Public Preview
Threat Profile module is provided as a public preview and is subject to change. Use with caution.
Use this endpoint to update the configuration of a specific Threat Profile object. Changes to your configuration settings may take up to 5 minutes to be reflected in the automatically generated AI recommendations, while Threat objects added by you will remain the same.
Using this endpoint with interests in the request body will completely replace your current Threat Profile interests configuration. Be sure to include all desired interests in the request body, including those you wish to keep unchanged.
Only owners and users with edit privileges can update a Threat Profile, although a user's privileges can be changed by other owners or editors of the Threat Profile.
In the request body, send a threat profile object as follows to update its configuration:
{
  "data": {
    "type": "threat_profile",
    "attributes": {
      "name": "<_string_> Threat Profile name",
      "interests": {
        "INTEREST_TYPE_TARGETED_INDUSTRY": "<_list of strings_> list of targeted industries. Existing options: Aerospace & Defense, Agriculture, Automotive, Chemicals & Materials, Civil Society & Non-Profits, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Multi-sector, Oil & Gas, Other, Pharmaceuticals, Retail, Technology, Telecommunications, Transportation, Unknown.",
        "INTEREST_TYPE_TARGETED_REGION": "<_list of strings_> list of targeted countries by their ISO-3166 code",
        "INTEREST_TYPE_SOURCE_REGION": "<_list of strings_> list of threat origins by their ISO-3166 country code",
        "INTEREST_TYPE_MALWARE_ROLE": "<_list of strings_> list of malware roles of interest. Existing options: Archiver, ATM Malware, Backdoor - Botnet, Backdoor - Webshell, Backdoor, Bootkit, Builder, Controller, Credential Stealer, Cryptocurrency Miner, Data Miner, Decoder, Disruption Tool, Downloader, Dropper - Memory Only, Dropper, Exploit Builder, Exploit, File Infector, Framework, Installer, Keylogger, Lateral Movement Tool, Launcher, Lightweight Backdoor, Module, Point-of-Sale Malware, Privilege Escalation Tool, Ransomware, Reconnaissance Tool, Remote Control and Administration Tool, Remote Exploitation Tool, Rootkit, Screen Capture Tool, Sniffer, Spambot, Tunneler, Uploader, Utility.",
        "INTEREST_TYPE_ACTOR_MOTIVATION": "<_list of strings_> list of actors’ motivations. Existing options: Attack / Destruction, Espionage, Financial Gain, Hacktivism, Influence, Notoriety, Nuisance, Penetration Testing, Surveillance, Opportunistic."
      },
      "recommendation_config": {
        "max_recs_per_type": "<_integer_> Maximum number of recommendations that can be automatically generated by our ML module, per threat type.",
        "min_categories_matched": "<_integer_> The minimum number of matching Categories that is required for our ML module to generate a Recommendation."
      }
    }
  }
}
Examples
Rename the Threat Profile with identifier 332e02da667746f180a9740e94a3ec98 to "WIP - Threat Profile".
import requests

profile_id = "332e02da667746f180a9740e94a3ec98"
url = f"https://www.virustotal.com/api/v3/threat_profiles/{profile_id}"
payload = {
    "data": {
        "type": "threat_profile",
        "attributes": {
            "name": "WIP - Threat Profile"
        }
    }
}
# Replace <api-key> with your VirusTotal API key.
headers = {
    "accept": "application/json",
    "x-apikey": "<api-key>",
    "content-type": "application/json",
}
response = requests.patch(url, json=payload, headers=headers)
Update the Threat Profile with identifier 332e02da667746f180a9740e94a3ec98 to track all motivations and malware activity targeting the Spanish Government, regardless of origin, and update its name as well.
import requests

profile_id = "332e02da667746f180a9740e94a3ec98"
url = f"https://www.virustotal.com/api/v3/threat_profiles/{profile_id}"
# The interests object sent here replaces the profile's current interests.
payload = {
    "data": {
        "type": "threat_profile",
        "attributes": {
            "name": "Spanish complete threat activity",
            "interests": {
                "INTEREST_TYPE_TARGETED_INDUSTRY": ["Government"],
                "INTEREST_TYPE_TARGETED_REGION": ["ES"]
            }
        }
    }
}
# Replace <api-key> with your VirusTotal API key.
headers = {
    "accept": "application/json",
    "x-apikey": "<api-key>",
    "content-type": "application/json",
}
response = requests.patch(url, json=payload, headers=headers)
Update the recommendations configuration of the Threat Profile with identifier 332e02da667746f180a9740e94a3ec98, to get recommendations when at least 3 categories generate matches and to get a maximum of 20 recommendations per threat type.
import requests

profile_id = "332e02da667746f180a9740e94a3ec98"
url = f"https://www.virustotal.com/api/v3/threat_profiles/{profile_id}"
payload = {
    "data": {
        "type": "threat_profile",
        "attributes": {
            "recommendation_config": {
                "max_recs_per_type": 20,
                "min_categories_matched": 3
            }
        }
    }
}
# Replace <api-key> with your VirusTotal API key.
headers = {
    "accept": "application/json",
    "x-apikey": "<api-key>",
    "content-type": "application/json",
}
response = requests.patch(url, json=payload, headers=headers)
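Because sending interests replaces the whole interests configuration, a safe pattern is to build the request body from the profile's current interests plus the intended change. The following is an added example, not part of the original documentation: the helper names are hypothetical, the two-letter region check is an assumption based on the "ES" example above, and only region and motivation values are validated.

```python
import re

# The five interest keys documented on this page.
INTEREST_KEYS = {
    "INTEREST_TYPE_TARGETED_INDUSTRY", "INTEREST_TYPE_TARGETED_REGION",
    "INTEREST_TYPE_SOURCE_REGION", "INTEREST_TYPE_MALWARE_ROLE",
    "INTEREST_TYPE_ACTOR_MOTIVATION",
}
REGION_KEYS = {"INTEREST_TYPE_TARGETED_REGION", "INTEREST_TYPE_SOURCE_REGION"}
# Motivation options as listed on this page.
MOTIVATIONS = {
    "Attack / Destruction", "Espionage", "Financial Gain", "Hacktivism",
    "Influence", "Notoriety", "Nuisance", "Penetration Testing",
    "Surveillance", "Opportunistic",
}
# Assumption: regions are two-letter ISO-3166 codes, as in the "ES" example.
ALPHA2 = re.compile(r"[A-Z]{2}")

def validate_interests(interests):
    """Raise ValueError if the interests object is malformed."""
    for key, values in interests.items():
        if key not in INTEREST_KEYS:
            raise ValueError(f"unknown interest type: {key}")
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f"{key} must be a list of strings")
        bad = []  # industry and malware-role values are not checked here
        if key in REGION_KEYS:
            bad = [v for v in values if not ALPHA2.fullmatch(v)]
        elif key == "INTEREST_TYPE_ACTOR_MOTIVATION":
            bad = [v for v in values if v not in MOTIVATIONS]
        if bad:
            raise ValueError(f"{key}: invalid values {bad}")

def build_interests_patch(current, changes):
    """Merge changes into current interests; None removes an interest type."""
    merged = dict(current)  # keep every interest that is not being changed
    for key, values in changes.items():
        if values is None:
            merged.pop(key, None)
        else:
            merged[key] = values
    validate_interests(merged)
    return {"data": {"type": "threat_profile", "attributes": {"interests": merged}}}

# Constructed sample standing in for the profile's current interests.
CURRENT = {"INTEREST_TYPE_TARGETED_INDUSTRY": ["Government"],
           "INTEREST_TYPE_TARGETED_REGION": ["ES"]}
PAYLOAD = build_interests_patch(CURRENT, {"INTEREST_TYPE_ACTOR_MOTIVATION": ["Espionage"]})
```

The returned dictionary can be passed as the json argument of requests.patch exactly as in the examples above.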