
Google Threat Intelligence MCP Server

by googleSandy

get_entities_related_to_a_file

Retrieve related entities for a file hash by specifying a relationship type, such as dropped files, contacted domains, or associated malware families.

Instructions

Retrieve entities related to the given file hash.

The following table shows a summary of available relationships for file objects.

| Relationship | Description | Return type |
| --- | --- | --- |
| analyses | Analyses for the file | analysis |
| associations | File's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type. | collection |
| behaviours | Behaviour reports for the file. | file-behaviour |
| attack_techniques | Returns the Attack Techniques of the File. | attack_technique |
| bundled_files | Files bundled within the file. | file |
| campaigns | Campaigns associated to the file. | collection |
| carbonblack_children | Files derived from the file according to Carbon Black. | file |
| carbonblack_parents | Files from where the file was derived according to Carbon Black. | file |
| collections | IoC Collections associated to the file. | collection |
| comments | Comments for the file. | comment |
| compressed_parents | Compressed files that contain the file. | file |
| contacted_domains | Domains contacted by the file. | domain |
| contacted_ips | IP addresses contacted by the file. | ip_address |
| contacted_urls | URLs contacted by the file. | url |
| dropped_files | Files dropped by the file during its execution. | file |
| email_attachments | Files attached to the email. | file |
| email_parents | Email files that contained the file. | file |
| embedded_domains | Domain names embedded in the file. | domain |
| embedded_ips | IP addresses embedded in the file. | ip_address |
| embedded_urls | URLs embedded in the file. | url |
| execution_parents | Files that executed the file. | file |
| graphs | Graphs that include the file. | graph |
| itw_domains | In the wild domain names from where the file has been downloaded. | domain |
| itw_ips | In the wild IP addresses from where the file has been downloaded. | ip_address |
| itw_urls | In the wild URLs from where the file has been downloaded. | url |
| malware_families | Malware families associated to the file. | collection |
| memory_pattern_domains | Domain string patterns found in memory during sandbox execution. | domain |
| memory_pattern_ips | IP address string patterns found in memory during sandbox execution. | ip_address |
| memory_pattern_urls | URL string patterns found in memory during sandbox execution. | url |
| overlay_children | Files contained by the file as an overlay. | file |
| overlay_parents | Files that contain the file as an overlay. | file |
| pcap_children | Files contained within the PCAP file. | file |
| pcap_parents | PCAP files that contain the file. | file |
| pe_resource_children | Files contained by a PE file as a resource. | file |
| pe_resource_parents | PE files containing the file as a resource. | file |
| related_attack_techniques | Returns the Attack Techniques of the Collections containing this File. | attack_technique |
| related_reports | Reports that are directly and indirectly related to the file. | collection |
| related_threat_actors | File's related threat actors. | collection |
| reports | Reports directly associated to the file. | collection |
| screenshots | Screenshots related to the sandbox execution of the file. | screenshot |
| similar_files | Files that are similar to the file. | file |
| software_toolkits | Software and Toolkits associated to the file. | collection |
| submissions | Submissions for the file. | submission |
| urls_for_embedded_js | URLs where this (JS) file is embedded. | url |
| user_votes | File's votes made by current signed-in user. | vote |
| votes | Votes for the file. | vote |
| vulnerabilities | Vulnerabilities associated to the file. | collection |

Args:
  hash (required): MD5/SHA1/SHA256 hash that identifies the file.
  relationship_name (required): Relationship name.
  descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection.
  limit: Limit the number of files to retrieve. 10 by default.

Returns:
  List of objects related to the given file.

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| hash | Yes | | |
| relationship_name | Yes | | |
| descriptors_only | Yes | | |
| limit | No | | |
| api_key | No | | |

Output Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| result | Yes | | |

Behavior: 4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full burden. It discloses return type ('list of objects'), required parameters, the condition that descriptors_only must be True for certain types, and default limit. However, it lacks details on performance, error handling, or auth requirements.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is front-loaded with a clear purpose, followed by a necessary but lengthy table. While dense, every section adds value, and the structure is logical. A slight reduction in verbosity is possible, but the length is not excessive.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (many relationship types, required params), the description is fairly complete. It covers all relationships, parameters, and usage notes. However, it lacks information on pagination, error cases, or rate limits. An output schema exists, reducing the need for return value details.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 0% schema description coverage, the description fully compensates by explaining hash as file hash, providing a detailed table of valid relationship_name values, clarifying descriptors_only requirement, and noting the default limit of 10. The api_key parameter is not documented but likely self-explanatory.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states 'Retrieve entities related to the given file hash' and provides a comprehensive table of relationships, making the purpose specific and distinct from sibling tools like get_entities_related_to_a_domain.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage for retrieving related entities based on a file hash, but lacks explicit guidance on when to use this tool versus alternatives like get_file_report, and does not discuss exclusions or prerequisites beyond required parameters.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/googleSandy/gti-mcp-standalone'

If you have feedback or need assistance with the MCP directory API, please join our Discord server