ms-sentinel-mcp-server

by dstreefkerk

sentinel_domain_whois_get

Retrieve WHOIS data for domains to identify ownership details, registration dates, and contact information for security investigations.

Instructions

Get WHOIS information for a domain

Input Schema

| Name | Required | Description | Default |
|------|----------|-------------|---------|
| kwargs | Yes | | |

Implementation Reference

  • The async run method implements the core logic: extracts 'domain' parameter, sets up Azure SecurityInsights client, calls domain_whois.get via SDK, processes and returns WHOIS data dict or error.
    async def run(self, ctx: Context, **kwargs):
        """
        Get WHOIS information for a domain.
    
        Args:
            ctx (Context): The MCP tool context.
            **kwargs: Domain as 'domain' parameter.
    
        Returns:
            dict: Results as described in the class docstring.
        """
    
        # Extract parameters
        domain = None
        if "domain" in kwargs:
            domain = kwargs["domain"]
        elif "kwargs" in kwargs and isinstance(kwargs["kwargs"], dict):
            domain = kwargs["kwargs"].get("domain")
    
        if not domain:
            return {"error": "domain parameter is required", "valid": False}
    
        # Get Azure context
        workspace_name, resource_group, subscription_id = self.get_azure_context(ctx)
    
        # Get security insights client
        client = None
        try:
            client = self.get_securityinsight_client(subscription_id)
        except Exception as e:
            self.logger.error("Error initializing Azure SecurityInsights client: %s", e)
            return {
                "error": (
                    f"Azure SecurityInsights client initialization failed: {str(e)}"
                ),
                "valid": False,
            }
    
        if client is None:
            return {
                "error": "Azure SecurityInsights client is not initialized",
                "valid": False,
            }
    
        # Validate Azure context
        valid = self.validate_azure_context(
            client is not None,
            workspace_name,
            resource_group,
            subscription_id,
            self.logger,
        )
        if not valid:
            return {
                "error": "Missing required Azure context or SDK components",
                "valid": False,
            }
    
        try:
            # Get WHOIS data for the domain
            # Based on SDK testing, domain_whois.get() doesn't accept workspace_name
            whois_data = await run_in_thread(
                client.domain_whois.get,
                resource_group_name=resource_group,
                domain=domain,
            )
    
            # Process WHOIS data result
            # Return the full WHOIS data object
            whois_dict = {}
            if hasattr(whois_data, "as_dict"):
                whois_dict = whois_data.as_dict()
            else:
                # If as_dict() is not available, try to convert to dict directly
                whois_dict = dict(whois_data) if whois_data else {}
    
            # Ensure we have at least the domain in the response
            if not whois_dict or not whois_dict.get("domain"):
                whois_dict["domain"] = domain
    
            return {
                "whois": whois_dict,
                "valid": True,
            }
        except Exception as e:
            self.logger.error("Error retrieving WHOIS data for %s: %s", domain, e)
            return {
                "error": f"Error retrieving WHOIS data for {domain}: {str(e)}",
                "valid": False,
            }
  • Class definition with name='sentinel_domain_whois_get', description, and docstring defining input ('domain' parameter) and output schema ({'whois': dict, 'valid': bool, 'error': str}).
    class SentinelDomainWhoisGetTool(MCPToolBase):
        """
        Tool to get WHOIS information for a domain.
    
        Returns:
            dict: {
                'whois': dict,     # WHOIS data as returned by the API
                'valid': bool,     # True if successful
                'error': str (optional)
            }
        """
    
        name = "sentinel_domain_whois_get"
        description = "Get WHOIS information for a domain"
  • The register_tools function registers SentinelDomainWhoisGetTool (line 439) along with other threat intel tools to the FastMCP server.
    def register_tools(mcp: FastMCP):
        """
        Register all Sentinel Threat Intelligence tools with the given MCP instance.
    
        Args:
            mcp (FastMCP): The MCP instance to register tools with.
        """
        SentinelThreatIntelligenceIndicatorGetTool.register(mcp)
        SentinelThreatIntelligenceIndicatorMetricsCollectTool.register(mcp)
        SentinelIPGeodataGetTool.register(mcp)
        SentinelDomainWhoisGetTool.register(mcp)
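
The run method accepts `domain` either as a top-level argument or nested under a `kwargs` dict, and passes the value to the SDK call and into its error strings without checking its shape. A pre-flight check that could run before the Azure call, as an added example that is not code from ms-sentinel-mcp-server; `extract_domain`, `normalize_domain` and `preflight` are hypothetical helper names, and the result dicts only mirror the tool's `valid`/`error` shape.

```python
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def extract_domain(kwargs: dict):
    """Mirror the tool's lookup: top-level 'domain', else nested kwargs['kwargs']."""
    if "domain" in kwargs:
        return kwargs["domain"]
    nested = kwargs.get("kwargs")
    if isinstance(nested, dict):
        return nested.get("domain")
    return None


def normalize_domain(value):
    """Return a lowercase ASCII hostname, or None if value is not a plain domain."""
    if not isinstance(value, str):
        return None
    name = value.strip().rstrip(".").lower()  # drop whitespace and trailing root dot(s)
    try:
        # IDNA-encode so internationalized names become their xn-- form.
        name = name.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    if labels[-1].isdigit():  # all-numeric last label: an IP literal, not a domain
        return None
    return name


def preflight(kwargs: dict) -> dict:
    """Build either a clean lookup request or an error result in the tool's shape."""
    raw = extract_domain(kwargs)
    if not raw:
        return {"error": "domain parameter is required", "valid": False}
    domain = normalize_domain(raw)
    if domain is None:
        # Do not echo the raw value back; it may carry control characters or markup.
        return {"error": "domain is not a valid hostname", "valid": False}
    return {"domain": domain, "valid": True}
```

Only a result with `valid` set to True would go on to `client.domain_whois.get`; rejected input never reaches the API or the log line that interpolates `domain`.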
