Skip to main content
Glama
Sentinel-One

Purple AI MCP Server

Official
by Sentinel-One

threat_intel_get_file_behavior

Retrieve detailed sandbox behavioral analysis for a file hash to understand malware capabilities, including process activity, network connections, and MITRE ATT&CK techniques. Essential for threat detection and incident response.

Instructions

Get detailed behavioral analysis report for a file from VirusTotal sandboxes.

This tool retrieves sandbox execution reports that show what a file does when run, including process activity, network connections, file operations, registry changes, and MITRE ATT&CK techniques. Essential for understanding malware capabilities and identifying detection opportunities.

What this tool provides:

  • Process tree and execution flow

  • Network connections (IPs, domains, URLs contacted)

  • File system operations (files created, modified, deleted)

  • Registry modifications

  • MITRE ATT&CK TTPs (Tactics, Techniques, Procedures)

  • API calls and system interactions

  • Behavioral signatures matched

  • Mutex/synchronization objects

  • Memory operations

Common Use Cases:

  • Malware analysis: Understand what a file does when executed

  • Detection engineering: Identify behavioral indicators for rules

  • Incident response: Determine malware capabilities and impact

  • Threat intelligence: Extract TTPs for threat profiling

  • IOC extraction: Get network and file system indicators

  • Attribution: Identify techniques used by specific threat actors

Args: hash_value: The file hash (SHA256 preferred) to query. sandbox: Optional specific sandbox name (e.g., 'VirusTotal Jujubox', 'C2AE'). If not specified, returns the default/first available report.

Returns: JSON string containing detailed behavioral analysis (up to 50 reports) including: - Processes created and their relationships - Network activity (DNS, HTTP, TCP/IP) - File system operations - Registry operations - MITRE ATT&CK techniques - Behavioral signatures - Sandbox metadata (environment, time)

Examples: hash_value="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" hash_value="44d88612fea8a8f36de82e1278abb02f", sandbox="VirusTotal Jujubox"

Notes: - Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable) - Only SHA256 hashes are supported for behavior reports - Returns up to 50 behavior reports - Not all files have behavioral analysis (requires sandbox execution) - Multiple sandbox environments may have analyzed the same file - Reports reflect behavior in a controlled sandbox environment - Private API keys have access to more detailed reports - When no behavior report is found, returns a structured JSON response with found=false - IMPORTANT: Do NOT call this tool repeatedly with the same parameters. It returns the same data each time, not additional results.

Raises: ThreatIntelligenceClientError: If there's an error communicating with the API. RuntimeError: If the API key is not configured.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
sandboxNo
hash_valueYes

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description fully discloses behavioral traits: requires API key, supports only SHA256, returns up to 50 reports, behavior in controlled sandbox, private key access, and structured response on missing data. No contradictions.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with sections and bullet points, front-loaded with a summary. While somewhat verbose, every section adds value and no information is redundant. Slightly long but appropriate for the complexity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has an output schema (though not shown), the description still covers return format with field lists. It includes all necessary sections: purpose, parameters, returns, examples, notes, and use cases. Complete for a complex threat intelligence tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must compensate. It thoroughly explains both parameters: hash_value (SHA256 preferred) and sandbox (optional sandbox name), with examples and formatting details, adding substantial meaning beyond the bare schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool retrieves behavioral analysis reports from VirusTotal sandboxes, specifying the action (get), resource (file behavior), and context. It distinguishes from sibling tools like threat_intel_by_hash and threat_intel_get_file_relationships by focusing on sandbox execution details.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly lists common use cases (malware analysis, detection engineering, etc.) and provides critical usage notes, including when not to use (e.g., not all files have analysis) and an important warning against repeated calls with the same parameters.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sentinel-One/purple-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server