Table: virustotal_domain - Query VirusTotal Domain Reports using SQL

VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content. It aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus solution may have missed, or to verify against any false positives. Domain Reports in VirusTotal provide detailed information about a domain, including the detection of potentially malicious activities.

Table Usage Guide

The virustotal_domain table provides insights into Domain Reports within VirusTotal. As a cybersecurity analyst, explore domain-specific details through this table, including detections, resolutions, and subdomains. Utilize it to uncover information about domains, such as those linked with malicious activities, the resolved IPs, and the detection of potentially harmful subdomains.

Important Notes

You must specify the id (registered domain name) in the where clause to query this table.

Examples

Get domain information

Explore the detailed information associated with a specific domain to understand its characteristics and potential security risks. This can be particularly useful for cybersecurity analysis and threat detection.

select
  *
from
  virustotal_domain
where
  id = 'steampipe.io';

select
  *
from
  virustotal_domain
where
  id = 'steampipe.io';

Schema for virustotal_domain

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form, e.g. connection_name.
categories	jsonb		Mapping that relates categorisation services with the category it assigns the domain to. These services are, among others: Alexa, BitDefender, TrendMicro, Websense ThreatSeeker, etc.
creation_date	timestamp with time zone		Creation date extracted from the Domain's whois.
favicon	jsonb		Dictionary including difference hash and md5 hash of the domain's favicon. Only available for premium users.
id	text	=	The domain name to retrieve.
jarm	text		JARM is an active Transport Layer Security (TLS) server fingerprint.
last_analysis_results	jsonb		Result from URL scanners. dict with scanner name as key and a dict with notes/result from that scanner as value.
last_analysis_stats	jsonb		Number of different results from this scans.
last_dns_records	jsonb		Domain's DNS records on its last scan.
last_dns_records_date	timestamp with time zone		Date when the dns records list was retrieved by VirusTotal.
last_https_certificate	jsonb		SSL Certificate object retrieved last time the domain was analysed.
last_https_certificate_date	timestamp with time zone		Date when the certificate was retrieved by VirusTotal.
last_modification_date	timestamp with time zone		Date when any of domain's information was last updated.
last_update_date	timestamp with time zone		Updated date extracted from whois.
popularity_ranks	jsonb		Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc.
registrar	text		Company that registered the domain.
reputation	jsonb		Domain's score calculated from the votes of the VirusTotal's community.
tags	jsonb		List of representative attributes.
total_votes	jsonb		Unweighted number of total votes from the community, divided into harmless and malicious.
whois	text		WHOIS information as returned from the pertinent whois server.
whois_date	timestamp with time zone		Date of the last update of the whois record in VirusTotal.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- virustotal

You can pass the configuration to the command with the --config argument:

steampipe_export_virustotal --config '<your_config>' virustotal_domain