Google Threat Intelligence MCP Server

get_entities_related_to_a_domain

Retrieve threat intelligence entities associated with a domain, including malware families, campaigns, vulnerabilities, and DNS records, by specifying a relationship type.

Instructions

Retrieve entities related to the the given domain.

The following table shows a summary of available relationships for domain objects.

Relationship	Description	Return type
associations	Domain's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type.	Everyone.	List of reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors objecs.	collection
caa_records	Records CAA for the domain.	domain
campaigns	Campaigns associated to the domain.	collection
cname_records	Records CNAME for the domain.	domain
collections	IoC Collections associated to the domain.	collection
comments	Community posted comments about the domain.	comment
communicating_files	Files that communicate with the domain.	file
downloaded_files	Files downloaded from that domain.	file
graphs	Graphs including the domain.	graph
historical_ssl_certificates	SSL certificates associated with the domain.	ssl-cert
historical_whois	WHOIS information for the domain.	whois
immediate_parent	Domain's immediate parent.	domain
malware_families	Malware families associated to the domain.	collection
memory_pattern_parents	Files having a domain as string on memory during sandbox execution.	file
mx_records	Records MX for the domain.	domain
ns_records	Records NS for the domain.	domain
parent	Domain's top parent.	domain
referrer_files	Files containing the domain.	file
related_comments	Community posted comments in the domain's related objects.	comment
related_reports	Reports that are directly and indirectly related to the domain.	collection
related_threat_actors	Threat actors related to the domain.	collection
reports	Reports directly associated to the domain.	collection
resolutions	DNS resolutions for the domain.	resolution
siblings	Domain's sibling domains.	domain
soa_records	Records SOA for the domain.	domain
software_toolkits	Software and Toolkits associated to the domain.	collection
subdomains	Domain's subdomains.	domain
urls	URLs having this domain.	url
user_votes	Current user's votes.	vote
votes	Domain's votes.	vote
vulnerabilities	Vulnerabilities associated to the domain.	collection

Args: domain (required): Domain to analyse. relationship_name (required): Relationship name. descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection. limit: Limit the number of entities to retrieve. 10 by default. Returns: List of entities related to the domain.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`domain`	Yes
`relationship_name`	Yes
`descriptors_only`	Yes
`limit`	No
`api_key`	No

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

gti_mcp/tools/netloc.py:111-174 (handler)

Handler function for the 'get_entities_related_to_a_domain' tool. Retrieves entities related to a domain via VirusTotal API relationships. Validates relationship_name against DOMAIN_RELATIONSHIPS, then calls utils.fetch_object_relationships and sanitizes the response.

@server.tool()
async def get_entities_related_to_a_domain(
    domain: str, relationship_name: str, descriptors_only: bool, ctx: Context, limit: int = 10, api_key: str = None
) -> list[dict[str, typing.Any]]:
  """Retrieve entities related to the the given domain.

    The following table shows a summary of available relationships for domain objects.

    | Relationship                | Description                                                | Return type  |
    | --------------------------- | ---------------------------------------------------------- | ------------ |
    | associations                | Domain's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type.                                                             | Everyone. | List of [reports](ref:report-object), [campaigns](ref:campaign-object), [IoC collections](ref:ioc-collection-object), [malware families](ref:malware-family-object), [software toolkits](ref:software-toolkit-object), [vulnerabilities](ref:vulnerability-object), [threat-actors](ref:threat-actor-object) objecs.| collection |
    | caa_records                 | Records CAA for the domain.                                | domain       |
    | campaigns                   | Campaigns associated to the domain.                        | collection   |
    | cname_records               | Records CNAME for the domain.                              | domain       |
    | collections                 | IoC Collections associated to the domain.                  | collection   |
    | comments                    | Community posted comments about the domain.                | comment      |
    | communicating_files         | Files that communicate with the domain.                    | file         |
    | downloaded_files            | Files downloaded from that domain.                         | file         |
    | graphs                      | Graphs including the domain.                               | graph        |
    | historical_ssl_certificates | SSL certificates associated with the domain.               | ssl-cert     |
    | historical_whois            | WHOIS information for the domain.                          | whois        |
    | immediate_parent            | Domain's immediate parent.                                 | domain       |
    | malware_families            | Malware families associated to the domain.                 | collection   |
    | memory_pattern_parents      | Files having a domain as string on memory during sandbox execution. | file |
    | mx_records                  | Records MX for the domain.                                 | domain       |
    | ns_records                  | Records NS for the domain.                                 | domain       |
    | parent                      | Domain's top parent.                                       | domain       |
    | referrer_files              | Files containing the domain.                               | file         |
    | related_comments            | Community posted comments in the domain's related objects. | comment      |
    | related_reports             | Reports that are directly and indirectly related to the domain. | collection |
    | related_threat_actors       | Threat actors related to the domain.                       | collection   |
    | reports                     | Reports directly associated to the domain.                 | collection   |
    | resolutions                 | DNS resolutions for the domain.                            | resolution   |
    | siblings                    | Domain's sibling domains.                                  | domain       |
    | soa_records                 | Records SOA for the domain.                                | domain       |
    | software_toolkits           | Software and Toolkits associated to the domain.            | collection   |
    | subdomains                  | Domain's subdomains.                                       | domain       |
    | urls                        | URLs having this domain.                                   | url          |
    | user_votes                  | Current user's votes.                                      | vote         |
    | votes                       | Domain's votes.                                            | vote         |
    | vulnerabilities             | Vulnerabilities associated to the domain.                  | collection   |

