turbot/virustotal
steampipe plugin install virustotal

Table: virustotal_ip - Query VirusTotal IP Addresses using SQL

VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. It aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus may have missed. VirusTotal also provides information regarding IP addresses, including the detection of URLs, downloadable files, and additional data.

Table Usage Guide

The virustotal_ip table exposes the information VirusTotal holds about an IP address. As a cybersecurity analyst, use it to look up IP-specific details, including detections of URLs and downloadable files tied to the address and the additional context VirusTotal provides. It lets you check whether an IP is associated with malicious activity and verify the safety of IPs you encounter.

Important Notes

  • You must specify the id (IP address) in the where clause to query this table.

Examples

Get IP information

Discover the details of a specific IP address to understand its associated risks and behavior. This can be particularly useful in cybersecurity investigations or network monitoring.

select
  *
from
  virustotal_ip
where
  id = '76.76.21.21';

Find all scanner results where result was not clean

Explore scanner results that identified potential threats or issues, providing a valuable tool for cyber security assessments and threat detection.

-- PostgreSQL
select
  analysis.key as scanner,
  analysis.value ->> 'result' as result
from
  virustotal.virustotal_ip,
  jsonb_each(last_analysis_results) as analysis
where
  id = '76.76.21.21'
  and analysis.value ->> 'result' != 'clean'
order by
  scanner;

-- SQLite
select
  analysis.key as scanner,
  json_extract(analysis.value, '$.result') as result
from
  virustotal.virustotal_ip,
  json_each(last_analysis_results) as analysis
where
  id = '76.76.21.21'
  and json_extract(analysis.value, '$.result') != 'clean'
order by
  scanner;
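The query above lists individual non-clean verdicts. For triage it is often more useful to roll the per-scanner results up by the normalized category and keep the flagging engines alongside the IP's ownership and reputation data. The following is an added example, not part of the Steampipe plugin documentation; it uses PostgreSQL syntax, reuses the address from the examples above, and assumes each value in last_analysis_results carries the category, engine_name, method and result keys described in the schema section.

```sql
-- Added example (not from the Steampipe virustotal plugin docs), PostgreSQL syntax.
-- Roll up the last analysis of one IP by normalized category and list the
-- engines that flagged it, together with the raw result each one returned.
-- Assumes the per-scanner object in last_analysis_results has the keys
-- 'category' and 'result' as described in the schema section.
with verdicts as (
  select
    ip.id,
    ip.as_owner,
    ip.country,
    ip.reputation,
    analysis.key as scanner,
    analysis.value ->> 'category' as category,
    analysis.value ->> 'result' as result
  from
    virustotal_ip as ip,
    jsonb_each(ip.last_analysis_results) as analysis
  where
    ip.id = '76.76.21.21'   -- the id qual is required for this table
)
select
  id,
  as_owner,
  country,
  reputation,
  count(*) as engines_total,
  count(*) filter (where category = 'malicious') as engines_malicious,
  count(*) filter (where category = 'suspicious') as engines_suspicious,
  -- engines with a malicious or suspicious verdict, plus their raw result
  string_agg(scanner || ': ' || coalesce(result, 'n/a'), ', ' order by scanner)
    filter (where category in ('malicious', 'suspicious')) as flagged_by
from
  verdicts
group by
  id, as_owner, country, reputation;
```

A single IP with zero malicious and zero suspicious engines yields one row with flagged_by null, which is a quick way to tell a clean address from one that a handful of engines dislike. On SQLite, swap jsonb_each and the ->> operator for json_each and json_extract as the page's own second example does, and use group_concat in place of string_agg.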

Schema for virustotal_ip

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
as_owner | text | | Owner of the Autonomous System to which the IP belongs.
asn | bigint | | Autonomous System Number to which the IP belongs.
category | text | | Normalized result: harmless, undetected, suspicious, malicious.
continent | text | | Continent where the IP is placed (ISO-3166 continent code).
country | text | | Country where the IP is placed (ISO-3166 country code).
engine_name | text | | Complete name of the URL scanning service.
id | inet | = | The IP to retrieve.
last_analysis_results | jsonb | | Result from URL scanners. Dict with scanner name as key and a dict with notes/result from that scanner as value.
last_analysis_stats | jsonb | | Number of different results from these scans.
last_https_certificate | jsonb | | SSL certificate object retrieved the last time the IP was analysed.
last_https_certificate_date | timestamp with time zone | | Date when the certificate was retrieved by VirusTotal.
last_modification_date | timestamp with time zone | | Date when any of the IP's information was last updated.
method | text | | Type of service given by that URL scanning service, e.g. blacklist.
network | text | | IPv4 network range to which the IP belongs.
regional_internet_registry | text | | One of the current regional internet registries: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC.
reputation | bigint | | IP's score calculated from the votes of the VirusTotal community.
result | text | | Raw value returned by the URL scanner, e.g. clean, malicious, suspicious, phishing. It may vary from scanner to scanner, hence the need for the category field for normalisation.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
tags | jsonb | | List of representative attributes.
total_votes | jsonb | | Unweighted number of total votes from the community, divided into harmless and malicious.
whois | text | | WHOIS information as returned from the pertinent whois server.
whois_date | timestamp with time zone | | Date of the last update of the whois record in VirusTotal.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- virustotal

You can pass the configuration to the command with the --config argument:

steampipe_export_virustotal --config '<your_config>' virustotal_ip