Skip to main content
Glama
googleSandy

Google Threat Intelligence MCP Server

by googleSandy
OverviewSchemaRelated ServersScoreDiscussions
Python
Hybrid

get_entities_related_to_a_collection

Retrieve threat intelligence entities like domains, IPs, malware, or attack techniques associated with a specific collection ID in Google's Threat Intelligence platform.

Instructions

Retrieve entities related to the the given collection ID.

The following table shows a summary of available relationships for collection objects.

Relationship

Description

Return type

associations

List of associated threats

collection

attack_techniques

List of attack techniques

attack_technique

domains

List of Domains

domain

files

List of Files

file

ip_addresses

List of IP addresses

ip_address

urls

List of URLs

url

threat_actors

List of related threat actors

collection

malware_families

List of related malware families

collection

software_toolkits

List of related tools

collection

campaigns

List of related campaigns

collection

vulnerabilities

List of related vulnerabilities

collection

reports

List of reports

collection

suspected_threat_actors

List of related suspected threat actors

collection

hunting_rulesets

Google Threat Intelligence Yara rules that identify the given collection

hunting_ruleset

Note on descriptors_only: When True, returns basic descriptors. When False, returns detailed attributes. IMPORTANT: descriptors_only must be False for the 'attack_techniques' relationship.

Args: id (required): Collection identifier. relationship_name (required): Relationship name. limit (optional): Limit the number of collections to retrieve. 10 by default. descriptors_only (optional)): Bool. Default True. Must be False when the target object type is 'attack_techniques'. Returns: List of objects related to the collection.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
idYes
relationship_nameYes
limitNo
descriptors_onlyNo
api_keyNo

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes

Implementation Reference

  • gti_mcp/tools/collections.py:86-138 (handler)
    Main handler function for get_entities_related_to_a_collection tool. Includes @server.tool() registration decorators, function signature with parameters (id, relationship_name, ctx, limit, descriptors_only, api_key), comprehensive docstring documenting available relationships and their types, input validation checking if relationship_name is in COLLECTION_RELATIONSHIPS, and the core logic that calls utils.fetch_object_relationships and returns sanitized results.
    @server.tool()
@server.tool()
async def get_entities_related_to_a_collection(
    id: str, relationship_name: str, ctx: Context, limit: int = 10, descriptors_only: bool = True, api_key: str = None
) -> typing.List[typing.Dict[str, typing.Any]]:
  """Retrieve entities related to the the given collection ID.

    The following table shows a summary of available relationships for collection objects.

    | Relationship         | Description                                       | Return type  |
    | -------------------- | ------------------------------------------------- | ------------ |
    | associations         | List of associated threats                        | collection   |
    | attack_techniques    | List of attack techniques                         | attack_technique |
    | domains              | List of Domains                                   | domain       |
    | files                | List of Files                                     | file         |
    | ip_addresses         | List of IP addresses                              | ip_address   |
    | urls                 | List of URLs                                      | url          |
    | threat_actors        | List of related threat actors                     | collection   |
    | malware_families     | List of related malware families                  | collection   |
    | software_toolkits    | List of related tools                             | collection   |
    | campaigns            | List of related campaigns                         | collection   |
    | vulnerabilities      | List of related vulnerabilities                   | collection   |
    | reports              | List of reports                                   | collection   |
    | suspected_threat_actors | List of related suspected threat actors        | collection   |
    | hunting_rulesets     | Google Threat Intelligence Yara rules that identify the given collection | hunting_ruleset |

    Note on descriptors_only: When True, returns basic descriptors. When False, returns
    detailed attributes.
    IMPORTANT: `descriptors_only` must be `False` for the 'attack_techniques' relationship.
    
