Skip to main content
Glama
imouiche

MITRE ATT&CK MCP Server

by imouiche

get_groups_using_software

Retrieve all APT groups that use a specific software by providing its STIX ID. Supports reverse lookup across ATT&CK domains with optional descriptions.

Instructions

Get all APT groups (intrusion sets) that use a specific software/malware.

This is a reverse lookup: Software → Groups.
It follows 'uses' relationships from a software STIX ID (tool/malware)
to intrusion sets.

Args:
    software_stix_id: STIX ID of the software object
                      (e.g., "malware--UUID", "tool--UUID").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include group descriptions.

Returns:
    {
      "software": {
          "attack_id": "SXXXX or similar" | null,
          "name": "<software name or null>",
          "stix_id": "<software STIX ID>",
          "type": "<tool|malware|...> or null",
          "description": "<text or null>",
      } | null,

      "count": <number of groups>,

      "groups": [
        {
          "attack_id": "GXXXX" | null,
          "name": "<group name>",
          "aliases": [...],
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "uses",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of groups>",
      "message": "<status summary>"
    }

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
domainNoenterprise
software_stix_idYes
include_descriptionNo

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full responsibility. It details the return format and relationships covered ('uses'), but does not mention behavioral traits such as read-only nature, permission requirements, or side effects. The detailed output schema partly mitigates this, but explicit safety or behavioral notes are missing.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with clear sections (Args, Returns). While the inclusion of the entire output schema is helpful, it makes the description somewhat lengthy. The first paragraph is concise and front-loaded with the core purpose.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given that an output schema is provided within the description, the tool is fairly complete: it covers input parameters, return structure, and the relationship direction. However, it omits discussion of prerequisites, error handling, or edge cases (e.g., no groups found), which would enhance completeness.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has only titles and defaults, with no parameter descriptions. The description's 'Args' section adds crucial meaning: it explains that software_stix_id expects a UUID with a specific prefix, domain lists valid options, and include_description clarifies its boolean purpose. This fully compensates for the schema's lack of descriptions.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states 'Get all APT groups (intrusion sets) that use a specific software/malware' and identifies it as a 'reverse lookup: Software → Groups'. The verb is specific, the resource is well-defined, and the direction distinguishes it from siblings like get_groups_using_technique or get_software_used_by_group.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explains the reverse lookup direction, which implicitly guides when to use this tool (when you have a software and want groups). However, it does not explicitly state when not to use it or compare to alternatives like get_software_used_by_group, which serves the opposite direction.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/imouiche/complete-mitre-attack-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server