A Threat Profile serves as a customized lens through which you can view and analyze Google Threat Intelligence's vast data, by defining specific criteria such as the targeted industries, target regions, source regions, malware roles, and actor motivations. These criteria are then leveraged by our machine learning (ML) module – a sophisticated component that learns patterns from threat data to identify and recommend the most relevant threats and create a personalized Threat Profile tailored to your organization's unique risk profile.

Additionally, other objects can be added to profiles by users that find other relevant threats not automatically recommended by our ML module.

Object Attributes

A threat profile object contains the following attributes:

private: <boolean> whether or not the Threat Profile is private.
enable_recommendations: <boolean> whether or not Recommendations automatically generated by our ML are enabled.
recommendation_config: <dictionary> Threat Profile's configuration for
- max_recs_per_type: <integer> maximum number of recommendations that can be automatically generated by our ML module, per threat type. Values range from 1 to 20, with a default of 10.
- min_categories_matched: <integer> the minimum number of matching Categories that is required for our ML module to generate a Recommendation. Values range from 1 to 5, with a default of 1.
- max_days_since_last_seen: <integer> maximum lookback period (in days) for the last modification date of object to generate a Recommendation. Values range from 1 to 365, with a default of 180 days.
interests: <dictionary> Threat Profile's configured interests such as industries, target regions, source regions, malware roles and actor motivations to recommend the most relevant threats.
- INTEREST_TYPE_TARGETED_INDUSTRY: <list_of_strings> list of targeted industries. Existing options: Aerospace & Defense, Agriculture, Automotive, Chemicals & Materials, Civil Society & Non-Profits, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Multi-sector, Oil & Gas, Other, Pharmaceuticals, Retail, Technology, Telecommunications, Transportation, Unknown.
- INTEREST_TYPE_TARGETED_REGION: <list_of_strings> list of targeted regions (ISO-3166 country code).
- INTEREST_TYPE_SOURCE_REGION: <list_of_strings> list of source regions (ISO-3166 country code).
- INTEREST_TYPE_MALWARE_ROLE: <list_of_strings> list of malware roles. Existing options: Archiver, ATM Malware, Backdoor - Botnet, Backdoor - Webshell, Backdoor, Bootkit, Builder, Controller, Credential Stealer, Cryptocurrency Miner, Data Miner, Decoder, Disruption Tool, Downloader, Dropper - Memory Only, Dropper, Exploit Builder, Exploit, File Infector, Framework, Installer, Keylogger, Lateral Movement Tool, Launcher, Lightweight Backdoor, Module, Point-of-Sale Malware, Privilege Escalation Tool, Ransomware, Reconnaissance Tool, Remote Control and Administration Tool, Remote Exploitation Tool, Rootkit, Screen Capture Tool, Sniffer, Spambot, Tunneler, Uploader, Utility.
- INTEREST_TYPE_ACTOR_MOTIVATION: <list_of_strings> list of threat actors motivations. Existing options: Attack / Destruction, Espionage, Financial Gain, Hacktivism, Influence, Notoriety, Nuisance, Penetration Testing, Surveillance, Opportunistic.
last_modification_date: <integer> Threat Profile's last modification date (UTC timestamp).
name: <string> Threat Profile's name.
creation_date: <integer> Threat Profile's creation date (UTC timestamp).
aliases: <list of strings> alternative names by which the threat actor is known.
description: <string> description / context about the threat actor.
first_seen_date: <integer> estimated threat actor's first seen date of activity (UTC timestamp).
last_seen_date: estimated threat actor's last seen date of activity (UTC timestamp).
last_modification_date: <integer> last time when the threat actor was updated (UTC timestamp).
name: <string> threat actor's name.
recent_activity_relative_change: <float> ratio of change between the last two "recent activity" periods. Note: "recent activity" periods are comprised of 14 days.
recent_activity_summary: <list_of_integers> time series representing the activity of the indicators of compromise related to the threat actor. (2 weeks)
related_entities_count <integer> estimated number of related IOCs to the threat actor.
source_region <string> threat actor's source region.
sponsor_region <string> region sponsoring the threat actor.
targeted_industries <list of strings> list of industries the threat actor has targeted.
targeted_regions <list of strings> list of regions the threat actor has targeted.

{
    "data":
    {
        "id": <string>,
        "type": "threat_profile",
        "links":
        {
            "self": "https://www.virustotal.com/api/v3/threat_profiles/<id>"
        },
        "attributes":
        {
            "private": <boolean>,
            "recommendation_config":
            {
                "max_recs_per_type": <integer>,
                "min_categories_matched": <integer>,
                "max_days_since_last_seen": <integer>
            },
            "enable_recommendations": <boolean>,
            "interests":
            {
                "INTEREST_TYPE_TARGETED_INDUSTRY": [<strings>],
                "INTEREST_TYPE_TARGETED_REGION": [<strings>],
                "INTEREST_TYPE_SOURCE_REGION": [<strings>],
                "INTEREST_TYPE_MALWARE_ROLE": [<strings>],
                "INTEREST_TYPE_ACTOR_MOTIVATION": [<strings>]
            },
            "last_modification_date": <integer>,
            "name": <strings>,
            "creation_date": <integer>
        },
        "context_attributes":
        {
            "shared_with_me": <boolean>,
            "role": <strings>
        }
    }
}

{
    "data":
    {
        "id": "332e02da667746f180a9740e94a3ec98",
        "type": "threat_profile",
        "links":
        {
            "self": "https://www.virustotal.com/api/v3/threat_profiles/332e02da667746f180a9740e94a3ec98"
        },
        "attributes":
        {
            "private": true,
            "recommendation_config":
            {
                "max_recs_per_type": 10,
                "min_categories_matched": 1,
                "max_days_since_last_seen": 180
            },
            "enable_recommendations": true,
            "interests":
            {
                "INTEREST_TYPE_TARGETED_INDUSTRY":
                [
                    "Government"
                ],
                "INTEREST_TYPE_TARGETED_REGION":
                [
                    "ES"
                ]
            },
            "last_modification_date": 1744798513,
            "name": "Spanish complete threat activity",
            "creation_date": 1743755506
        },
        "context_attributes":
        {
            "shared_with_me": false,
            "role": "owner"
        }
    }
}

Relationships

In addition to the previously described attributes, threat profile objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.

The following table shows a summary of available relationships.

Relationship	Description	Allowed Methods	Return object type
viewers	Users that can see the Threat Profile, its configuration and threat objects added to it or automatically recommended by our ML	GET, POST	List of Users
editors	Users that can edit any aspect of the Threat Profile, including deleting it	GET, POST	List of Users