Table: virustotal_url - Query VirusTotal URL Reports using SQL
VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. It uses an array of antivirus engines and website scanners, as well as a comprehensive dataset that is updated in real time. VirusTotal's URL reports provide detailed information about the URLs analyzed, including the scan results, detection ratios, and the time of the last analysis.
Table Usage Guide
The virustotal_url table provides insights into URL reports within VirusTotal. As a cybersecurity analyst, explore URL-specific details through this table, including scan dates, detection ratios, and scan results. Utilize it to uncover information about URLs, such as their safety status, the details of the scans performed on them, and the detection ratios associated with each URL.
Important Notes
- You must specify either the
url(URL address) or theid(hash of the URL) in thewhereclause to query this table.
Examples
Get URL information
Discover the segments that are associated with a specific website by analyzing its URL. This can be beneficial for identifying potential security risks or understanding the website's online footprint.
select *from virustotal_urlwhere url = 'https://github.com';select *from virustotal_urlwhere url = 'https://github.com';Get URL information by ID
Discover the specifics of a particular URL by using its unique ID. This can be particularly useful when investigating potentially harmful or suspicious URLs for cybersecurity purposes.
select *from virustotal_urlwhere id = '09a8b930c8b79e7c313e5e741e1d59c39ae91bc1f10cdefa68b47bf77519be57';select *from virustotal_urlwhere id = '09a8b930c8b79e7c313e5e741e1d59c39ae91bc1f10cdefa68b47bf77519be57';Find all scanner results where result was not clean
Identify instances where the scan results were not clean for a specific URL. This could be used to assess the security and safety of the website, highlighting any potential threats or issues.
select analysis.key as scanner, analysis.value ->> 'result' as resultfrom virustotal.virustotal_url, jsonb_each(last_analysis_results) as analysiswhere url = 'https://github.com' and analysis.value ->> 'result' != 'clean'order by scanner;select analysis.key as scanner, json_extract(analysis.value, '$.result') as resultfrom virustotal.virustotal_url, json_each(last_analysis_results) as analysiswhere url = 'https://github.com' and json_extract(analysis.value, '$.result') != 'clean'order by scanner;Schema for virustotal_url
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| categories | jsonb | Mapping that relates categorisation services with the category it assigns the url to. These services are, among others: Alexa, BitDefender, TrendMicro, Websense ThreatSeeker, etc. | |
| category | text | Normalized result: harmlaess, undetected, suspicious, malicious. | |
| engine_name | text | Complete name of the URL scanning service. | |
| favicon | jsonb | Dictionary including difference hash and md5 hash of the url's favicon. Only available for premium users. | |
| first_submission_date | timestamp with time zone | UTC timestamp of the date where the URL was first submitted to VirusTotal. | |
| html_meta | jsonb | All meta tags (only for URLs downloading a HTML). Keys are the meta tag name and value is a list containing all values of that meta tag. | |
| id | text | = | ID of the URL. |
| last_analysis_date | timestamp with time zone | UTC timestamp representing last time the URL was scanned. | |
| last_analysis_results | jsonb | Result from URL scanners. dict with scanner name as key and a dict with notes/result from that scanner as value. | |
| last_analysis_stats | jsonb | Number of different results from this scans. | |
| last_final_url | text | If the original URL redirects, where does it end. | |
| last_http_response_code | bigint | HTTP response code of the last response. | |
| last_http_response_content_length | bigint | Length in bytes of the content received. | |
| last_http_response_content_sha256 | text | URL response body's SHA256 hash. | |
| last_http_response_cookies | jsonb | The website's cookies. | |
| last_http_response_headers | jsonb | Headers and values of last HTTP response. | |
| last_modification_date | timestamp with time zone | Date when any of IP's information was last updated. | |
| last_submission_date | timestamp with time zone | UTC timestamp representing last time it was sent to be analysed. | |
| method | text | Type of service given by that URL scanning service, e.g. blacklist. | |
| outgoing_links | jsonb | Links to different domains. | |
| reputation | bigint | URL's score calculated from the votes of the VirusTotal's community. | |
| result | text | Raw value returned by the URL scanner: e.g. clean, malicious, suspicious, phishing. It may vary from scanner to scanner, hence the need for the category field for normalisation. | |
| tags | jsonb | List of representative attributes. | |
| targeted_brand | jsonb | Targeted brand info extracted from phishing engines. | |
| times_submitted | bigint | Number of times that URL has been checked. | |
| title | text | Web page title. | |
| total_votes | jsonb | Unweighted number of total votes from the community, divided into harmless and malicious. | |
| trackers | jsonb | contains all found trackers in that URL in a historical manner. Every key is a tracker name, which is a dictionary containing. | |
| url | text | = | The URL to retrieve. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- virustotalYou can pass the configuration to the command with the --config argument:
steampipe_export_virustotal --config '<your_config>' virustotal_url