Google Threat Intelligence MCP server
This is an MCP (Model Context Protocol) server for interacting with Google's Threat Intelligence suite.
Features
Collections (Threats)
- get_collection_report(id): Retrieves a specific collection report by its ID (e.g., report--<hash>, threat-actor--<hash>).
- get_entities_related_to_a_collection(id, relationship_name, limit=10): Gets related entities (domains, files, IPs, URLs, other collections) for a given collection ID.
- search_threats(query, limit=5, order_by="relevance-"): Performs a general search for threats (collections) using GTI query syntax.
- search_campaigns(query, limit=10, order_by="relevance-"): Searches specifically for collections of type campaign.
- search_threat_actors(query, limit=10, order_by="relevance-"): Searches specifically for collections of type threat-actor.
- search_malware_families(query, limit=10, order_by="relevance-"): Searches specifically for collections of type malware-family.
- search_software_toolkits(query, limit=10, order_by="relevance-"): Searches specifically for collections of type software-toolkit.
- search_threat_reports(query, limit=10, order_by="relevance-"): Searches specifically for collections of type report.
- search_vulnerabilities(query, limit=10, order_by="relevance-"): Searches specifically for collections of type vulnerability.
- get_collection_timeline_events(id): Retrieves curated timeline events for a collection.
Files
- get_file_report(hash): Retrieves a comprehensive analysis report for a file based on its MD5, SHA1, or SHA256 hash.
- get_entities_related_to_a_file(hash, relationship_name, limit=10): Gets related entities (domains, IPs, URLs, behaviours, etc.) for a given file hash.
- get_file_behavior_report(file_behaviour_id): Retrieves a specific sandbox behavior report for a file.
- get_file_behavior_summary(hash): Retrieves a summary of all sandbox behavior reports for a file hash.
Intelligence Search
- search_iocs(query, limit=10, order_by="last_submission_date-"): Searches for Indicators of Compromise (files, URLs, domains, IPs) using advanced GTI query syntax.
Network Locations (Domains & IPs)
- get_domain_report(domain): Retrieves a comprehensive analysis report for a domain.
- get_entities_related_to_a_domain(domain, relationship_name, limit=10): Gets related entities for a given domain.
- get_ip_address_report(ip_address): Retrieves a comprehensive analysis report for an IPv4 or IPv6 address.
- get_entities_related_to_an_ip_address(ip_address, relationship_name, limit=10): Gets related entities for a given IP address.
URLs
- get_url_report(url): Retrieves a comprehensive analysis report for a URL.
- get_entities_related_to_an_url(url, relationship_name, limit=10): Gets related entities for a given URL.
Hunting
- get_hunting_ruleset: Get a Hunting Ruleset object from Google Threat Intelligence.
- get_entities_related_to_a_hunting_ruleset: Retrieve entities related to the given Hunting Ruleset.
Threat Profiles
- list_threat_profiles: List your Threat Profiles at Google Threat Intelligence.
- get_threat_profile(profile_id): Get Threat Profile object.
- get_threat_profile_recommendations(profile_id, limit=10): Returns the list of objects associated to the given Threat Profile.
- get_threat_profile_associations_timeline(profile_id): Retrieves the associations timeline for the given Threat Profile.
Configuration
MCP Server Configuration
Add the following configuration to your MCP client's settings file:
NOTE: For OSX users, if you used this one-liner to install uv, use the full path to the uv binary for the "command" value below, as uv will not be placed in the system path for Claude to use! For example: /Users/yourusername/.local/bin/uv instead of just uv.
{
  "mcpServers": {
    "gti": {
      "command": "uv",
      "args": [
        "--env-file=/path/to/your/env",
        "--directory",
        "/path/to/the/repo/server/gti/gti_mcp",
        "run",
        "server.py"
      ],
      "env": {
        "VT_APIKEY": "${VT_APIKEY}"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}
Environment Variable Setup
Set up the VT_APIKEY environment variable in your system:
For macOS/Linux:
export VT_APIKEY="your-vt-api-key"
For Windows PowerShell:
$Env:VT_APIKEY = "your-vt-api-key"
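An added example, not part of the project's code: a small audit of the "gti" settings entry that flags a key stored as a literal instead of a ${VT_APIKEY} reference, a non-empty autoApprove list, and an env file that is missing or readable by other users. The function names, the sample config and the reading of autoApprove as "tools the client runs without asking" are assumptions; the permission check uses POSIX modes.

```python
import json
import os
import re
import stat

# Constructed sample: the page's "gti" entry with three mistakes an audit should catch.
SAMPLE_CONFIG = """
{"mcpServers": {"gti": {
  "command": "uv",
  "args": ["--env-file=/nonexistent/constructed.env", "--directory",
           "/path/to/the/repo/server/gti/gti_mcp", "run", "server.py"],
  "env": {"VT_APIKEY": "constructed-not-a-real-key"},
  "disabled": false,
  "autoApprove": ["get_file_report"]
}}}
"""

# A value of the form ${NAME} defers to the environment instead of storing the secret.
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")

def check_env_file(path):
    """Flag an env file that is missing or readable beyond its owner (POSIX modes)."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError as exc:
        return [f"env file {path}: cannot stat ({exc.strerror})"]
    if mode & 0o077:
        return [f"env file {path}: mode {mode:03o} is open to group/other, use 600"]
    return []

def audit_mcp_config(text, server="gti"):
    """Return findings for one server entry of an MCP client settings file."""
    entry = json.loads(text)["mcpServers"][server]
    findings = []
    for name, value in entry.get("env", {}).items():
        if not ENV_REF.fullmatch(str(value)):
            findings.append(f"env.{name}: literal value stored in the settings file")
    approved = entry.get("autoApprove") or []
    if approved:
        # Assumption: the client runs tools named here without asking the user.
        findings.append("autoApprove: " + ", ".join(approved))
    for arg in entry.get("args", []):
        if arg.startswith("--env-file="):
            findings.extend(check_env_file(arg.split("=", 1)[1]))
    return findings

if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```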
License
Apache 2.0
Development
The project is structured as follows:
- gti_mcp/server.py: Main MCP server implementation.
- gti_mcp/utils.py: Utils to consume VirusTotal API using vt-py library.
- gti_mcp/tools/: Folder containing tools.
File details
Details for the file gti_mcp-0.1.2.tar.gz.
File metadata
- Download URL: gti_mcp-0.1.2.tar.gz
- Upload date:
- Size: 29.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4abfd9d454e0c5f51ba49459694ecf46c47d109e7b8bb29eaeb416c63ff21932 |
| MD5 | 5a1250568d7b217e15d9220bd1f5ada3 |
| BLAKE2b-256 | 2a07e7f32c49ce8247c1e912b15c2f1cfd744119662da75ccfcab2b2d0ee56c0 |
File details
Details for the file gti_mcp-0.1.2-py3-none-any.whl.
File metadata
- Download URL: gti_mcp-0.1.2-py3-none-any.whl
- Upload date:
- Size: 37.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 19dbfeed84c8ea2e4cd8df24a1a6b56553625f913851cb7b11e81a13d67a0ae3 |
| MD5 | 42b1938b84ca2c451c33c7d979d1f17e |
| BLAKE2b-256 | e5044477ea247c59a571d960d84f4bfda0f8e7b3569f4fa97774eefb6693154b |