POST https://www.virustotal.com/api/v3/threat_profiles/
Public Preview
The Threat Profile module is provided as a public preview and is subject to change. Use with caution.
Use this endpoint to create a new Threat Profile. All threat profiles are visible to all the members of your group, but only owners and editors can edit them.
You can share the Threat Profiles with other users and groups and give them viewer or editor privileges.
In the request body, send a threat profile object containing its name and interests as follows:
{
  "data": {
    "type": "threat_profile",
    "attributes": {
      "name": "<_string_> Threat Profile name",
      "interests": {
        "INTEREST_TYPE_TARGETED_INDUSTRY": "<_list of strings_> list of targeted industries. Existing options: Aerospace & Defense, Agriculture, Automotive, Chemicals & Materials, Civil Society & Non-Profits, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Multi-sector, Oil & Gas, Other, Pharmaceuticals, Retail, Technology, Telecommunications, Transportation, Unknown.",
        "INTEREST_TYPE_TARGETED_REGION": "<_list of strings_> list of targeted countries by their ISO-3166 code",
        "INTEREST_TYPE_SOURCE_REGION": "<_list of strings_> list of threats origins by their ISO-3166 country code",
        "INTEREST_TYPE_MALWARE_ROLE": "<_list of strings_> list of malware roles of interest. Existing options: Archiver, ATM Malware, Backdoor - Botnet, Backdoor - Webshell, Backdoor, Bootkit, Builder, Controller, Credential Stealer, Cryptocurrency Miner, Data Miner, Decoder, Disruption Tool, Downloader, Dropper - Memory Only, Dropper, Exploit Builder, Exploit, File Infector, Framework, Installer, Keylogger, Lateral Movement Tool, Launcher, Lightweight Backdoor, Module, Point-of-Sale Malware, Privilege Escalation Tool, Ransomware, Reconnaissance Tool, Remote Control and Administration Tool, Remote Exploitation Tool, Rootkit, Screen Capture Tool, Sniffer, Spambot, Tunneler, Uploader, Utility.",
        "INTEREST_TYPE_ACTOR_MOTIVATION": "<_list of strings_> list of actors’ motivations. Existing options: Attack / Destruction, Espionage, Financial Gain, Hacktivism, Influence, Notoriety, Nuisance, Penetration Testing, Surveillance, Opportunistic."
      }
    }
  }
}
Examples
Create a new private Threat Profile to track threat activity generated from Spain with Attack / Destruction and Financial Gain motivations, targeting the Spanish Energy & Utilities and Government institutions via Ransomware campaigns or vulnerability Exploitation.
import requests

url = "https://www.virustotal.com/api/v3/threat_profiles"

# Threat profile object: a name plus one list of strings per interest type.
payload = {
    "data": {
        "type": "threat_profile",
        "attributes": {
            "name": "Spanish threat activity",
            "interests": {
                "INTEREST_TYPE_TARGETED_INDUSTRY": ["Energy & Utilities", "Government"],
                "INTEREST_TYPE_TARGETED_REGION": ["ES"],
                "INTEREST_TYPE_SOURCE_REGION": ["ES"],
                "INTEREST_TYPE_MALWARE_ROLE": ["Exploit", "Ransomware"],
                "INTEREST_TYPE_ACTOR_MOTIVATION": ["Attack / Destruction", "Financial Gain"],
            },
        },
    }
}

# Replace <api-key> with your VirusTotal API key; keep the real key out of source control.
headers = {
    "accept": "application/json",
    "x-apikey": "<api-key>",
    "content-type": "application/json",
}

response = requests.post(url, json=payload, headers=headers)
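The interest values are free-form strings, so a mislabelled industry or a bare string where a list is expected is easy to send by mistake. The following is an added example, not VirusTotal's own code: it checks a profile against the option lists given in the schema above before building the request body. The names `build_threat_profile`, `ALLOWED` and `REGION_KEYS` are hypothetical, and the region check assumes two-letter upper-case country codes, as in the "ES" example.

```python
import re

def _opts(csv):
    return frozenset(csv.split(", "))

# Option lists copied from the schema on this page (public preview, so they may change).
ALLOWED = {
    "INTEREST_TYPE_TARGETED_INDUSTRY": _opts("Aerospace & Defense, Agriculture, Automotive, Chemicals & Materials, Civil Society & Non-Profits, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Multi-sector, Oil & Gas, Other, Pharmaceuticals, Retail, Technology, Telecommunications, Transportation, Unknown"),
    "INTEREST_TYPE_MALWARE_ROLE": _opts("Archiver, ATM Malware, Backdoor - Botnet, Backdoor - Webshell, Backdoor, Bootkit, Builder, Controller, Credential Stealer, Cryptocurrency Miner, Data Miner, Decoder, Disruption Tool, Downloader, Dropper - Memory Only, Dropper, Exploit Builder, Exploit, File Infector, Framework, Installer, Keylogger, Lateral Movement Tool, Launcher, Lightweight Backdoor, Module, Point-of-Sale Malware, Privilege Escalation Tool, Ransomware, Reconnaissance Tool, Remote Control and Administration Tool, Remote Exploitation Tool, Rootkit, Screen Capture Tool, Sniffer, Spambot, Tunneler, Uploader, Utility"),
    "INTEREST_TYPE_ACTOR_MOTIVATION": _opts("Attack / Destruction, Espionage, Financial Gain, Hacktivism, Influence, Notoriety, Nuisance, Penetration Testing, Surveillance, Opportunistic"),
}
REGION_KEYS = {"INTEREST_TYPE_TARGETED_REGION", "INTEREST_TYPE_SOURCE_REGION"}
# Assumption: two-letter upper-case ISO-3166 codes, as in the page's "ES" example.
ISO2 = re.compile(r"[A-Z]{2}")

def build_threat_profile(name, interests):
    """Return the request body, or raise ValueError listing every invalid entry."""
    errors = []
    if not isinstance(name, str) or not name.strip():
        errors.append("name must be a non-empty string")
    for key, values in interests.items():
        if key not in ALLOWED and key not in REGION_KEYS:
            errors.append(f"unknown interest type: {key}")
            continue
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            errors.append(f"{key}: expected a list of strings")
            continue
        for v in values:
            ok = ISO2.fullmatch(v) is not None if key in REGION_KEYS else v in ALLOWED[key]
            if not ok:
                errors.append(f"{key}: invalid value {v!r}")
    if errors:
        raise ValueError("; ".join(errors))
    return {"data": {"type": "threat_profile",
                     "attributes": {"name": name, "interests": interests}}}

if __name__ == "__main__":
    # Constructed input with three mistakes: wrong industry label, bare string, lower-case code.
    bad = {"INTEREST_TYPE_TARGETED_INDUSTRY": ["Energy and Utilities"],
           "INTEREST_TYPE_SOURCE_REGION": "ES",
           "INTEREST_TYPE_TARGETED_REGION": ["es"]}
    try:
        build_threat_profile("demo", bad)
    except ValueError as err:
        print(err)
```

The returned dictionary can be passed as `json=` to `requests.post` exactly as in the example above.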