get_threat_actor
Retrieve detailed intelligence on a specific threat actor or APT group, including TTPs, target sectors, and references from multiple sources, to analyze security incidents and enhance threat intelligence briefings.
Instructions
Get threat actor by identifier
Use this tool when you need detailed intelligence about a specific threat actor or advanced persistent threat (APT) group. This information is valuable for:
Understanding the tactics, techniques, and procedures (TTPs) of threat actors
Researching who might be behind a security incident
Evaluating the sophistication level of potential adversaries
Gathering threat intelligence for security briefings
Understanding which sectors or regions a threat actor typically targets
Args:
- identifier (str): The identifier of the threat actor. Either:
  - UUID (e.g., "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1")
  - Name (e.g., "dark_cloud_shield")

Returns: Dict[str, Any]: Detailed threat actor information including:
- uuid: Unique identifier for this threat actor
- name: Machine-readable name (typically lowercase with underscores)
- display_name: Human-readable name with proper formatting
- created_at/updated_at/enriched_at: Timestamps for record management
- gen_description: Generated description (if available)
- mentions: List of references to this threat actor from various sources, each containing:
  - uuid: Unique identifier for this mention
  - overview: Summary of the threat actor's activities from this source
  - published_at: When the source material was published
  - collected_at: When this mention was collected
  - reference_url: URL of the source material
  - reference_source: Name of the source (e.g., "talos_intelligence_blog")
  - reference_user_generated_content: Whether this is user-generated content
  - Other metadata about the mention and reference
These mentions provide valuable context about the threat actor's:
Known attack vectors and exploited vulnerabilities
Target sectors, regions, or organizations
Tools and malware used
Attribution confidence and alternate names
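The fields above are enough to do two things a consumer of this tool usually wants before a briefing: check that the identifier is a plausible UUID or machine name before spending an API call, and collapse the mentions list (duplicate crawls of the same URL, user-generated reposts) into a deduplicated, newest-first timeline. The following is an added example, not code from the Mallory AI MCP server or its client library; the sample response is constructed to match the documented shape and contains no real intelligence, and the name pattern (lowercase letters, digits, underscores) is an assumption drawn from the "lowercase with underscores" description, not a documented server rule.

```python
import re
import uuid
from datetime import datetime
from typing import Any, Dict

# Constructed sample of the shape get_threat_actor documents. Values are
# illustrative only; m-3 is a re-crawl of the same URL as m-1, and m-2 is
# user-generated content.
SAMPLE_ACTOR: Dict[str, Any] = {
    "uuid": "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1",
    "name": "dark_cloud_shield",
    "display_name": "Dark Cloud Shield",
    "created_at": "2024-01-10T08:00:00Z",
    "updated_at": "2024-05-02T12:30:00Z",
    "enriched_at": "2024-05-02T12:35:00Z",
    "gen_description": None,
    "mentions": [
        {"uuid": "m-1", "overview": "Phishing campaign against the energy sector.",
         "published_at": "2024-03-01T00:00:00Z", "collected_at": "2024-03-02T00:00:00Z",
         "reference_url": "https://example.com/report-a", "reference_source": "vendor_blog",
         "reference_user_generated_content": False},
        {"uuid": "m-2", "overview": "Same campaign, reposted by a forum user.",
         "published_at": "2024-03-05T00:00:00Z", "collected_at": "2024-03-06T00:00:00Z",
         "reference_url": "https://example.com/forum/123", "reference_source": "forum",
         "reference_user_generated_content": True},
        {"uuid": "m-3", "overview": "Duplicate crawl of report A.",
         "published_at": "2024-03-01T00:00:00Z", "collected_at": "2024-04-01T00:00:00Z",
         "reference_url": "https://example.com/report-a", "reference_source": "vendor_blog",
         "reference_user_generated_content": False},
    ],
}

# Assumed shape of a machine-readable name; the tool itself does not document one.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_]{1,63}$")


def classify_identifier(identifier: str) -> str:
    """Return 'uuid' or 'name' for a well-formed identifier, else raise ValueError.

    Client-side pre-check so junk (empty strings, free text) never reaches the tool.
    """
    if not isinstance(identifier, str) or not identifier.strip():
        raise ValueError("identifier must be a non-empty UUID or machine-readable name")
    ident = identifier.strip()
    try:
        uuid.UUID(ident)
        return "uuid"
    except ValueError:
        pass
    if NAME_RE.match(ident):
        return "name"
    raise ValueError(f"not a UUID or lowercase_underscore name: {identifier!r}")


def _parse_ts(value: str) -> datetime:
    # The documented timestamps are ISO-8601; tolerate a trailing 'Z' on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_mentions(actor: Dict[str, Any], include_ugc: bool = False) -> Dict[str, Any]:
    """Collapse the mentions list into a briefing-friendly summary.

    - drops user-generated content unless include_ugc is True
    - dedupes by reference_url, keeping the earliest-collected copy
    - sorts the survivors newest-published first
    """
    by_url: Dict[str, Dict[str, Any]] = {}
    for m in actor.get("mentions", []):
        if m.get("reference_user_generated_content") and not include_ugc:
            continue
        key = m.get("reference_url") or m["uuid"]
        prev = by_url.get(key)
        if prev is None or _parse_ts(m["collected_at"]) < _parse_ts(prev["collected_at"]):
            by_url[key] = m
    unique = sorted(by_url.values(), key=lambda m: _parse_ts(m["published_at"]), reverse=True)
    return {
        "actor": actor.get("display_name") or actor.get("name"),
        "mention_count": len(actor.get("mentions", [])),
        "unique_sources": sorted({m["reference_source"] for m in unique}),
        "timeline": [
            {"published_at": m["published_at"], "source": m["reference_source"],
             "overview": m["overview"]}
            for m in unique
        ],
    }


if __name__ == "__main__":
    print(classify_identifier(SAMPLE_ACTOR["uuid"]), classify_identifier(SAMPLE_ACTOR["name"]))
    print(summarize_mentions(SAMPLE_ACTOR))
```

In practice the dict returned by `get_threat_actor` would be passed to `summarize_mentions` in place of `SAMPLE_ACTOR`. Keeping the earliest-collected copy of a URL preserves the original sighting date, and excluding user-generated content by default keeps attribution claims from forums out of a briefing unless they are deliberately requested.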
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| identifier | No | UUID or machine-readable name of the threat actor (e.g., "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1" or "dark_cloud_shield") | None |
Implementation Reference
The handler function for the `get_threat_actor` tool. It is registered with the `@mcp.tool()` decorator, takes an identifier (UUID or name), fetches detailed threat actor information via `malloryai_client`, and returns it as a dictionary. The docstring carries the input/output schema shown above. Note that the signature defaults `identifier` to `None`, which is why the input schema marks it as not required; the backend still needs a UUID or name to return anything useful.

```python
from typing import Any, Dict

# `mcp`, `handle_api_errors` and `malloryai_client` are defined elsewhere in the
# server module; they are not shown on this page.


@mcp.tool()
@handle_api_errors
async def get_threat_actor(
    identifier: str = None,
) -> Dict[str, Any]:
    """Get threat actor by identifier

    Use this tool when you need detailed intelligence about a specific threat actor
    or advanced persistent threat (APT) group. This information is valuable for:
    - Understanding the tactics, techniques, and procedures (TTPs) of threat actors
    - Researching who might be behind a security incident
    - Evaluating the sophistication level of potential adversaries
    - Gathering threat intelligence for security briefings
    - Understanding which sectors or regions a threat actor typically targets

    Args:
        identifier (str): The identifier of the threat actor - can be either:
            - UUID (e.g., "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1")
            - Name (e.g., "dark_cloud_shield")

    Returns:
        Dict[str, Any]: Detailed threat actor information including:
            - uuid: Unique identifier for this threat actor
            - name: Machine-readable name (typically lowercase with underscores)
            - display_name: Human-readable name with proper formatting
            - created_at/updated_at/enriched_at: Timestamps for record management
            - gen_description: Generated description (if available)
            - mentions: List of references to this threat actor from various sources,
              each containing:
                - uuid: Unique identifier for this mention
                - overview: Summary of the threat actor's activities from this source
                - published_at: When the source material was published
                - collected_at: When this mention was collected
                - reference_url: URL of the source material
                - reference_source: Name of the source (e.g., "talos_intelligence_blog")
                - reference_user_generated_content: Whether this is user-generated content
                - Other metadata about the mention and reference

    These mentions provide valuable context about the threat actor's:
    - Known attack vectors and exploited vulnerabilities
    - Target sectors, regions, or organizations
    - Tools and malware used
    - Attribution confidence and alternate names
    """
    # Delegates straight to the client; error handling is done by @handle_api_errors.
    return await malloryai_client.threat_actors.get_threat_actor(identifier)
```