    Args:
      domain (required): Domain to analyse.
      relationship_name (required): Relationship name.
      descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection.
      limit: Limit the number of entities to retrieve. 10 by default.
    Returns:
      List of entities related to the domain.
  """
  if not relationship_name in DOMAIN_RELATIONSHIPS:
    return {
       "error": f"Relationship {relationship_name} does not exist. "
                f"Available relationships are: {','.join(DOMAIN_RELATIONSHIPS)}"
    }

  async with vt_client(ctx) as client:
    res = await utils.fetch_object_relationships(
        client, 
        "domains", domain, 
        relationships=[relationship_name],
        descriptors_only=descriptors_only,
        limit=limit)
  return utils.sanitize_response(res.get(relationship_name, []))

gti_mcp/tools/netloc.py:22-54 (schema)

DOMAIN_RELATIONSHIPS list defining all valid relationship names for domain objects, used for validation in the tool handler.

DOMAIN_RELATIONSHIPS = [
    "associations",
    "caa_records",
    "campaigns",
    "cname_records",
    "collections",
    "comments",
    "communicating_files",
    "downloaded_files",
    "graphs",
    "historical_ssl_certificates",
    "historical_whois",
    "immediate_parent",
    "malware_families",
    "memory_pattern_parents",
    "mx_records",
    "ns_records",
    "parent",
    "referrer_files",
    "related_comments",
    "related_reports",
    "related_threat_actors",
    "reports",
    "resolutions",
    "siblings",
    "soa_records",
    "software_toolkits",
    "subdomains",
    "urls",
    "user_votes",
    "votes",
    "vulnerabilities",
]

gti_mcp/tools/netloc.py:111-174 (registration)

Tool registration via @server.tool() decorator on the get_entities_related_to_a_domain function, making it discoverable by the MCP server.

@server.tool()
async def get_entities_related_to_a_domain(
    domain: str, relationship_name: str, descriptors_only: bool, ctx: Context, limit: int = 10, api_key: str = None
) -> list[dict[str, typing.Any]]:
  """Retrieve entities related to the the given domain.

    The following table shows a summary of available relationships for domain objects.

    | Relationship                | Description                                                | Return type  |
    | --------------------------- | ---------------------------------------------------------- | ------------ |
    | associations                | Domain's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type.                                                             | Everyone. | List of [reports](ref:report-object), [campaigns](ref:campaign-object), [IoC collections](ref:ioc-collection-object), [malware families](ref:malware-family-object), [software toolkits](ref:software-toolkit-object), [vulnerabilities](ref:vulnerability-object), [threat-actors](ref:threat-actor-object) objecs.| collection |
    | caa_records                 | Records CAA for the domain.                                | domain       |
    | campaigns                   | Campaigns associated to the domain.                        | collection   |
    | cname_records               | Records CNAME for the domain.                              | domain       |
    | collections                 | IoC Collections associated to the domain.                  | collection   |
    | comments                    | Community posted comments about the domain.                | comment      |
    | communicating_files         | Files that communicate with the domain.                    | file         |
    | downloaded_files            | Files downloaded from that domain.                         | file         |
    | graphs                      | Graphs including the domain.                               | graph        |
    | historical_ssl_certificates | SSL certificates associated with the domain.               | ssl-cert     |
    | historical_whois            | WHOIS information for the domain.                          | whois        |
    | immediate_parent            | Domain's immediate parent.                                 | domain       |
    | malware_families            | Malware families associated to the domain.                 | collection   |
    | memory_pattern_parents      | Files having a domain as string on memory during sandbox execution. | file |
    | mx_records                  | Records MX for the domain.                                 | domain       |
    | ns_records                  | Records NS for the domain.                                 | domain       |
    | parent                      | Domain's top parent.                                       | domain       |
    | referrer_files              | Files containing the domain.                               | file         |
    | related_comments            | Community posted comments in the domain's related objects. | comment      |
    | related_reports             | Reports that are directly and indirectly related to the domain. | collection |
    | related_threat_actors       | Threat actors related to the domain.                       | collection   |
    | reports                     | Reports directly associated to the domain.                 | collection   |
    | resolutions                 | DNS resolutions for the domain.                            | resolution   |
    | siblings                    | Domain's sibling domains.                                  | domain       |
    | soa_records                 | Records SOA for the domain.                                | domain       |
    | software_toolkits           | Software and Toolkits associated to the domain.            | collection   |
    | subdomains                  | Domain's subdomains.                                       | domain       |
    | urls                        | URLs having this domain.                                   | url          |
    | user_votes                  | Current user's votes.                                      | vote         |
    | votes                       | Domain's votes.                                            | vote         |
    | vulnerabilities             | Vulnerabilities associated to the domain.                  | collection   |

