turbot/virustotal

steampipe plugin install virustotal

Table: virustotal_ip

Get information about an IP including WHOIS, popularity, DNS and more.

Note: An id (IP address) must be provided in all queries to this table.

Examples

Get IP information

select
*
from
virustotal_ip
where
id = '76.76.21.21'

Find all scanner results where result was not clean

select
analysis.key as scanner,
analysis.value ->> 'result' as result
from
virustotal.virustotal_ip,
jsonb_each(last_analysis_results) as analysis
where
id = '76.76.21.21'
and analysis.value ->> 'result' != 'clean'
order by
scanner
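A triage query added here as an example (not part of the plugin's own documentation): it turns the per-scanner verdicts and the aggregate counters into a single summary row per IP. It assumes `last_analysis_stats` carries the VirusTotal v3 counter keys `harmless`, `malicious`, `suspicious`, `undetected` and `timeout`, and that each entry of `last_analysis_results` carries the `category` key described in the column list below; the `total_votes` keys `harmless` and `malicious` are documented on this page.

```sql
-- Added example, not the plugin's own docs. Assumes the VirusTotal v3
-- counter keys in last_analysis_stats and a per-scanner 'category' key
-- in last_analysis_results; total_votes keys are documented above.
with ip as (
  select
    id,
    as_owner,
    country,
    reputation,
    last_analysis_stats as stats,
    total_votes as votes,
    last_analysis_results as results
  from
    virustotal_ip
  where
    id = '76.76.21.21'
)
select
  id,
  as_owner,
  country,
  reputation,
  (stats ->> 'malicious')::int as malicious_engines,
  (stats ->> 'suspicious')::int as suspicious_engines,
  (stats ->> 'harmless')::int + (stats ->> 'undetected')::int as quiet_engines,
  -- share of engines that returned a verdict and called it malicious;
  -- nullif() avoids a division by zero when no engine answered
  round(
    100.0 * (stats ->> 'malicious')::int
    / nullif(
        (stats ->> 'harmless')::int + (stats ->> 'malicious')::int
        + (stats ->> 'suspicious')::int + (stats ->> 'undetected')::int,
        0),
    1
  ) as pct_malicious,
  (votes ->> 'malicious')::int as community_malicious_votes,
  (votes ->> 'harmless')::int as community_harmless_votes,
  -- names of the scanners whose normalized category is not clean,
  -- so an analyst can see *which* engines drove the counters
  (
    select string_agg(r.key, ', ' order by r.key)
    from jsonb_each(results) as r
    where r.value ->> 'category' in ('malicious', 'suspicious')
  ) as flagging_scanners
from
  ip;
```

A low `pct_malicious` driven by one or two scanners with a negative `reputation` and many `community_malicious_votes` is a different signal from the same percentage with a positive reputation, so keep the raw columns alongside the ratio rather than alerting on the ratio alone.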

.inspect virustotal_ip

Information and analysis for an IP address.

| Name | Type | Description |
| --- | --- | --- |
| as_owner | text | Owner of the Autonomous System to which the IP belongs. |
| asn | bigint | Autonomous System Number to which the IP belongs. |
| category | text | Normalized result: harmless, undetected, suspicious, malicious. |
| continent | text | Continent where the IP is placed (ISO-3166 continent code). |
| country | text | Country where the IP is placed (ISO-3166 country code). |
| engine_name | text | Complete name of the URL scanning service. |
| id | inet | The IP to retrieve. |
| last_analysis_results | jsonb | Result from URL scanners. Dict with scanner name as key and a dict with notes/result from that scanner as value. |
| last_analysis_stats | jsonb | Number of different results from these scans. |
| last_https_certificate | jsonb | SSL certificate object retrieved the last time the IP was analysed. |
| last_https_certificate_date | timestamp without time zone | Date when the certificate was retrieved by VirusTotal. |
| last_modification_date | timestamp without time zone | Date when any of the IP's information was last updated. |
| method | text | Type of service given by that URL scanning service, e.g. blacklist. |
| network | text | IPv4 network range to which the IP belongs. |
| regional_internet_registry | text | One of the current regional internet registries: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC. |
| reputation | bigint | IP's score calculated from the votes of the VirusTotal community. |
| result | text | Raw value returned by the URL scanner, e.g. clean, malicious, suspicious, phishing. It may vary from scanner to scanner, hence the need for the category field for normalisation. |
| tags | jsonb | List of representative attributes. |
| total_votes | jsonb | Unweighted number of total votes from the community, divided into harmless and malicious. |
| whois | text | WHOIS information as returned from the pertinent whois server. |
| whois_date | timestamp without time zone | Date of the last update of the whois record in VirusTotal. |