turbot/virustotal
steampipe plugin install virustotal

Table: virustotal_search - Query VirusTotal Search Results using SQL

VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. It aggregates information from many antivirus and URL scanners to provide a comprehensive view of antivirus scan results, website scanning, and URL/domain blacklisting. This service is useful for detecting malicious content and understanding the security landscape.

Table Usage Guide

The virustotal_search table provides insights into the search results from VirusTotal. As a security analyst, explore the details of antivirus scan results, website scanning, and URL/domain blacklisting through this table. Utilize it to uncover information about potential security threats, such as malware, trojans, and other malicious content.

Important Notes

  • You must specify the query in the where clause to query this table.

Examples

Simple searches (free tier)

Look up internet entities such as websites, IP addresses, and file hashes in the VirusTotal database to check them for potential security threats and identify the risks associated with them. The free tier only supports simple search terms for hashes and IDs.

This example combines simple searches of different types into a single consistent result set.

select
  *
from
  virustotal_search
where
  query = 'github.com'
union
select
  *
from
  virustotal_search
where
  query = 'https://turbot.com'
union
select
  *
from
  virustotal_search
where
  query = '76.76.21.21'
union
select
  *
from
  virustotal_search
where
  query = '8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85';

Schema for virustotal_search

| Name | Type | Operators | Description |
|------|------|-----------|-------------|
| _ctx | jsonb | | Steampipe context in JSON form. |
| attributes | jsonb | | |
| id | text | | |
| last_analysis_results | jsonb | | Result from URL scanners. Dict with scanner name as key and a dict with notes/result from that scanner as value. |
| last_analysis_stats | jsonb | | Number of different results from these scans. |
| last_modification_date | timestamp with time zone | | Date when any of IP's information was last updated. |
| object_type | text | | |
| query | text | = | The search query. |
| reputation | bigint | | IP's score calculated from the votes of the VirusTotal community. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| tags | jsonb | | List of representative attributes. |
| total_votes | jsonb | | Unweighted number of total votes from the community, divided into harmless and malicious. |
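
A triage query over the jsonb columns in the schema above, added here as an example and not taken from the plugin's own documentation. It assumes Steampipe's Postgres engine and the key names used by the VirusTotal v3 API (malicious, suspicious, harmless and undetected in last_analysis_stats; category in each last_analysis_results entry); the two indicators are the ones from the search example on this page.

```sql
-- Added example: rank indicators by scanner verdicts and list the engines that flagged them.
-- JSON key names are assumed from the VirusTotal v3 API, not from this page.
with hits as (
  select query, object_type, reputation, last_modification_date,
         last_analysis_stats, last_analysis_results, total_votes
  from virustotal_search
  where query = '76.76.21.21'
  union all
  select query, object_type, reputation, last_modification_date,
         last_analysis_stats, last_analysis_results, total_votes
  from virustotal_search
  where query = '8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85'
)
select
  h.query,
  h.object_type,
  (h.last_analysis_stats ->> 'malicious')::int  as malicious,
  (h.last_analysis_stats ->> 'suspicious')::int as suspicious,
  (h.last_analysis_stats ->> 'harmless')::int   as harmless,
  (h.last_analysis_stats ->> 'undetected')::int as undetected,
  (h.total_votes ->> 'malicious')::int          as votes_malicious,
  (h.total_votes ->> 'harmless')::int           as votes_harmless,
  h.reputation,
  f.flagged_by,
  h.last_modification_date
from
  hits as h
  left join lateral (
    -- One row per scanner; keep only scanners with a bad verdict.
    select array_agg(e.key order by e.key) as flagged_by
    from jsonb_each(
      -- Guard: jsonb_each raises an error on a JSON null or other non-object value.
      case
        when jsonb_typeof(h.last_analysis_results) = 'object' then h.last_analysis_results
        else '{}'::jsonb
      end
    ) as e
    where e.value ->> 'category' in ('malicious', 'suspicious')
  ) as f on true
order by
  malicious desc nulls last,
  h.reputation asc;
```

Rows with no scanner data sort last, and flagged_by is null when no scanner returned a malicious or suspicious verdict.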

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- virustotal

You can pass the configuration to the command with the --config argument:

steampipe_export_virustotal --config '<your_config>' virustotal_search