Table: virustotal_domain - Query VirusTotal Domain Reports using SQL
VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content. It aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus solution may have missed, or to verify against any false positives. Domain Reports in VirusTotal provide detailed information about a domain, including the detection of potentially malicious activities.
Table Usage Guide
The virustotal_domain
table provides insights into Domain Reports within VirusTotal. As a cybersecurity analyst, explore domain-specific details through this table, including detections, resolutions, and subdomains. Utilize it to uncover information about domains, such as those linked with malicious activities, the resolved IPs, and the detection of potentially harmful subdomains.
Important Notes
- You must specify the
id
(registered domain name) in thewhere
clause to query this table.
Examples
Get domain information
Explore the detailed information associated with a specific domain to understand its characteristics and potential security risks. This can be particularly useful for cybersecurity analysis and threat detection.
select *from virustotal_domainwhere id = 'steampipe.io';
select *from virustotal_domainwhere id = 'steampipe.io';
Schema for virustotal_domain
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
categories | jsonb | Mapping that relates categorisation services with the category it assigns the domain to. These services are, among others: Alexa, BitDefender, TrendMicro, Websense ThreatSeeker, etc. | |
creation_date | timestamp with time zone | Creation date extracted from the Domain's whois. | |
favicon | jsonb | Dictionary including difference hash and md5 hash of the domain's favicon. Only available for premium users. | |
id | text | = | The domain name to retrieve. |
jarm | text | JARM is an active Transport Layer Security (TLS) server fingerprint. | |
last_analysis_results | jsonb | Result from URL scanners. dict with scanner name as key and a dict with notes/result from that scanner as value. | |
last_analysis_stats | jsonb | Number of different results from this scans. | |
last_dns_records | jsonb | Domain's DNS records on its last scan. | |
last_dns_records_date | timestamp with time zone | Date when the dns records list was retrieved by VirusTotal. | |
last_https_certificate | jsonb | SSL Certificate object retrieved last time the domain was analysed. | |
last_https_certificate_date | timestamp with time zone | Date when the certificate was retrieved by VirusTotal. | |
last_modification_date | timestamp with time zone | Date when any of domain's information was last updated. | |
last_update_date | timestamp with time zone | Updated date extracted from whois. | |
popularity_ranks | jsonb | Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc. | |
registrar | text | Company that registered the domain. | |
reputation | jsonb | Domain's score calculated from the votes of the VirusTotal's community. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
tags | jsonb | List of representative attributes. | |
total_votes | jsonb | Unweighted number of total votes from the community, divided into harmless and malicious. | |
whois | text | WHOIS information as returned from the pertinent whois server. | |
whois_date | timestamp with time zone | Date of the last update of the whois record in VirusTotal. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- virustotal
You can pass the configuration to the command with the --config
argument:
steampipe_export_virustotal --config '<your_config>' virustotal_domain