ms-sentinel-mcp-server

by dstreefkerk

sentinel_domain_whois_get

Retrieve WHOIS data for domains to identify ownership details, registration dates, and contact information for security investigations.

Instructions

Get WHOIS information for a domain

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| kwargs | Yes | | |

Implementation Reference

  • The async run method implements the core logic: extracts 'domain' parameter, sets up Azure SecurityInsights client, calls domain_whois.get via SDK, processes and returns WHOIS data dict or error.
    async def run(self, ctx: Context, **kwargs):
        """
        Get WHOIS information for a domain.
    
        Args:
            ctx (Context): The MCP tool context.
            **kwargs: Domain as 'domain' parameter.
    
        Returns:
            dict: Results as described in the class docstring.
        """
    
        # Extract parameters
        domain = None
        if "domain" in kwargs:
            domain = kwargs["domain"]
        elif "kwargs" in kwargs and isinstance(kwargs["kwargs"], dict):
            domain = kwargs["kwargs"].get("domain")
    
        if not domain:
            return {"error": "domain parameter is required", "valid": False}
    
        # Get Azure context
        workspace_name, resource_group, subscription_id = self.get_azure_context(ctx)
    
        # Get security insights client
        client = None
        try:
            client = self.get_securityinsight_client(subscription_id)
        except Exception as e:
            self.logger.error("Error initializing Azure SecurityInsights client: %s", e)
            return {
                "error": (
                    f"Azure SecurityInsights client initialization failed: {str(e)}"
                ),
                "valid": False,
            }
    
        if client is None:
            return {
                "error": "Azure SecurityInsights client is not initialized",
                "valid": False,
            }
    
        # Validate Azure context
        valid = self.validate_azure_context(
            client is not None,
            workspace_name,
            resource_group,
            subscription_id,
            self.logger,
        )
        if not valid:
            return {
                "error": "Missing required Azure context or SDK components",
                "valid": False,
            }
    
        try:
            # Get WHOIS data for the domain
            # Based on SDK testing, domain_whois.get() doesn't accept workspace_name
            whois_data = await run_in_thread(
                client.domain_whois.get,
                resource_group_name=resource_group,
                domain=domain,
            )
    
            # Process WHOIS data result
            # Return the full WHOIS data object
            whois_dict = {}
            if hasattr(whois_data, "as_dict"):
                whois_dict = whois_data.as_dict()
            else:
                # If as_dict() is not available, try to convert to dict directly
                whois_dict = dict(whois_data) if whois_data else {}
    
            # Ensure we have at least the domain in the response
            if not whois_dict or not whois_dict.get("domain"):
                whois_dict["domain"] = domain
    
            return {
                "whois": whois_dict,
                "valid": True,
            }
        except Exception as e:
            self.logger.error("Error retrieving WHOIS data for %s: %s", domain, e)
            return {
                "error": f"Error retrieving WHOIS data for {domain}: {str(e)}",
                "valid": False,
            }
  • Class definition with name='sentinel_domain_whois_get', description, and docstring defining input ('domain' parameter) and output schema ({'whois': dict, 'valid': bool, 'error': str}).
    class SentinelDomainWhoisGetTool(MCPToolBase):
        """
        Tool to get WHOIS information for a domain.
    
        Returns:
            dict: {
                'whois': dict,     # WHOIS data as returned by the API
                'valid': bool,     # True if successful
                'error': str (optional)
            }
        """
    
        name = "sentinel_domain_whois_get"
        description = "Get WHOIS information for a domain"
  • The register_tools function registers SentinelDomainWhoisGetTool (line 439) along with other threat intel tools to the FastMCP server.
    def register_tools(mcp: FastMCP):
        """
        Register all Sentinel Threat Intelligence tools with the given MCP instance.
    
        Args:
            mcp (FastMCP): The MCP instance to register tools with.
        """
        SentinelThreatIntelligenceIndicatorGetTool.register(mcp)
        SentinelThreatIntelligenceIndicatorMetricsCollectTool.register(mcp)
        SentinelIPGeodataGetTool.register(mcp)
        SentinelDomainWhoisGetTool.register(mcp)
Behavior: 2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden of behavioral disclosure. It states it 'gets' information, implying a read-only operation, but doesn't specify authentication needs, rate limits, error handling, or what the output looks like. For a tool with zero annotation coverage, this is a significant gap.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, clear sentence with no wasted words. It's front-loaded and efficiently conveys the core purpose without unnecessary elaboration.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the lack of annotations, 0% schema coverage, no output schema, and a single but undocumented parameter, the description is insufficient. It doesn't compensate for the missing structured data, leaving the agent with inadequate information to use the tool effectively.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 1/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 1 parameter ('kwargs') with 0% description coverage, and the tool description provides no information about parameters. The agent has no guidance on what 'kwargs' should contain (e.g., domain name, format options), making parameter usage unclear.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
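
The run method in the Implementation Reference takes `domain` from either `kwargs["domain"]` or a nested `kwargs["kwargs"]` dict and only checks that it is non-empty before the SDK call, while the schema gives an agent no hint of the expected format. As an added example (not code from ms-sentinel-mcp-server; the names `extract_domain`, `normalize_domain` and `validate_request` are hypothetical), this shows one way to normalize the value and reject URLs, IP addresses and malformed labels before anything is sent to Azure:

```python
import re

# Hypothetical helpers for illustration; not part of ms-sentinel-mcp-server.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def extract_domain(kwargs):
    """Accept both call shapes the run method handles."""
    if "domain" in kwargs:
        return kwargs["domain"]
    nested = kwargs.get("kwargs")
    return nested.get("domain") if isinstance(nested, dict) else None


def normalize_domain(value):
    """Return (domain, None) for a usable name or (None, reason) otherwise."""
    if not isinstance(value, str) or not value.strip():
        return None, "domain parameter is required"
    name = value.strip().rstrip(".").lower()
    # URLs, e-mail addresses and host:port pairs are not bare domains.
    if any(c in "/:@?#\\" or c.isspace() for c in name):
        return None, "expected a bare domain, not a URL or address"
    if len(name) > 253:
        return None, "domain is longer than 253 characters"
    try:
        # Internationalized names are converted to their ASCII (punycode) form.
        name = name.encode("idna").decode("ascii")
    except UnicodeError:
        return None, "domain is not valid IDNA"
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None, "domain needs at least two labels within 253 characters"
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None, "domain contains an invalid label"
    if labels[-1].isdigit():
        return None, "IP addresses are not accepted"
    return name, None


def validate_request(kwargs):
    """Produce the tool's result shape without touching Azure."""
    domain, reason = normalize_domain(extract_domain(kwargs))
    if reason:
        return {"error": reason, "valid": False}
    return {"domain": domain, "valid": True}
```
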

Purpose: 4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('Get') and resource ('WHOIS information for a domain'), making the purpose immediately understandable. However, it doesn't distinguish this tool from any potential siblings (e.g., other WHOIS-related tools), though none are listed among the provided siblings, so this is a minor gap.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. It doesn't mention prerequisites, limitations, or related tools, leaving the agent to infer usage based on the name alone.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dstreefkerk/ms-sentinel-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.