Google Threat Intelligence MCP Server

Instructions

Implementation Reference

• gti_mcp/tools/collections.py:313-333 (handler)

  The main handler function search_software_toolkits decorated with @server.tool() for registration. It accepts query, ctx, limit, order_by, and api_key parameters, and delegates to _search_threats_by_collection_type with collection_type hardcoded as 'software-toolkit'

  @server.tool()
  async def search_software_toolkits(
      query: str, ctx: Context, limit: int = 10, order_by: str = "relevance-", api_key: str = None
  ) -> typing.List[typing.Dict[str, typing.Any]]:
    """Search software toolkits (or just tools) in the Google Threat Intelligence platform.
  
    Software toolkits are modeled as collections. Once you get collections from this tool, you can use `get_collection_report` to fetch the full reports and their relationships.
  
    You can use order_by to sort the results by: "relevance", "creation_date". You can use the sign "+" to make it order ascending, or "-" to make it descending. By default is "relevance-"
  
    Args:
      query (required): Search query to find threats.
      limit: Limit the number of threats to retrieve. 10 by default.
      order_by: Order results by the given order key. "relevance-" by default.
  
    Returns:
      List of collections, aka threats.
    """
    res = await _search_threats_by_collection_type(
        query, "software-toolkit", ctx, limit, order_by, api_key=api_key)
    return res

• gti_mcp/tools/collections.py:140-175 (helper)

  Helper function _search_threats_by_collection_type that handles the core logic for searching threats by collection type. It validates the collection_type, makes API calls via vt_client, and returns sanitized results using utils.sanitize_response

  async def _search_threats_by_collection_type(
      query: str,
      collection_type: str,
      ctx: Context,
      limit: int = 10,
      order_by: str = "relevance-",
      api_key: str = None,
  ) -> typing.List[typing.Dict[str, typing.Any]]:
    """Search a given threat type in the Google Threat Intelligence platform,
  
    Args:
      query (required): Search query to find threats. If you want any threat, just pass an empty string.
      collection_type (required): Collection type. One of: "threat-actor", "malware-family", "campaign", "report", "vulnerability", "collection".
      limit: Limit the number of threats to retrieve. 10 by default.
      order_by: Order results by the given order key. "relevance-" by default.
  
    Returns:
      List of collections, aka threats.
    """
    if collection_type not in COLLECTION_TYPES:
        raise ValueError(
            f"wrong collection_type. Available collection_type are: {','.join(COLLECTION_TYPES)} ")
  
    async with vt_client(ctx, api_key=api_key) as client:
      res = await utils.consume_vt_iterator(
          client,
          "/collections",
          params={
              "filter": f"collection_type:{collection_type} {query}",
              "order": order_by,
              "relationships": COLLECTION_KEY_RELATIONSHIPS,
              "exclude_attributes": COLLECTION_EXCLUDED_ATTRS,
          },
          limit=limit,
      )
    return utils.sanitize_response([o.to_dict() for o in res])

• gti_mcp/tools/collections.py:46-54 (schema)

  Collection type schema definition (COLLECTION_TYPES set) that defines valid collection types including 'software-toolkit' which is used by search_software_toolkits

  COLLECTION_TYPES = {
      "threat-actor",
      "malware-family",
      "campaign",
      "report",
      "software-toolkit",
      "vulnerability",
      "collection",
  }

• gti_mcp/tools/collections.py:313-313 (registration)

  Tool registration via @server.tool() decorator on the search_software_toolkits function

  @server.tool()