Skip to main content
Glama
jmaciasc-google

Google Threat Intelligence MCP Server

get_threat_profile

Retrieve a comprehensive threat profile by its identifier, including interests, aliases, targeted industries, and regions to support security investigations.

Instructions

Get Threat Profile object.

A threat profile object contains the following attributes:

  • enable_recommendations (bool): whether or not Recommendations automatically generated by our ML are enabled.

  • interests (dict): Threat Profile's configured interests such as industries, target regions, source regions, malware roles and actor motivations to recommend the most relevant threats.

    • INTEREST_TYPE_TARGETED_INDUSTRY (list[str]): List of targeted industries.

    • INTEREST_TYPE_TARGETED_REGION (list[str]): list of targeted regions (ISO-3166 country code).

    • INTEREST_TYPE_SOURCE_REGION (list[str]): list of source regions (ISO-3166 country code).

    • INTEREST_TYPE_MALWARE_ROLE (list[str]): list of malware roles.

    • INTEREST_TYPE_ACTOR_MOTIVATION: (list[str]): list of threat actors motivations.

  • last_modification_date: Threat Profile's last modification date (UTC timestamp).

  • name (str): Threat Profile's name.

  • creation_date (int): Threat Profile's creation date (UTC timestamp).

  • aliases (list[str]): alternative names by which the threat actor is known.

  • description (str): description / context about the threat actor.

  • first_seen_date (int): estimated threat actor's first seen date of activity (UTC timestamp).

  • last_seen_date (int): estimated threat actor's last seen date of activity (UTC timestamp).

  • last_modification_date (int): last time when the threat actor was updated (UTC timestamp).

  • related_entities_count (int): estimated number of related IOCs to the threat actor.

  • source_region (str): threat actor's source region.

  • sponsor_region (str): region sponsoring the threat actor.

  • targeted_industries (list[str]): list of industries the threat actor has targeted.

  • targeted_regions (list[str]): list of regions the threat actor has targeted.

Args: profile_id (str): Threat Profile identifier at Google Threat Intelligence.

Returns: Threat Profile object.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
profile_idYes

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations are absent, so the description carries the full burden. It does not disclose whether the operation is read-only, any authentication needs, rate limits, or side effects. While 'Get' implies idempotency, the description lacks explicit behavioral context beyond listing attributes.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness3/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is structured with sections (Args, Returns) and bullet points, but it is lengthy and includes many attribute details that could be moved to the output schema. It front-loads the purpose, but the attribute list adds verbosity without earning its place given the existence of an output schema.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a simple get operation with one parameter, the description covers the return object comprehensively. However, it omits error conditions, access requirements, or pagination. Given that an output schema exists, the description adds value by explaining the attributes, making it fairly complete.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 0% schema description coverage, the description fully compensates by providing a clear explanation of 'profile_id': 'Threat Profile identifier at Google Threat Intelligence'. This adds meaningful context beyond the schema's bare title.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states 'Get Threat Profile object' and lists its attributes. It specifies the required parameter (profile_id), differentiating it from siblings like 'list_threat_profiles' which lists all profiles. The purpose is specific and unambiguous.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No explicit guidance on when to use this tool versus alternatives such as 'list_threat_profiles', 'get_threat_profile_associations_timeline', or 'get_threat_profile_recommendations'. The context does not indicate any prerequisites or exclusions.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jmaciasc-google/gti-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server