugfixes
Fix an issue where some validity dates for file signing certificates were not parsed correctly.
v4.18.0 - 2024-03-15
Features and Enhancements
Update $lib.bytes usage with $lib.axon APIs.
Update the virustotal.file.relationships command to accept hash:md5, hash:sha1, and hash:sha256 nodes as input.
Create crypto:x509:signedfile and file:mime:pe:vsvers:info nodes using signature_info data included in file reports.
Bugfixes
Fix an issue where SSL certificate ingest could raise an error when attempting to populate identity lists.
v4.17.0 - 2024-02-20
Features and Enhancements
Include the requested hash in the warning message for failed file downloads.
Update deprecated $lib.dict() usage to JSON style syntax.
v4.16.0 - 2024-02-06
Features and Enhancements
Add a node action for virustotal.enrich.
Retrieve the last_serving_ip_address relationship by default when retrieving URL reports using the virustotal.enrich command.
Add an on-demand migration for it:av:filehit nodes and URL/FQDN/IPv4 AV scan results. See the Admin Guide for additional details.
v4.15.0 - 2024-01-05
Features and Enhancements
Update AV scan result ingest to use it:av:scan:result for recording individual scan results and rollup stats.
v4.14.0 - 2023-12-08
Features and Enhancements
Update virustotal.file.behaviors command to set both the it:exec:proc:cmd and it:exec:proc:name properties with the VirusTotal provided command-line information.
Bugfixes
Update virustotal.domain.relationships, virustotal.file.relationships, virustotal.ip.relationships, and virustotal.url.relationships commands to display an error message if no --all and no relationships are specified.
Deprecations
Caching has been removed from the following commands, so the --asof argument has been deprecated and will no longer have any effect:
virustotal.commfiles
virustotal.dlfiles
virustotal.domain.relationships
virustotal.enrich
virustotal.file.behavior
virustotal.file.download
virustotal.file.itwurls
virustotal.file.relationships
virustotal.file.report
virustotal.file.search
virustotal.ip.relationships
virustotal.pdns
virustotal.search
virustotal.ssl.history
virustotal.url.relationships
virustotal.urls
virustotal.whois.history
This release contains an automatic cache cleanup that will run when the package is first upgraded. This will remove cached API response data from the jsonstor for commands which no longer perform caching.
v4.13.0 - 2023-09-12
Features and Enhancements
Update file malware config ingest to model additional data provided from C2 config parsers.
Update ipwhois ingest to use inet:whois:iprec:contacts instead of the deprecated inet:whois:iprec:registrant property.
v4.12.2 - 2023-09-05
Bugfixes
Fix an issue in file report ingest where IDS matches with no specified rule source would cause an error.
v4.12.1 - 2023-08-18
Bugfixes
Update AV scan ingest to use stable guid generation and avoid potentially creating duplicate ou:org and ps:contact nodes.
v4.12.0 - 2023-07-21
Features and Enhancements
Add a link to the VirusTotal documentation for additional information on using filters with the virustotal.livehunt.files command.
Update file submissions ingest to create inet:web:attachment nodes instead of inet:web:file nodes.
v4.11.0 - 2023-06-19
Features and Enhancements
Mark the Synapse-FileParser dependency as optional.
v4.10.3 - 2023-03-30
Bugfixes
Fix an issue where the .seen property on ingested nodes could be set incorrectly.
v4.10.2 - 2023-03-28
Bugfixes
Fix an issue where a warning would be produced when updating YARA rulesets despite the ruleset being updated correctly.
v4.10.1 - 2023-03-14
Bugfixes
Fix an issue where invalid process id values in results were not handled gracefully.
v4.10.0 - 2023-03-13
Features and Enhancements
Update virustotal.file.behavior ingest to create it:exec:reg:get nodes for registry keys which were opened.
Bugfixes
Fix an issue where virustotal.file.behavior ingest was expecting keys for registry information which is no longer present in the API.
Update ingest to add seen edges from the VirusTotal meta:source node to additional nodes where they were missing.
v4.9.0 - 2023-02-28
Features and Enhancements
Update file report ingest to model crowdsourced IDS and YARA match results.
Update HTTP error handling to display a more useful error message in cases where one is not provided in the API response.
Update domain, ip, and url report ingests to create meta:rule nodes with -(matches)> edges to the corresponding node for web scanner results.
Update file behavior ingest to create it:exec:proc nodes for process tree and command execution data.