    Args:
      domain (required): Domain to analyse.
      relationship_name (required): Relationship name.
      descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection.
      limit: Limit the number of entities to retrieve. 10 by default.
    Returns:
      List of entities related to the domain.
  """
  if not relationship_name in DOMAIN_RELATIONSHIPS:
    return {
       "error": f"Relationship {relationship_name} does not exist. "
                f"Available relationships are: {','.join(DOMAIN_RELATIONSHIPS)}"
    }

  async with vt_client(ctx) as client:
    res = await utils.fetch_object_relationships(
        client, 
        "domains", domain, 
        relationships=[relationship_name],
        descriptors_only=descriptors_only,
        limit=limit)
  return utils.sanitize_response(res.get(relationship_name, []))

gti_mcp/utils.py:87-116 (helper)

fetch_object_relationships helper function that fetches relationship descriptors/objects from VirusTotal API using async task groups.

async def fetch_object_relationships(
    vt_client: vt.Client,
    resource_collection_type: str,
    resource_id: str,
    relationships: typing.List[str],
    params: dict[str, typing.Any] | None = None,
    descriptors_only: bool = True,
    limit: int = 10):
  """Fetches the given relationships descriptors from the given object."""
  rel_futures = {}
  # If true, returns descriptors instead of full objects.
  descriptors = '/relationship' if descriptors_only else ''
  async with asyncio.TaskGroup() as tg:
    for rel_name in relationships:
      rel_futures[rel_name] = tg.create_task(
          consume_vt_iterator(
              vt_client,
              f"/{resource_collection_type}/{resource_id}"
              f"{descriptors}/{rel_name}", params=params, limit=limit))

  data = {}
  for name, items in rel_futures.items():
    data[name] = []
    for obj in items.result():
      obj_dict = obj.to_dict()
      if 'aggregations' in obj_dict['attributes']:
        del obj_dict['attributes']['aggregations']
      data[name].append(obj_dict)

  return data

gti_mcp/utils.py:20-26 (helper)

consume_vt_iterator helper that consumes a vt.Iterator to paginate through API results.

async def consume_vt_iterator(
    vt_client: vt.Client, endpoint: str, params: dict | None = None, limit: int = 10):
  """Consumes a vt.Iterator iterator and return the list of objects."""
  res = []
  async for obj in vt_client.iterator(endpoint, params=params, limit=limit):
    res.append(obj)
  return res

Tool Definition Quality

A3.9/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The description discloses key behaviors: required parameters (domain, relationship_name, descriptors_only), a constraint (descriptors_only must be True for certain object types), and the default limit. The table explains return types for each relationship. Since no annotations are provided, the description carries the full burden and does so well, though it omits pagination or error behavior.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is front-loaded with a clear one-sentence purpose. The table is well-organized but lengthy; it is justified given the many relationship types. The Args section is cleanly separated. While not extremely concise, the structure serves the tool's complexity well.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the 5 parameters and output schema, the description covers the relationship_name parameter in depth, explains required params and constraints, and mentions default limit. It omits api_key and pagination details, but the output schema exists. Overall, it is mostly complete for a retrieval tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 0% schema description coverage, the description compensates by listing and explaining most parameters in the Args section. The table exhaustively documents valid values for relationship_name and their return types. However, the api_key parameter is missing from the Args section, leaving it undocumented.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description starts with 'Retrieve entities related to the given domain,' clearly stating the verb and resource. The extensive table further specifies what entities (e.g., reports, files, subdomains) are retrieved, making the purpose explicit and differentiating it from sibling tools by object type.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No explicit guidance on when to use this tool versus the many sibling tools (e.g., get_entities_related_to_a_collection). The description does not mention prerequisites, when-not-to-use, or alternatives. The table lists relationships but does not help the agent choose among them.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/googleSandy/gti-mcp-standalone'

If you have feedback or need assistance with the MCP directory API, please join our Discord server