turbot/virustotal
steampipe plugin install virustotal

Table: virustotal_domain - Query VirusTotal Domain Reports using SQL

VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content. It aggregates many antivirus products and online scan engines to catch threats that a user's own antivirus solution may have missed, or to check suspected false positives. Domain Reports in VirusTotal provide detailed information about a domain, including detections of potentially malicious activity.

Table Usage Guide

The virustotal_domain table provides insights into Domain Reports within VirusTotal. As a cybersecurity analyst, explore domain-specific details through this table, including detections, resolutions, and subdomains. Utilize it to uncover information about domains, such as those linked with malicious activities, the resolved IPs, and the detection of potentially harmful subdomains.

Important Notes

  • You must specify the id (the registered domain name) in the where clause to query this table; the column only supports the = operator.

Examples

Get domain information

Explore the detailed information associated with a specific domain to understand its characteristics and potential security risks. This can be particularly useful for cybersecurity analysis and threat detection.

select
  *
from
  virustotal_domain
where
  id = 'steampipe.io';
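The single-domain query above returns every column, including the large jsonb blobs. As an added example (not part of the plugin documentation), the following query triages a small watchlist of domains in one pass and pulls the fields an analyst usually wants first: scan verdict counts, community votes, the engines that flagged the domain, registration age and the A records from the last DNS snapshot. The domain names are illustrative placeholders. It assumes that Steampipe expands the `in` list into one VirusTotal lookup per value (id supports only =), and that the jsonb columns follow the VirusTotal API v3 layout: last_analysis_stats as {harmless, malicious, suspicious, undetected, timeout}, total_votes as {harmless, malicious}, last_dns_records as an array of {type, value, ttl} objects, and last_analysis_results keyed by engine name with a {category, result} object per engine.

```sql
-- Added example, not from the plugin documentation. Domain names are
-- illustrative placeholders; jsonb key names are assumed from the
-- VirusTotal API v3 report layout (see lead-in).
with report as (
  select
    *
  from
    virustotal_domain
  where
    -- assumed: Steampipe issues one lookup per value in the list
    id in ('example.com', 'example.net')
)
select
  r.id,
  r.registrar,
  r.creation_date,
  -- domains registered within the last 30 days deserve a closer look
  r.creation_date > now() - interval '30 days'   as recently_registered,
  (r.last_analysis_stats ->> 'malicious')::int   as malicious,
  (r.last_analysis_stats ->> 'suspicious')::int  as suspicious,
  (r.last_analysis_stats ->> 'harmless')::int    as harmless,
  (r.total_votes ->> 'malicious')::int           as community_malicious_votes,
  -- engines whose verdict was malicious or suspicious, comma separated
  (
    select string_agg(e.key, ', ' order by e.key)
    from jsonb_each(r.last_analysis_results) as e
    where e.value ->> 'category' in ('malicious', 'suspicious')
  ) as flagging_engines,
  -- A records from the most recent DNS snapshot VirusTotal holds
  (
    select string_agg(d ->> 'value', ', ')
    from jsonb_array_elements(r.last_dns_records) as d
    where d ->> 'type' = 'A'
  ) as a_records
from
  report as r
order by
  malicious desc,
  suspicious desc;
```

Every row costs one VirusTotal API call, so keep the watchlist short and let the ordering surface the domains with the most detections first; a zero in the malicious column combined with a very recent creation_date is still worth a manual look, since new domains often have no engine verdicts yet.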

Schema for virustotal_domain

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| categories | jsonb | | Mapping that relates categorisation services with the category each assigns to the domain. These services include, among others, Alexa, BitDefender, TrendMicro and Websense ThreatSeeker. |
| creation_date | timestamp with time zone | | Creation date extracted from the domain's whois. |
| favicon | jsonb | | Dictionary including the difference hash and md5 hash of the domain's favicon. Only available for premium users. |
| id | text | = | The domain name to retrieve. |
| jarm | text | | JARM is an active Transport Layer Security (TLS) server fingerprint. |
| last_analysis_results | jsonb | | Results from URL scanners: a dict with the scanner name as key and a dict of notes/results from that scanner as value. |
| last_analysis_stats | jsonb | | Number of each kind of result from these scans. |
| last_dns_records | jsonb | | Domain's DNS records on its last scan. |
| last_dns_records_date | timestamp with time zone | | Date when the DNS records list was retrieved by VirusTotal. |
| last_https_certificate | jsonb | | SSL certificate object retrieved the last time the domain was analysed. |
| last_https_certificate_date | timestamp with time zone | | Date when the certificate was retrieved by VirusTotal. |
| last_modification_date | timestamp with time zone | | Date when any of the domain's information was last updated. |
| last_update_date | timestamp with time zone | | Updated date extracted from whois. |
| popularity_ranks | jsonb | | Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc. |
| registrar | text | | Company that registered the domain. |
| reputation | jsonb | | Domain's score calculated from the votes of the VirusTotal community. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| tags | jsonb | | List of representative attributes. |
| total_votes | jsonb | | Unweighted number of total votes from the community, divided into harmless and malicious. |
| whois | text | | WHOIS information as returned from the pertinent whois server. |
| whois_date | timestamp with time zone | | Date of the last update of the whois record in VirusTotal. |

Export

This table is also available through a standalone exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- virustotal

You can pass the configuration to the command with the --config argument:

steampipe_export_virustotal --config '<your_config>' virustotal_domain