OpenCTI MCP Server

Overview

OpenCTI MCP Server is a Model Context Protocol (MCP) server that integrates with the OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.

Features

  • Fetch and search threat intelligence data

    • Get latest reports and search by ID

    • Search for malware information

    • Query indicators of compromise

    • Search for threat actors

  • User and group management

    • List all users and groups

    • Get user details by ID

  • STIX object operations

    • List attack patterns

    • Get campaign information by name

  • System management

    • List connectors

    • View status templates

  • File operations

    • List all files

    • Get file details by ID

  • Reference data access

    • List marking definitions

    • View available labels

  • Customizable query limits

  • Full GraphQL query support

Prerequisites

  • Node.js 16 or higher

  • Access to an OpenCTI instance

  • OpenCTI API token

Installation

Installing via Smithery

To install OpenCTI Server for Claude Desktop automatically via Smithery:

npx -y @smithery/cli install opencti-server --client claude

Manual Installation

# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git
# Install dependencies
cd opencti-mcp-server
npm install
# Build the project
npm run build

Configuration

Environment Variables

Copy .env.example to .env and update with your OpenCTI credentials:

cp .env.example .env

Required environment variables:

  • OPENCTI_URL: Your OpenCTI instance URL

  • OPENCTI_TOKEN: Your OpenCTI API token

MCP Settings

Create a configuration file in your MCP settings location. The ${OPENCTI_URL} and ${OPENCTI_TOKEN} values will be loaded from .env:

{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}

Security Notes

  • Never commit the .env file or API tokens to version control

  • Keep your OpenCTI credentials secure

  • The .gitignore file is configured to exclude sensitive files
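
A preflight check for the two required variables, as an added example that is not part of the project's code: it catches empty values, "${...}" placeholders that were never expanded, and a URL that would send the API token over plain HTTP to a non-local host. The function name checkOpenctiEnv and the sample values are assumptions made for illustration.

```javascript
// Added example: preflight check for the two variables the server needs.
// checkOpenctiEnv is a hypothetical helper, not part of opencti-mcp-server.
function checkOpenctiEnv(env) {
  const problems = [];
  for (const key of ["OPENCTI_URL", "OPENCTI_TOKEN"]) {
    const value = (env[key] || "").trim();
    if (!value) {
      problems.push(`${key} is not set`);
    } else if (/\$\{[^}]*\}/.test(value)) {
      // The MCP settings file uses "${OPENCTI_URL}"-style placeholders; if
      // nothing expanded them, the literal text arrives here.
      problems.push(`${key} still contains an unexpanded placeholder`);
    }
  }
  if (problems.length === 0) {
    let url = null;
    try {
      url = new URL(env.OPENCTI_URL.trim());
    } catch {
      problems.push("OPENCTI_URL is not a valid URL");
    }
    if (url) {
      const local = ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
      if (url.protocol !== "https:" && !(url.protocol === "http:" && local)) {
        // The API token is sent to this URL; plain HTTP would expose it.
        problems.push("OPENCTI_URL should use https for non-local hosts");
      }
      if (url.username || url.password) {
        problems.push("OPENCTI_URL must not embed credentials");
      }
    }
  }
  return problems;
}

// Constructed sample values, not real endpoints or tokens.
const sampleEnvs = [
  { OPENCTI_URL: "https://opencti.example.org", OPENCTI_TOKEN: "00000000-aaaa-bbbb-cccc-000000000000" },
  { OPENCTI_URL: "${OPENCTI_URL}", OPENCTI_TOKEN: "" },
  { OPENCTI_URL: "http://opencti.example.org", OPENCTI_TOKEN: "00000000-aaaa-bbbb-cccc-000000000000" },
];
for (const env of sampleEnvs) {
  console.log(env.OPENCTI_URL, "->", checkOpenctiEnv(env));
}
```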

Available Tools

Reports

get_latest_reports

Retrieves the most recent threat intelligence reports.

{
  "name": "get_latest_reports",
  "arguments": {
    "first": 10 // Optional, defaults to 10
  }
}

get_report_by_id

Retrieves a specific report by its ID.

{
  "name": "get_report_by_id",
  "arguments": {
    "id": "report-uuid" // Required
  }
}

Search Operations

search_malware

Searches for malware information in the OpenCTI database.

{
  "name": "search_malware",
  "arguments": {
    "query": "ransomware",
    "first": 10 // Optional, defaults to 10
  }
}

search_indicators

Searches for indicators of compromise.

{
  "name": "search_indicators",
  "arguments": {
    "query": "domain",
    "first": 10 // Optional, defaults to 10
  }
}

search_threat_actors

Searches for threat actor information.

{
  "name": "search_threat_actors",
  "arguments": {
    "query": "APT",
    "first": 10 // Optional, defaults to 10
  }
}

User Management

get_user_by_id

Retrieves user information by ID.

{
  "name": "get_user_by_id",
  "arguments": {
    "id": "user-uuid" // Required
  }
}

list_users

Lists all users in the system.

{
  "name": "list_users",
  "arguments": {}
}

list_groups

Lists all groups with their members.

{
  "name": "list_groups",
  "arguments": {
    "first": 10 // Optional, defaults to 10
  }
}

STIX Objects

list_attack_patterns

Lists all attack patterns in the system.

{
  "name": "list_attack_patterns",
  "arguments": {
    "first": 10 // Optional, defaults to 10
  }
}

get_campaign_by_name

Retrieves campaign information by name.

{
  "name": "get_campaign_by_name",
  "arguments": {
    "name": "campaign-name" // Required
  }
}

System Management

list_connectors

Lists all system connectors.

{
  "name": "list_connectors",
  "arguments": {}
}

list_status_templates

Lists all status templates.

{
  "name": "list_status_templates",
  "arguments": {}
}

File Operations

get_file_by_id

Retrieves file information by ID.

{
  "name": "get_file_by_id",
  "arguments": {
    "id": "file-uuid" // Required
  }
}

list_files

Lists all files in the system.

{
  "name": "list_files",
  "arguments": {}
}

Reference Data

list_marking_definitions

Lists all marking definitions.

{
  "name": "list_marking_definitions",
  "arguments": {}
}

list_labels

Lists all available labels.

{
  "name": "list_labels",
  "arguments": {}
}
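
The tool objects above are the params of an MCP tools/call request. The following added example (not the project's own code) validates a call against the arguments documented in this section before wrapping it in that request, which is useful when the arguments come from a model rather than a person. TOOL_SPECS and buildToolCall are hypothetical names, and treating "query" as required is an assumption, since the page marks only "id" and "name" as required.

```javascript
// Added example, not code from opencti-mcp-server. TOOL_SPECS and
// buildToolCall are hypothetical names; "query" being required is an assumption.
const TOOL_SPECS = {
  get_latest_reports: { first: true },
  get_report_by_id: { required: ["id"] },
  search_malware: { required: ["query"], first: true },
  search_indicators: { required: ["query"], first: true },
  search_threat_actors: { required: ["query"], first: true },
  get_user_by_id: { required: ["id"] },
  list_users: {},
  list_groups: { first: true },
  list_attack_patterns: { first: true },
  get_campaign_by_name: { required: ["name"] },
  list_connectors: {},
  list_status_templates: {},
  get_file_by_id: { required: ["id"] },
  list_files: {},
  list_marking_definitions: {},
  list_labels: {},
};

function buildToolCall(requestId, name, args = {}) {
  // Own-property check so names like "constructor" are not accepted.
  if (!Object.prototype.hasOwnProperty.call(TOOL_SPECS, name)) {
    throw new Error(`unknown tool: ${name}`);
  }
  const spec = TOOL_SPECS[name];
  const required = spec.required || [];
  const allowed = new Set(spec.first ? [...required, "first"] : required);
  for (const key of Object.keys(args)) {
    if (!allowed.has(key)) throw new Error(`${name}: unexpected argument "${key}"`);
  }
  const out = {};
  for (const key of required) {
    if (typeof args[key] !== "string" || args[key].trim() === "") {
      throw new Error(`${name}: "${key}" must be a non-empty string`);
    }
    out[key] = args[key];
  }
  if (spec.first) {
    const first = args.first === undefined ? 10 : args.first; // documented default
    if (!Number.isInteger(first) || first < 1) {
      throw new Error(`${name}: "first" must be a positive integer`);
    }
    out.first = first;
  }
  return { jsonrpc: "2.0", id: requestId, method: "tools/call", params: { name, arguments: out } };
}
console.log(JSON.stringify(buildToolCall(1, "search_malware", { query: "ransomware" })));
```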

Contributing

Contributions are welcome! Please feel free to submit pull requests.

License

MIT License
