Google Threat Intelligence MCP Server

get_hunting_ruleset

Retrieve a hunting ruleset from Google Threat Intelligence to access YARA rules for threat detection and analysis.

Instructions

Get a Hunting Ruleset object from Google Threat Intelligence.

A Hunting Ruleset object describes a user's hunting ruleset. It may contain multiple Yara rules.

The content of the Yara rules is in the rules attribute.

Some important object attributes:

creation_date: creation date as UTC timestamp.
modification_date (int): last modification date as UTC timestamp.
name (str): ruleset name.
rule_names (list[str]): contains the names of all rules in the ruleset.
number_of_rules (int): number of rules in the ruleset.
rules (str): rule file contents.
tags (list[str]): ruleset's custom tags.

Args: ruleset_id (required): Hunting ruleset identifier.

Returns: Hunting Ruleset object.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`ruleset_id`	Yes
`api_key`	No

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

gti_mcp/tools/intelligence.py:72-103 (handler)

The main handler function get_hunting_ruleset decorated with @server.tool(). It takes a ruleset_id parameter, Context, and optional api_key, uses utils.fetch_object to retrieve the hunting ruleset from the VirusTotal API endpoint '/intelligence/hunting_rulesets/{ruleset_id}', and returns the sanitized response.

@server.tool()
async def get_hunting_ruleset(ruleset_id: str, ctx: Context, api_key: str = None) -> typing.Dict[str, typing.Any]:
  """Get a Hunting Ruleset object from Google Threat Intelligence.

  A Hunting Ruleset object describes a user's hunting ruleset. It may contain multiple
  Yara rules. 

  The content of the Yara rules is in the `rules` attribute.

  Some important object attributes:
    - creation_date: creation date as UTC timestamp.
    - modification_date (int): last modification date as UTC timestamp.
    - name (str): ruleset name.
    - rule_names (list[str]): contains the names of all rules in the ruleset.
    - number_of_rules (int): number of rules in the ruleset.
    - rules (str): rule file contents.
    - tags (list[str]): ruleset's custom tags.
    
  Args:
    ruleset_id (required): Hunting ruleset identifier.

  Returns:
    Hunting Ruleset object.
  """
  async with vt_client(ctx, api_key=api_key) as client:
    res = await utils.fetch_object(
        client,
        "intelligence/hunting_rulesets",
        "hunting_ruleset",
        ruleset_id,
    )
  return utils.sanitize_response(res)

gti_mcp/utils.py:29-84 (helper)

The fetch_object helper function used by get_hunting_ruleset to fetch objects from the Google Threat Intelligence API. It handles API errors, builds the request with optional attributes and relationships, and returns the object as a dictionary.

async def fetch_object(
    vt_client: vt.Client,
    resource_collection_type: str,
    resource_type: str,
    resource_id: str,
    attributes: list[str] | None = None,
    relationships: list[str] | None = None,
    params: dict[str, typing.Any] | None = None):
  """Fetches objects from Google Threat Intelligence API."""
  logging.info(
      f"Fetching comprehensive {resource_collection_type} "
      f"report for id: {resource_id}")
  
  params = {k: v for k, v in params.items()} if params else {}

  # Retrieve a selection of object attributes and/or relationships.
  if attributes:
    params["attributes"] = ",".join(attributes)
  if relationships:
    params["relationships"] = ",".join(relationships)

  try:
    obj = await vt_client.get_object_async(
        f"/{resource_collection_type}/{resource_id}", params=params)

    if obj.error:
      logging.error(
          f"Error fetching main {resource_type} report for {resource_id}: {obj.error}"
      )
      return {
          "error": f"Failed to get main {resource_type} report: {obj.error}",
          # "details": report.get("details"),
      }
  except vt.error.APIError as e:
    logging.warning(
        f"VirusTotal API Error fetching {resource_type} {resource_id}: {e.code} - {e.message}"
    )
    return {
        "error": f"VirusTotal API Error: {e.code} - {e.message}",
        "details": f"The requested {resource_type} '{resource_id}' could not be found or there was an issue with the API request."
    }
  except Exception as e:
    logging.exception(
        f"Unexpected error fetching {resource_type} {resource_id}: {e}"
    )
    return {"error": "An unexpected internal error occurred."}

