🚧
Public Preview
Threat Profile module is provided as a public preview and is subject to change. Use with caution.

Use this endpoint to update a certain Threat Profile object configuration. Changes to your configuration settings may take up to 5 minutes to update automatically IA generate recommendations, while Threat objects added by you will remain the same.

Using this endpoint with interests in the request body will completely replace your current Threat Profile interests configuration. Be sure to include all desired interests in the request body, including those you wish to keep unchanged.

Only owners and users with edition privileges can update a threat profile, although users privileges can be changed by other owners or editors of the Threat Profile.

In the request body, send a threat profile object as follows to update its configuration:

{
    "data":
    {
        "type": "threat_profile",
        "attributes":
        {
            "name": "<_string_> Threat Profile name",
            "interests":
            {
                "INTEREST_TYPE_TARGETED_INDUSTRY": "<_list of strings_> list of targeted industries. Existing options: Aerospace & Defense, Agriculture, Automotive, Chemicals & Materials, Civil Society & Non-Profits, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Multi-sector, Oil & Gas, Other, Pharmaceuticals, Retail, Technology, Telecommunications, Transportation, Unknown.",
                "INTEREST_TYPE_TARGETED_REGION":"<_list of strings_> list of targeted countries by their ISO-3166 code",
                "INTEREST_TYPE_SOURCE_REGION": "<_list of strings_> list of threats origins by their ISO-3166 country code",
                "INTEREST_TYPE_MALWARE_ROLE": "<_list of strings_> list of malware roles of interest. Existing options: Archiver, ATM Malware, Backdoor - Botnet, Backdoor - Webshell, Backdoor, Bootkit, Builder, Controller, Credential Stealer, Cryptocurrency Miner, Data Miner, Decoder, Disruption Tool, Downloader, Dropper - Memory Only, Dropper, Exploit Builder, Exploit, File Infector, Framework, Installer, Keylogger, Lateral Movement Tool, Launcher, Lightweight Backdoor, Module, Point-of-Sale Malware, Privilege Escalation Tool, Ransomware, Reconnaissance Tool, Remote Control and Administration Tool, Remote Exploitation Tool, Rootkit, Screen Capture Tool, Sniffer, Spambot, Tunneler, Uploader, Utility.",
                "INTEREST_TYPE_ACTOR_MOTIVATION": "<_list of strings_> list of actors’ motivations. Existing options: Attack / Destruction, Espionage, Financial Gain, Hacktivism, Influence, Notoriety, Nuisance, Penetration Testing, Surveillance, Opportunistic."
            },
            "recommendation_config":
            {
                "max_recs_per_type": "<_integer_> Maximum number of recommendations that can be automatically generated by our ML module, per threat type. Values range from 1 to 20, with a default of 10.",
                "min_categories_matched": "<_integer_> The minimum number of matching Categories that is required for our ML module to generate a Recommendation. Values range from 1 to 5, with a default of 1.",
                "max_days_since_last_seen": "<_integer_> The maximum lookback period (in days) for the last modification date of object to generate a Recommendation. Values range from 1 to 365, with a default of 180 days."
            }
        }
    }
}

Examples

Rename the Threat Profiles with identifier 332e02da667746f180a9740e94a3ec98 to "WIP - Threat Profile".

import requests

profile_id = "332e02da667746f180a9740e94a3ec98"

url = f"https://www.virustotal.com/api/v3/threat_profiles/{profile_id}"

payload = {
    "data":
    {
        "type": "threat_profile",
        "attributes":
        {
            "name": "WIP - Threat Profile"
        }
    }
}

headers = {"accept": "application/json","x-apikey": <api-key>,"content-type": "application/json"}

response = requests.patch(url, json=payload, headers=headers)

Updates the Threat Profiles with identifier 332e02da667746f180a9740e94a3ec98 to track all motivations and malware activity targeting the Spanish Government, regardless of origin, including its name.

import requests

profile_id = "332e02da667746f180a9740e94a3ec98"

url = f"https://www.virustotal.com/api/v3/threat_profiles/{profile_id}"

payload = {
    "data":
    {
        "type": "threat_profile",
        "attributes":
        {
            "name": "Spanish complete threat activity",
            "interests":
            {
                "INTEREST_TYPE_TARGETED_INDUSTRY":
                [
                   "Government"
                ],
                "INTEREST_TYPE_TARGETED_REGION":
                [
                    "ES"
                ]
            }
        }
    }
}

headers = {"accept": "application/json","x-apikey": <api-key>,"content-type": "application/json"}

response = requests.patch(url, json=payload, headers=headers)

Updates threat profile configuration 332e02da667746f180a9740e94a3ec98 to generate recommendations when at least 3 categories match, with a maximum of 20 recommendations per threat type, considering objects modified within the last 30 days.

import requests

profile_id = "332e02da667746f180a9740e94a3ec98"

url = f"https://www.virustotal.com/api/v3/threat_profiles/{profile_id}"

payload = {
    "data":
    {
        "type": "threat_profile",
        "attributes":
        {
            "recommendation_config":
            {
                "max_recs_per_type": 20,
                "min_categories_matched": 3,
                "max_days_since_last_seen": 30
            }
        }
    }
}

headers = {"accept": "application/json","x-apikey": <api-key>,"content-type": "application/json"}

response = requests.patch(url, json=payload, headers=headers)

200200

400400