Table: virustotal_ip - Query VirusTotal IP Addresses using SQL
VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. It aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus may have missed. VirusTotal also provides information regarding IP addresses, including the detection of URLs, downloadable files, and additional data.
Table Usage Guide
The virustotal_ip table provides insights into IP addresses within VirusTotal. As a cybersecurity analyst, explore IP-specific details through this table, including detections of URLs, downloadable files, and additional information. Utilize it to uncover information about IP addresses, such as those associated with malicious activities, and to verify the safety of certain IPs.
Important Notes
- You must specify the id (IP address) in the where clause to query this table.
Examples
Get IP information
Discover the details of a specific IP address to understand its associated risks and behavior. This can be particularly useful in cybersecurity investigations or network monitoring.
```sql
select
  *
from
  virustotal_ip
where
  id = '76.76.21.21';
```
Find all scanner results where result was not clean
Explore scanner results that identified potential threats or issues, providing a valuable tool for cyber security assessments and threat detection. The last_analysis_results column is a map keyed by scanner name; expanding it with jsonb_each (PostgreSQL) or json_each (SQLite) yields one row per scanner so that individual verdicts can be filtered.

PostgreSQL:

```sql
select
  analysis.key as scanner,
  analysis.value ->> 'result' as result
from
  virustotal.virustotal_ip,
  jsonb_each(last_analysis_results) as analysis
where
  id = '76.76.21.21'
  and analysis.value ->> 'result' != 'clean'
order by
  scanner;
```

SQLite:

```sql
select
  analysis.key as scanner,
  json_extract(analysis.value, '$.result') as result
from
  virustotal.virustotal_ip,
  json_each(last_analysis_results) as analysis
where
  id = '76.76.21.21'
  and json_extract(analysis.value, '$.result') != 'clean'
order by
  scanner;
```
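Triage a batch of IPs pulled from logs

The two queries above look at one address at a time. The following PostgreSQL query is an added example, not part of the plugin's own documentation: it scores a small batch of addresses in one pass, using the normalised per-engine category field rather than the raw result string, and surfaces which engines flagged each IP. The three IPs are a constructed sample batch, the triage thresholds are an illustrative assumption, and the query assumes Steampipe fans an `in (...)` list on the required id column out into one API call per address.

```sql
-- Added example: batch triage of IP addresses with the virustotal_ip table.
-- The address list is constructed sample input; the block/review thresholds
-- are illustrative assumptions, not VirusTotal guidance.
with batch as (
  select
    id,
    as_owner,
    country,
    reputation,
    (last_analysis_stats ->> 'malicious')::int  as malicious,
    (last_analysis_stats ->> 'suspicious')::int as suspicious,
    (last_analysis_stats ->> 'harmless')::int   as harmless,
    (total_votes ->> 'malicious')::int          as community_malicious,
    last_analysis_results
  from
    virustotal.virustotal_ip
  where
    -- assumption: Steampipe issues one lookup per address in the list
    id in ('76.76.21.21', '8.8.8.8', '1.1.1.1')
),
flagging_engines as (
  -- one row per scanner, keep only engines whose normalised category
  -- is malicious or suspicious, then fold them back to one row per IP
  select
    b.id,
    string_agg(a.key, ', ' order by a.key) as engines
  from
    batch as b,
    jsonb_each(b.last_analysis_results) as a
  where
    a.value ->> 'category' in ('malicious', 'suspicious')
  group by
    b.id
)
select
  b.id,
  b.as_owner,
  b.country,
  b.reputation,
  b.malicious,
  b.suspicious,
  b.harmless,
  b.community_malicious,
  coalesce(f.engines, '') as flagging_engines,
  case
    when b.malicious >= 3 then 'block'
    when b.malicious + b.suspicious >= 1 or b.community_malicious > 0 then 'review'
    else 'clean'
  end as triage
from
  batch as b
  left join flagging_engines as f on f.id = b.id
order by
  b.malicious desc,
  b.suspicious desc,
  b.id;
```

Filtering on `category` instead of `result` matters because the raw result string varies between engines (clean, unrated, phishing, malware site, and so on), whereas category is one of the four normalised values listed in the schema below. Community votes are unweighted and easy to game, so they are treated here only as a reason to review, never as grounds to block on their own.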
Schema for virustotal_ip
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
as_owner | text | | Owner of the Autonomous System to which the IP belongs. |
asn | bigint | | Autonomous System Number to which the IP belongs. |
category | text | | Normalized result: harmless, undetected, suspicious, malicious. |
continent | text | | Continent where the IP is placed (ISO-3166 continent code). |
country | text | | Country where the IP is placed (ISO-3166 country code). |
engine_name | text | | Complete name of the URL scanning service. |
id | inet | = | The IP to retrieve. |
last_analysis_results | jsonb | | Result from URL scanners. Dict with scanner name as key and a dict with notes/result from that scanner as value. |
last_analysis_stats | jsonb | | Number of results in each category (harmless, malicious, suspicious, undetected) from the last analysis. |
last_https_certificate | jsonb | | SSL certificate object retrieved the last time the IP was analysed. |
last_https_certificate_date | timestamp with time zone | | Date when the certificate was retrieved by VirusTotal. |
last_modification_date | timestamp with time zone | | Date when any of the IP's information was last updated. |
method | text | | Type of service given by that URL scanning service, e.g. blacklist. |
network | text | | IPv4 network range to which the IP belongs. |
regional_internet_registry | text | | One of the current regional internet registries: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC. |
reputation | bigint | | IP's score calculated from the votes of the VirusTotal community. |
result | text | | Raw value returned by the URL scanner: e.g. clean, malicious, suspicious, phishing. It may vary from scanner to scanner, hence the need for the category field for normalisation. |
tags | jsonb | | List of representative attributes. |
total_votes | jsonb | | Unweighted number of total votes from the community, divided into harmless and malicious. |
whois | text | | WHOIS information as returned from the pertinent whois server. |
whois_date | timestamp with time zone | | Date of the last update of the whois record in VirusTotal. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- virustotal
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_virustotal --config '<your_config>' virustotal_ip
```

Because id is a required qualifier for this table, the exporter also needs the address to look up, supplied through its --where argument, for example --where "id = '76.76.21.21'".