    Args:
      id (required): Collection identifier.
      relationship_name (required): Relationship name.
      limit (optional): Limit the number of collections to retrieve. 10 by default.
      descriptors_only (optional)): Bool. Default True. Must be False when the target object type is 'attack_techniques'.
    Returns:
      List of objects related to the collection.
  """
  if not relationship_name in COLLECTION_RELATIONSHIPS:
      return {
          "error": f"Relationship {relationship_name} does not exist. "
          f"Available relationships are: {','.join(COLLECTION_RELATIONSHIPS)}"
      }
  async with vt_client(ctx, api_key=api_key) as client:
    res = await utils.fetch_object_relationships(
        client, 
        "collections", 
        id, 
        [relationship_name],
        descriptors_only=descriptors_only,
        limit=limit)
  return utils.sanitize_response(res.get(relationship_name, []))
  • gti_mcp/tools/collections.py:24-39 (schema)
    Schema constant defining valid relationship names for collection objects. This list is used for input validation in get_entities_related_to_a_collection. Includes relationships like associations, attack_techniques, domains, files, ip_addresses, urls, threat_actors, malware_families, software_toolkits, campaigns, vulnerabilities, reports, suspected_threat_actors, and hunting_rulesets.
    COLLECTION_RELATIONSHIPS = [
    "associations",
    "attack_techniques",
    "domains",
    "files",
    "ip_addresses",
    "urls",
    "threat_actors",
    "malware_families",
    "software_toolkits",
    "campaigns",
    "vulnerabilities",
    "reports",
    "suspected_threat_actors",
    "hunting_rulesets",
]
  • gti_mcp/tools/collections.py:86-87 (registration)
    Registration decorators that register get_entities_related_to_a_collection as an MCP tool. The @server.tool() decorator is applied twice (lines 86-87) to expose this function as a tool in the MCP server.
    @server.tool()
@server.tool()
  • gti_mcp/utils.py:87-116 (helper)
    Helper function fetch_object_relationships that handles the actual API call to retrieve relationships from VirusTotal. It constructs the API endpoint based on whether descriptors_only is True or False, uses asyncio.TaskGroup to fetch relationships concurrently, consumes the VT iterator, removes aggregations from attributes, and returns the data in a structured format.
    async def fetch_object_relationships(
    vt_client: vt.Client,
    resource_collection_type: str,
    resource_id: str,
    relationships: typing.List[str],
    params: dict[str, typing.Any] | None = None,
    descriptors_only: bool = True,
    limit: int = 10):
  """Fetches the given relationships descriptors from the given object."""
  rel_futures = {}
  # If true, returns descriptors instead of full objects.
  descriptors = '/relationship' if descriptors_only else ''
  async with asyncio.TaskGroup() as tg:
    for rel_name in relationships:
      rel_futures[rel_name] = tg.create_task(
          consume_vt_iterator(
              vt_client,
              f"/{resource_collection_type}/{resource_id}"
              f"{descriptors}/{rel_name}", params=params, limit=limit))

  data = {}
  for name, items in rel_futures.items():
    data[name] = []
    for obj in items.result():
      obj_dict = obj.to_dict()
      if 'aggregations' in obj_dict['attributes']:
        del obj_dict['attributes']['aggregations']
      data[name].append(obj_dict)

  return data

Tool Definition Quality

A3.9/5.0
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden. It effectively discloses key behavioral traits: it lists all available relationships with descriptions and return types, explains the 'descriptors_only' parameter's effect and its critical constraint for 'attack_techniques,' and notes default values and limits. This provides clear operational context beyond basic input/output.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness3/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is front-loaded with the core purpose, but includes a lengthy table and detailed notes that, while informative, could be more streamlined. Every sentence earns its place by clarifying parameters or relationships, but the structure is somewhat dense with mixed formatting (table, notes, Args/Returns sections).

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool with 5 parameters, 0% schema coverage, no annotations, but an output schema, the description is largely complete. It covers purpose, parameters, relationships, and behavioral constraints. The output schema handles return values, so the description's focus on input semantics is appropriate. Minor gaps include lack of error handling or pagination details.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Given 0% schema description coverage, the description compensates fully by explaining all parameters: 'id' as collection identifier, 'relationship_name' with a detailed table of options, 'limit' with its default and purpose, and 'descriptors_only' with its boolean nature, default, and critical constraint. This adds essential meaning beyond the bare schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Retrieve entities related to the given collection ID.' It specifies the verb 'retrieve' and resource 'entities related to collection,' but doesn't explicitly differentiate from sibling tools like 'get_entities_related_to_a_domain' or 'get_entities_related_to_a_file,' which follow the same pattern for different resource types.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage by listing available relationships in a table, suggesting when to use this tool for fetching specific entity types. However, it doesn't explicitly state when to choose this tool over alternatives like 'get_collection_report' or 'get_collection_mitre_tree,' nor does it mention prerequisites or exclusions beyond the 'descriptors_only' constraint for 'attack_techniques.'

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/googleSandy/gti-mcp-standalone'

If you have feedback or need assistance with the MCP directory API, please join our Discord server