Get a Threat's observed actions list

🚧

Special privileges required

Threat Actors and Campaigns are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

🚧

Use with caution

Please note that this endpoint will eventually be deprecated. We are actively developing a unified observation concept that will integrate event data from this endpoint with other sources.

Returns the list of observed actions related to or associated with a Campaign, in the following format:

{
    "data": /* <_list of dictionaries_> list of timeline associations. */
    [
        {
            "name": "<_string_> observed action's name",
            "description": "<_string_> observed action's description",
            "event_type": "<_string_> observed action's type. Available values: `first_observed`, `created`, `key_event`, `technique_observed`",
            "event_at": "<_integer_> Unix epoch UTC time (seconds) of the observed action",
            "event_category": "<_string_> observed action's category. Available values: `First Observed`, `Event`, `X509`, `Host Command`, `Campaign Created`, `Malicious Executable`, `Phishing Email`, `Technique Observed`",
            "detail": "<_string_> observed commands. This field is available for actions in the `Event` and `Host Command` categories",
            "related_collections": /* List of Threat objects associated with the observed activity. This field is available for all actions except those of type `first_observed` and `created` */
            [
                {
                    "name": "<_string_> name of the associated Threat object",
                    "id": "<_string_> identifier of the associated Threat object",
                    "type": "<_string_> type of the associated Threat object. Available values: `malware-family`, `threat-actor`, `software-toolkit`"
                }
            ],
            "mandiant_techniques": /* List of Mandiant observed techniques. This field is available for actions in the `Event`, `Host Command` and `Technique Observed` categories */
            [
                {
                    "name": "<_string_> Mandiant technique name",
                    "id": "<_string_> identifier of the mandiant technique or observed attack pattern",
                    "techniques": /* List of associated Mitre techniques */
                    [
                        {
                            "name": "<_string_> Mitre technique name",
                            "tactics": "<_list of strings_> Mitre tactics associated with the technique",
                            "id": "<_string_> Mitre technique identifier"
                        }
                    ]
                }
            ],
            "indicators": /* List of Indicators of Compromise (files) associated with the observed activity. This field is available for actions in the `X509` and `Malicious Executable` categories */
            [
                {
                    "id": "<_string_> indicator's identifier",
                    "type": "file"
                }
            ],
            "emails": /* List of emails' subjects and senders associated with the observed activity. This field is available for actions in the `Phishing Email` category only */
            [
                {
                    "subject": "<_string_> email's subject",
                    "email_from": "<_string_> email's sender"
                }
            ]
        }
    ]
}

Example response

{
    "data":
    [
        {
            "event_at": 1714003200,
            "name": "First Observed",
            "event_category": "First Observed",
            "description": "Mandiant Observed First Activity of Campaign",
            "event_type": "first_observed"
        },
        {
            "indicators":
            [
                {
                    "type": "file",
                    "id": "760ccce32e823eed2e97ab344b4e3205"
                }
            ],
            "event_at": 1714003200,
            "name": "Malicious Executable",
            "event_category": "Malicious Executable",
            "description": "Malicious Executable Compiled",
            "event_type": "key_event"
        },
        {
            "event_at": 1718150400,
            "name": "MSIX Payload Downloaded into the System After Accessing a Compromised Site",
            "event_category": "Event",
            "description": "The victim visited a compromised website and clicked on the Update Chrome button which triggered FAKETREFF to download and save the MSIX payload into the system.",
            "related_collections":
            [
                {
                    "type": "threat-actor",
                    "id": "threat-actor--1c9f1fc0-b34a-53d4-9cc4-c0669f8068cb",
                    "name": "UNC5518"
                }
            ],
            "mandiant_techniques":
            [
                {
                    "id": "attack-pattern--f8b711f6-9200-5d94-babf-f7ce179e4fe2",
                    "techniques":
                    [
                        {
                            "id": "T1189",
                            "tactics":
                            [
                                "Initial Access"
                            ],
                            "name": "Drive-by Compromise"
                        }
                    ],
                    "name": "Compromise through masquerading web resources"
                }
            ],
            "event_type": "key_event"
        }
    ]
}

Examples

Get the list of observed actions associated with the Campaign whose identifier is campaign--183a3a9d-fbe6-54b1-9ec7-a807687ba94c.

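import os

import requests

# Campaign whose observed-action timeline is requested.
object_id = "campaign--183a3a9d-fbe6-54b1-9ec7-a807687ba94c"

# Read the API key from the environment instead of embedding it in the source,
# so the credential is not committed or shared together with the script.
# (GTI_API_KEY is an environment-variable name chosen for this example.)
api_key = os.environ["GTI_API_KEY"]

url = f"https://www.virustotal.com/api/v3/collections/{object_id}/timeline/events"
headers = {
    "accept": "application/json",
    "x-apikey": api_key,
}

# A timeout keeps the script from hanging indefinitely if the service stalls;
# raise_for_status() turns an HTTP error response into an exception instead of
# leaving a failed request (for example a missing license or bad key) unnoticed.
response = requests.get(url, headers=headers, timeout=30)
response.raise_for_status()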