Connector vt livehunt #5432

gkallenborn · 2025-12-16T15:44:49Z

Proposed changes

I enhanced the VirusTotal Livehunt Notifications connector.

For each retrieved file, the code can now look for malware configurations and extract the C2 infrastructure data (domain, IP, URL) which are added to the STIX bundle.
Indicators can also be automatically created, based on the malware config observables.
The code can add a TLP marking to all STIX entities in the bundle.
It is possible to limit the number of notifications to process per run, which can be useful if the VT API quota is small.

This enhancement is totally optionnal and can be configured through 7 new parameters:

VIRUSTOTAL_LIVEHUNT_NOTIFICATIONS_GET_MALWARE_CONFIG=False # (Optional) Set to true to add config data of malware files like IPs and domains, if present. Only works if file creation is enabled. Default is false
VIRUSTOTAL_LIVEHUNT_NOTIFICATIONS_TLP=GREEN # (Optional) Set the TLP level for created entities, e.g. WHITE, GREEN, AMBER, AMBER_STRICT or RED
VIRUSTOTAL_LIVEHUNT_NOTIFICATIONS_CREATE_FILE_INDICATORS=False # (Optional) Set to true to create file indicators from the matched file. Default is false
VIRUSTOTAL_LIVEHUNT_NOTIFICATIONS_CREATE_DOMAIN_NAME_INDICATORS=False # (Optional) Set to true to create indicators from the domain names extracted from the malware config. Default is false
VIRUSTOTAL_LIVEHUNT_NOTIFICATIONS_CREATE_IP_INDICATORS=False # (Optional) Set to true to create indicators from the IP addresses extracted from the malware config. Default is false
VIRUSTOTAL_LIVEHUNT_NOTIFICATIONS_CREATE_URL_INDICATORS=False # (Optional) Set to true to create indicators from the URLs extracted from the malware config. Default is false
VIRUSTOTAL_LIVEHUNT_NOTIFICATIONS_LIMIT=100 # (Optional) Maximum number of notifications to process per run

Related issues

Checklist

I consider the submitted work as finished
I have signed my commits using GPG key.
I tested the code for its functionality using different use cases
I added/update the relevant documentation (either on github or on notion)
Where necessary I refactored code to improve the overall quality

Further comments

This reverts commit 67e2e51.

error correction

…or:wq

message

gkallenborn · 2025-12-16T16:33:15Z

Due to an error, the first commit is not verified, but I reverted it. So all commits are in fact verified.

gilbert and others added 30 commits November 17, 2025 18:11

mon commit signé

67e2e51

Revert "mon commit signé"

8faabf7

This reverts commit 67e2e51.

add parameter

99a0b37

add get_malware_config parameters

f5d8392

add extract_malware_config function

e77b685

add TLP parameter

4ed3f19

syntax correction

65e26c0

add IP entities

d9927a4

remove id generation method

8add880

WhistleBlowerDict cast

3c2908f

Correcting name ingestion

826647d

bug correction

827631b

add debug info

36a03ca

r Please enter the commit message for your changes. Lines starting

a3031ae

error correction

STIX error correction

df113c2

update STIX observable creation

fd8849a

STIX2 creation update

7bc472a

adding Indicator creation

9729937

update indicator creation

70a9e86

add domain name validation and hostname creation

69aedce

add Hostname mapping

6ff7402

add limit to VT query

b17c596

add limit

52581fb

adding notes to observables and indicators

e6c0436

recode malware config extraction

5a960dc

update Note creation

b2a8f2a

update Process function

c313e20

update Note creation

4f7bb0f

update config extraction

83fbee2

add debug line

3c43d45

gkallenborn added 23 commits November 25, 2025 12:07

update observable creation

8c15369

update label insertion

79df939

update malware config extraction

34dd281

add dates to relationships and indicators, add a limit parameter

9bc73fa

update builder imports

200ce05

update date format

03d2057

update incident creation

79a257f

update dates

5567bb5

update variable names, tlp usage, default parameters

970edf9

update logging info

edfb0e4

typo erased

0a63760

update docker compose and config files

acfec6d

prepare for release

4b575e6

update requirements

2a81f68

update requirements

7d43bce

update config.yml.sample and requirements.txt for VT Livehunt connect…

33c93d6

…or:wq

adding more indicator parameters

aec0cb1

update builder

9c36784

update requirements

a7f1810

add debug message

ee03eba

add debug

c9c0e07

message

add info logging for vt obj processing

b1cb46a

pylint formating

4d3af68

github-actions bot assigned gkallenborn Dec 16, 2025

Merge branch 'master' into connector-vt-livehunt

8900326

gkallenborn marked this pull request as ready for review December 16, 2025 15:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Connector vt livehunt #5432

Connector vt livehunt #5432

Uh oh!

gkallenborn commented Dec 16, 2025 •

edited

Loading

Uh oh!

gkallenborn commented Dec 16, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Connector vt livehunt #5432

Are you sure you want to change the base?

Connector vt livehunt #5432

Uh oh!

Conversation

gkallenborn commented Dec 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed changes

Related issues

Checklist

Further comments

Uh oh!

gkallenborn commented Dec 16, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

gkallenborn commented Dec 16, 2025 •

edited

Loading