  # Build response.
  obj_dict = obj.to_dict()
  obj_dict['id'] = obj.id
  if 'aggregations' in obj_dict['attributes']:
    del obj_dict['attributes']['aggregations']

  logging.info(
      f"Successfully generated concise threat summary for id: {resource_id}")
  return obj_dict

gti_mcp/utils.py:119-138 (helper)

The sanitize_response helper function used by get_hunting_ruleset to recursively remove empty dictionaries and lists from the API response.

def sanitize_response(data: typing.Any) -> typing.Any:
  """Removes empty dictionaries and lists recursively from a response."""
  if isinstance(data, dict):
    sanitized_dict = {}
    for key, value in data.items():
      sanitized_value = sanitize_response(value)
      if sanitized_value is not None:
        sanitized_dict[key] = sanitized_value
    return sanitized_dict
  elif isinstance(data, list):
    sanitized_list = []
    for item in data:
      sanitized_item = sanitize_response(item)
      if sanitized_item is not None:
        sanitized_list.append(sanitized_item)
    return sanitized_list
  elif isinstance(data, str):
    return data if data else None
  else:
    return data

gti_mcp/server.py:67-73 (registration)
Creates the FastMCP server instance and imports all tools (including get_hunting_ruleset) via 'from gti_mcp.tools import *', which registers all @server.tool() decorated functions.
```
server = FastMCP(
    "Google Threat Intelligence MCP server",
    dependencies=["vt-py"],
    stateless_http=stateless)

# Load tools.
from gti_mcp.tools import *
```
gti_mcp/tools/__init__.py:14-19 (registration)
The tools module init file that imports from all tool modules including 'from .intelligence import *', exposing the get_hunting_ruleset function for registration when the tools package is imported.
```
from .collections import *
from .files import *
from .intelligence import *
from .netloc import *
from .threat_profiles import *
from .urls import *
```

Tool Definition Quality

C2.9/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It describes the returned object structure but lacks critical behavioral details: authentication requirements (api_key parameter is undocumented), rate limits, error conditions, or whether this is a read-only operation. The description adds some context about object attributes but misses key operational aspects.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with clear sections: purpose statement, object explanation, attribute details, and parameter/return documentation. It's appropriately sized but could be more front-loaded; the detailed attribute list might be better placed after the core purpose. Most sentences earn their place by adding useful information.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has an output schema (which handles return values) but no annotations and poor schema coverage, the description is moderately complete. It explains the purpose and return object structure adequately but lacks behavioral context and full parameter documentation. For a retrieval tool with authentication parameters, more guidance on usage and behavior would be beneficial.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must compensate. It documents the required ruleset_id parameter in the Args section, explaining it's a 'Hunting ruleset identifier.' However, it completely ignores the api_key parameter mentioned in the schema, leaving its purpose and usage unexplained. The description adds some value but doesn't fully compensate for the schema coverage gap.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool retrieves a Hunting Ruleset object from Google Threat Intelligence, specifying it contains Yara rules. It distinguishes from siblings by focusing on rulesets rather than collections, files, or other entities. However, it doesn't explicitly differentiate from similar 'get' tools like get_collection_rules.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No explicit guidance on when to use this tool versus alternatives is provided. While the description implies it's for retrieving specific rulesets, it doesn't mention prerequisites, when not to use it, or compare it to sibling tools like get_collection_rules or get_entities_related_to_a_hunting_ruleset.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/googleSandy/gti-mcp-standalone'

If you have feedback or need assistance with the MCP directory API, please join our Discord server