list_threat_actors
Search, browse, and list threat actors by name, UUID, or timestamp. Generate reports, build threat intelligence briefings, and compare multiple actors for comprehensive cybersecurity insights using filtering and sorting capabilities.
Instructions
Get threat actors
Use this tool when you need to search, browse, or list multiple threat actors. This is particularly useful for:
- Discovering recently added threat actors in the database
- Searching for specific threat actors by name
- Creating reports on threat actor landscapes
- Building comprehensive threat intelligence briefings
- Comparing multiple threat actors
Args:
- filter (str, optional): A string used to filter threat actors. It can start with specific prefixes:
  * `name:` Filter by Name.
  * `uuid:` Filter by UUID.
  * If no prefix is provided, it defaults to a name filter.
  Defaults to "".
- offset (int, optional): The number of items to skip before starting to collect the result set. Defaults to 0.
- limit (int, optional): The maximum number of items to return. Minimum value is 1. Defaults to 10 (API default is 100).
- sort (str, optional): Field to sort by - either 'name', 'created_at', or 'updated_at'. Defaults to 'created_at'.
- order (str, optional): Sort order - either 'asc' or 'desc'. Defaults to 'desc'.
Returns:
Dict[str, Any]: Dictionary containing:
- total: Total number of threat actors matching the filter criteria
- offset: Current pagination offset
- limit: Number of items returned per page
- message: Status message (usually null when successful)
- data: List of threat actor records, each containing:
  - uuid: Unique identifier for the threat actor
  - name: Machine-readable name (typically lowercase with underscores)
  - display_name: Human-readable name with proper formatting
  - gen_description: Generated description (if available)
  - misp_uuid: Reference ID in MISP (Malware Information Sharing Platform)
  - created_at: Timestamp when this record was first added
  - updated_at: Timestamp when this record was last modified
  - enriched_at: Timestamp when this record was last enriched with additional data
Note: This function returns summary information about threat actors. To get detailed information including mentions and intelligence sources for a specific threat actor, use the get_threat_actor() function with the uuid or name.
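The following is an added example, not code from this tool or its project: it shows how a client could walk every page of results using the documented `offset`, `limit` and `total` fields. The names `iter_threat_actors`, `normalize_filter` and `fake_list_threat_actors` are hypothetical, the sample records are constructed, and the stand-in's substring matching is an assumption.

```python
from typing import Any, Callable, Dict, Iterator

VALID_SORT = {"name", "created_at", "updated_at"}
VALID_ORDER = {"asc", "desc"}

def normalize_filter(value: str) -> str:
    """Make the documented default explicit: no prefix means a name filter."""
    if not value or value.startswith(("name:", "uuid:")):
        return value
    return "name:" + value

def iter_threat_actors(call: Callable[..., Dict[str, Any]], filter: str = "",
                       page_size: int = 10, sort: str = "created_at",
                       order: str = "desc") -> Iterator[Dict[str, Any]]:
    """Yield every matching record by walking offset/limit pages up to `total`."""
    if page_size < 1:
        raise ValueError("limit must be at least 1")
    if sort not in VALID_SORT or order not in VALID_ORDER:
        raise ValueError("unsupported sort or order value")
    offset = 0
    while True:
        page = call(filter=normalize_filter(filter), offset=offset,
                    limit=page_size, sort=sort, order=order)
        rows = page.get("data") or []
        yield from rows
        offset += len(rows)
        # Stop on an empty page too, so a changing `total` cannot loop forever.
        if not rows or offset >= page.get("total", 0):
            return

# Constructed sample records (not real actors) and a hypothetical stand-in for
# the tool; substring matching here is an assumption made for the demo.
_SAMPLE = [{"uuid": f"00000000-0000-0000-0000-00000000000{i}", "name": n,
            "display_name": n.replace("_", " ").title(),
            "created_at": f"2024-01-0{i}T00:00:00Z"}
           for i, n in enumerate(
               ["example_actor_a", "example_actor_b", "sample_group_c"], 1)]

def fake_list_threat_actors(filter="", offset=0, limit=10,
                            sort="created_at", order="desc"):
    key, _, term = filter.partition(":")
    rows = [r for r in _SAMPLE if not filter or term in r[key]]
    rows.sort(key=lambda r: r[sort], reverse=(order == "desc"))
    return {"total": len(rows), "offset": offset, "limit": limit,
            "message": None, "data": rows[offset:offset + limit]}

if __name__ == "__main__":
    for actor in iter_threat_actors(fake_list_threat_actors, page_size=2):
        print(actor["uuid"], actor["display_name"])
```

To use it against the real tool, pass a callable that forwards the keyword arguments to `list_threat_actors` in place of the stand-in.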
Input Schema
Name | Required | Description | Default |
---|---|---|---|
filter | No | | |
limit | No | | |
offset | No | | |
order | No | | desc |
sort | No | | created_at |