Add support for ingesting the comments relationship to the virustotal.ip.relationships, virustotal.file.relationships, virustotal.domain.relationships, and virustotal.url.relationships commands.
v4.8.0 - 2023-01-31
Features and Enhancements
Update file report ingest to create it:sec:c2:config and risk:tool:software nodes for extracted malware configs.
v4.7.4 - 2023-01-05
Bugfixes
Update inet:flow and inet:dns:request nodes created from contacted_domains and contacted_ips file relationships to set the :sandbox:file prop rather than :exe or :src:exe.
v4.7.3 - 2022-10-10
Bugfixes
Set the corresponding hash property on file:bytes nodes created by virustotal.file.behavior when enriching by MD5 or SHA-1 hash.
v4.7.2 - 2022-10-07
Bugfixes
Fix an issue with handling malformed historical WHOIS records.
v4.7.1 - 2022-10-07
Bugfixes
Fix an issue with handling malformed WHOIS records.
v4.7.0 - 2022-09-22
Features and Enhancements
Add virustotal.enrich command for enriching nodes with VirusTotal report data.
Add virustotal.domain.relationships, virustotal.ip.relationships, and virustotal.url.relationships commands for retrieving object relationship data.
Add dependency requirements to package definition.
v4.6.0 - 2022-09-02
Features and Enhancements
Add Node Actions for virustotal.ssl.history and virustotal.whois.history.
Update the crypto:x509:certificate:serial behavior to reflect the modeling change in Synapse v2.104.0.
Update virustotal.search and virustotal.file.search to create it:exec:query nodes with -(found)> edges.
Bugfixes
Fix example in User Guide documentation.
v4.5.0 - 2022-06-01
Features and Enhancements
Support Synapse-FileParser >= 4.0.0.
Bugfixes
Fix an issue where additional permissions were required to use Synapse-FileParser.
v4.4.0 - 2022-05-11
Features and Enhancements
Add virustotal.file.relationships command for retrieving file relationship data.
Update virustotal.file.report to also pull contacted_ips, contacted_domains, and contacted_urls by default.
Update virustotal.urls to create inet:http:request nodes with additional HTTP response data if available.
Update virustotal.dlfiles to accept inet:url nodes.
Update virustotal.dlfiles to create inet:urlfile nodes for all inbound node types. inet:download nodes will no longer be created for inet:ipv4 nodes.
Cached API responses are now stored in the JsonStor instead of in nodedata.
Update sandbox data ingestion to prefer the :sandbox:file property over :exe where appropriate.
v4.3.2 - 2022-04-06
Bugfixes
Fix an issue in response handling when deleting livehunt notifications.
Fix a pagination issue in livehunt queries.
v4.3.1 - 2022-04-06
Bugfixes
Update page result limit for virustotal.livehunt.files queries.
v4.3.0 - 2022-04-05
Features and Enhancements
Add virustotal.ssl.history command for retrieving historical SSL certificates.
Add virustotal.whois.history command for retrieving historical WHOIS records.
Add virustotal.livehunt.files command for retrieving livehunt notifications.
Add virustotal.livehunt.notifications.delete command for deleting livehunt notifications.
Bugfixes
Use correct meta:source node when generating userguide and normalize the :name field to the current convention.
Fix a typo in the virustotal.file.behavior command help.
Add missing -(refs)> edges from inet:search:query nodes to search results.
Update .seen on inet:url and inet:ipv4 nodes returned in search results when possible.
v4.2.0 - 2022-01-19
Features and Enhancements
Update it:host creation to use the :desc property to record host description rather than the deprecated :model property.
Add virustotal.search command which queries the /api/v3/search endpoint rather than the /api/v3/intelligence/search endpoint used by virustotal.file.search.
Add ingest handlers for domain, ip, and url results returned by search queries.
v4.1.0 - 2022-01-04
Bugfixes
Clarify warning message output for invalid API keys.
Deprecations
Deprecate the virustotal.setup.tagdns and virustotal.setup.tagip commands. The virustotal.file.behavior command will no longer apply tags configured by these commands to inet:flow nodes and the commands will be removed in v5.0.0.
v4.0.2 - 2021-11-02
Bugfixes
Fix an issue where it:av:filehit nodes were not being created.
v4.0.1 - 2021-10-06
Bugfixes
Add description to Storm package.
v4.0.0 - 2021-10-04
Features and Enhancements
Initial release of the Synapse-VirusTotal Power-Up v4.0.0
Updating from 3.x.x
The previous 3.x.x version of Synapse-VirusTotal was distributed as
a Storm Service using a Docker container. This service must be removed from
the Cortex prior to updating.
See the Admin Guide for details on setting up the API key and user permissions.