Table: virustotal_search - Query VirusTotal Search Results using SQL
VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. It aggregates information from many antivirus and URL scanners to provide a comprehensive view of antivirus scan results, website scanning, and URL/domain blacklisting. This service is useful for detecting malicious content and understanding the security landscape.
Table Usage Guide
The virustotal_search table provides insights into the search results from VirusTotal. As a security analyst, explore the details of antivirus scan results, website scanning, and URL/domain blacklisting through this table. Utilize it to uncover information about potential security threats, such as malware, trojans, and other malicious content.
Important Notes
- You must specify the query in the where clause to query this table.
Examples
Simple searches (free tier)
Explore various internet entities like websites, IP addresses, and file hashes for potential security threats by cross-referencing them with the VirusTotal database. This is useful for identifying potential risks associated with these entities, helping to maintain cybersecurity. The free tier only supports simple search terms for hashes and IDs.
This example combines simple searches of different types into a single consistent result set.
select *
from virustotal_search
where query = 'github.com'
union
select *
from virustotal_search
where query = 'https://turbot.com'
union
select *
from virustotal_search
where query = '76.76.21.21'
union
select *
from virustotal_search
where query = '8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85';
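The jsonb columns are where the useful signal lives. The following query is an added example, not one of the plugin's documented queries: it reuses the union pattern above to look up several entities, then pulls the engine verdict counts out of last_analysis_stats and total_votes and lists the scanners whose entry in last_analysis_results is categorised as malicious. The JSON key names (harmless, malicious, and the per-scanner category field) are assumed from the VirusTotal v3 API object layout rather than stated on this page.

```sql
-- Added example: triage several entities in one result set.
-- Assumes VirusTotal v3 key names inside the jsonb columns
-- ("harmless"/"malicious" in the stats and votes objects,
-- "category" in each last_analysis_results entry).
with lookups as (
  select * from virustotal_search where query = 'github.com'
  union all
  select * from virustotal_search where query = 'https://turbot.com'
  union all
  select * from virustotal_search where query = '76.76.21.21'
)
select
  l.query,
  l.object_type,
  l.reputation,
  (l.last_analysis_stats ->> 'malicious')::int as engines_malicious,
  (l.last_analysis_stats ->> 'harmless')::int  as engines_harmless,
  (l.total_votes ->> 'malicious')::int         as votes_malicious,
  -- scanners that returned a "malicious" category for this object
  (
    select string_agg(r.key, ', ' order by r.key)
    from jsonb_each(l.last_analysis_results) as r
    where r.value ->> 'category' = 'malicious'
  ) as flagged_by
from lookups as l
order by engines_malicious desc nulls last;
```

Sorting on the engine count rather than on reputation keeps community votes (which anyone can cast) separate from scanner verdicts, so a single hostile vote does not push a benign entity to the top of the list.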
Schema for virustotal_search
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
attributes | jsonb | |
id | text | |
last_analysis_results | jsonb | | Result from URL scanners. Dict with scanner name as key and a dict with notes/result from that scanner as value.
last_analysis_stats | jsonb | | Number of different results from these scans.
last_modification_date | timestamp with time zone | | Date when any of the IP's information was last updated.
object_type | text | |
query | text | = | The search query.
reputation | bigint | | IP's score calculated from the votes of the VirusTotal community.
tags | jsonb | | List of representative attributes.
total_votes | jsonb | | Unweighted number of total votes from the community, divided into harmless and malicious.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- virustotal
You can pass the configuration to the command with the --config argument:
steampipe_export_virustotal --config '<your_config>' virustotal_search