
# Threat Intelligence MCP Server
> **Defense-contractor-grade threat intelligence with STIX/TAXII 2.1, MITRE ATT&CK mapping, TLP enforcement, tamper-evident provenance chains, and NIST SP 800-53 compliance.**
Part of the [Agentic System](https://github.com/marc-shade/agentic-system-oss) - a 24/7 autonomous AI framework with persistent memory.
**Version**: 0.3.0
## Features
### Core Threat Intelligence
- **Multi-source threat feeds**: Feodo Tracker, URLhaus, CISA KEV, ThreatFox, Emerging Threats, Spamhaus DROP, Blocklist.de, CINSscore
- **IP/Hash reputation checking**: VirusTotal, AbuseIPDB, Shodan integration
- **Bulk IP checking**: Check up to 100 IPs in a single request
- **Network scanning integration**: Check scanned devices against threat lists
- **Thread-safe caching**: Intelligent caching with TTL and size limits
- **Dashboard API**: Aggregated data for visualization (Flask-based)
### Defense & Intelligence Standards (v0.3.0)
- **STIX/TAXII 2.1 Protocol**: Full OASIS-compliant STIX 2.1 object creation (indicators, malware, attack-patterns, threat-actors, relationships, sightings) and TAXII 2.1 client for publishing/consuming
- **MITRE ATT&CK Framework**: Context-aware IOC-to-technique mapping across the Enterprise matrix with ATT&CK Navigator layer export (v4.5 format)
- **Traffic Light Protocol (TLP 2.0)**: Classification and enforcement of TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT, TLP:RED with sharing rule validation
- **Chain of Custody / Provenance**: Tamper-evident SHA-256 hash chain tracking for IOC lifecycle, suitable for federal evidence handling (NIST SP 800-86)
- **Defense Feed Integration**: CISA alerts/advisories, ICS-CERT, NSA advisory parsing framework, DISA IAVA format support
- **NIST SP 800-53 Rev. 5 Mapping**: Control alignment (RA-5, SI-5, PM-16, IR-6, SA-11, CA-7, and 15+ more) with compliance evidence reports
- **NIST CSF 2.0 Coverage**: Mapping to all six functions (Govern, Identify, Protect, Detect, Respond, Recover)
- **ICD 203 Confidence Scoring**: Intelligence Community Analytic Standards with NATO/IC source reliability codes (A-F) and information credibility ratings (1-6)
- **DoD Impact Level Classification**: IL2-IL6 mapping per CNSSI 1253 and DoD CC SRG
## Installation
```bash
cd ${AGENTIC_SYSTEM_PATH:-/opt/agentic}/mcp-servers/threat-intel-mcp
pip install -e .
# For dashboard support:
pip install -e ".[dashboard]"
# For development:
pip install -e ".[dev]"
```
## Configuration
Add to `~/.claude.json`:
```json
{
  "mcpServers": {
    "threat-intel": {
      "command": "${AGENTIC_SYSTEM_PATH:-/opt/agentic}/.venv/bin/python3",
      "args": ["-m", "threat_intel_mcp.server"]
    }
  }
}
```
## API Keys (Optional)
Set environment variables for enhanced capabilities:
| Variable | Service | Purpose |
|----------|---------|---------|
| `VIRUSTOTAL_API_KEY` | VirusTotal | Hash and IP lookups |
| `ABUSEIPDB_API_KEY` | AbuseIPDB | IP reputation and abuse reports |
| `SHODAN_API_KEY` | Shodan | IP intelligence and port scanning |
| `OTX_API_KEY` | AlienVault OTX | Threat pulse feeds |
## MCP Tools
### Core Tools
| Tool | Description |
|------|-------------|
| `get_threat_feeds` | List all available threat intelligence feeds with status |
| `fetch_threat_feed` | Fetch IOCs from a specific feed by name |
| `check_ip_reputation` | Check IP against multiple threat sources (VT, AbuseIPDB, Shodan) |
| `check_hash_reputation` | Check file hash (MD5/SHA1/SHA256) reputation |
| `check_bulk_ips` | Check up to 100 IPs in a single request |
| `get_cisa_kev` | Get CISA Known Exploited Vulnerabilities catalog |
| `get_dashboard_summary` | Aggregated threat data for dashboards |
| `get_recent_iocs` | Recent IOCs from ThreatFox (filterable by type) |
| `check_network_against_threats` | Check network scan results for threats |
| `get_threat_stats` | Get cache statistics and API key status |
| `clear_threat_cache` | Clear the threat intelligence cache |
### Defense Compliance Tools (v0.3.0)
| Tool | Description |
|------|-------------|
| `threat_stix_export` | Export indicators as STIX 2.1 bundle with TLP marking |
| `threat_attack_map` | Map IOCs to MITRE ATT&CK techniques with context-aware matching |
| `threat_attack_navigator` | Generate ATT&CK Navigator layer (v4.5 JSON format) |
| `threat_provenance` | Record, verify, query, or export IOC provenance chain |
| `threat_compliance_report` | NIST SP 800-53 Rev. 5 compliance posture assessment |
| `threat_tlp_classify` | Classify and enforce TLP 2.0 sharing rules |
| `threat_taxii_fetch` | Fetch intelligence from TAXII 2.1 servers with auth support |
| `threat_defense_feeds` | Aggregate defense feeds with ICD 203 confidence scoring |
## Defense & Intelligence Standards
### STIX/TAXII 2.1 Protocol Support
Full implementation of the OASIS Structured Threat Information Expression (STIX) 2.1 specification for standardized threat intelligence exchange.
**STIX Object Types:**
- `indicator` - IOC patterns using STIX Patterning Language
- `malware` - Malware family/instance descriptions
- `attack-pattern` - MITRE ATT&CK technique mappings
- `threat-actor` - Adversary profiles
- `relationship` - Links between objects (indicates, uses, attributed-to)
- `sighting` - Confirmed observations of indicators
- `bundle` - Container for multiple STIX objects
**TAXII 2.1 Client:**
- Server discovery and API root enumeration
- Collection listing and management
- Object retrieval with filtering (type, date, ID)
- Object publication to TAXII servers
- HTTP Basic and Bearer token authentication
```python
# Export all recent IOCs as STIX 2.1 bundle
result = await threat_stix_export(tlp_level="TLP:AMBER", limit=100)
# Export specific feed
result = await threat_stix_export(feed_name="feodo_tracker", tlp_level="TLP:GREEN")
```
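The bundle shape the `threat_stix_export` tool produces is easiest to see in a small stand-alone build. The following is an added example, not the server's `stix_taxii.py`: it assembles a STIX 2.1 bundle from constructed C2 endpoints using only the standard library, attaches a TLP marking to every indicator, and checks that no indicator carries a marking reference the bundle cannot resolve (a consumer cannot enforce a TLP it cannot look up). The sample IOCs use RFC 5737 documentation addresses, and the marking-definition id is a uuid5 placeholder derived from the level name; the TLP 2.0 marking extension publishes fixed ids that real exports should use instead.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample IOCs (RFC 5737 documentation addresses, not real threats)
SAMPLE_IOCS = [
    {"value": "192.0.2.102", "port": 4444, "source": "feodo_tracker"},
    {"value": "198.51.100.7", "port": 443, "source": "feodo_tracker"},
]


def stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamps are UTC, millisecond precision, with a 'Z' suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def tlp_marking(tlp_level: str) -> dict:
    """Build a TLP marking-definition using the definition_type 'tlp' form.

    Assumption: the id is derived from the level name with uuid5 so repeated
    exports reuse one id. This is a placeholder; the TLP 2.0 marking
    extension assigns fixed ids per level that production code should use.
    """
    name = tlp_level.upper()
    if not name.startswith("TLP:"):
        raise ValueError(f"not a TLP level: {tlp_level}")
    return {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": "marking-definition--" + str(uuid.uuid5(uuid.NAMESPACE_URL, name)),
        "created": "2022-10-01T00:00:00.000Z",
        "name": name,
        "definition_type": "tlp",
        "definition": {"tlp": name[4:].lower()},
    }


def make_indicator(ioc: dict, marking_id: str, observed: datetime) -> dict:
    """One indicator per C2 endpoint, expressed in STIX Patterning."""
    pattern = (
        f"[ipv4-addr:value = '{ioc['value']}' AND "
        f"network-traffic:dst_port = {ioc['port']}]"
    )
    ts = stix_timestamp(observed)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts,
        "modified": ts,
        "name": f"C2 endpoint {ioc['value']}:{ioc['port']} ({ioc['source']})",
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": ts,
        "object_marking_refs": [marking_id],
    }


def build_bundle(iocs, tlp_level="TLP:AMBER", observed=None) -> dict:
    """Marking definition first, then one indicator per IOC, in one bundle."""
    observed = observed or datetime.now(timezone.utc)
    marking = tlp_marking(tlp_level)
    objects = [marking] + [make_indicator(i, marking["id"], observed) for i in iocs]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


def dangling_marking_refs(bundle: dict) -> list:
    """Ids of objects whose object_marking_refs point outside the bundle.

    An export with dangling refs should be rejected before sharing, because
    the receiving side has no way to enforce the intended TLP.
    """
    present = {o["id"] for o in bundle["objects"]}
    return [
        o["id"]
        for o in bundle["objects"]
        if any(ref not in present for ref in o.get("object_marking_refs", []))
    ]


if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_IOCS, "TLP:AMBER"), indent=2))
```

The pattern combines an `ipv4-addr` comparison with the observed destination port in a single observation expression, which is tighter than an address-only match and reduces false positives on shared hosting.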
### MITRE ATT&CK Framework Integration
Context-aware mapping of IOCs to MITRE ATT&CK Enterprise techniques with 50+ techniques across all 14 tactics.
**Coverage:**
| Tactic | Example Techniques |
|--------|-------------------|
| Initial Access | T1566 Phishing, T1190 Exploit Public-Facing App, T1078 Valid Accounts |
| Execution | T1059 Command Scripting, T1053 Scheduled Task, T1047 WMI |
| Persistence | T1547 Boot Autostart, T1136 Create Account, T1543 System Process |
| Privilege Escalation | T1055 Process Injection, T1068 Exploitation |
| Defense Evasion | T1070 Indicator Removal, T1027 Obfuscated Files, T1036 Masquerading |
| Credential Access | T1003 Credential Dumping, T1110 Brute Force |
| Lateral Movement | T1021 Remote Services, T1570 Lateral Tool Transfer |
| C2 | T1071 App Layer Protocol, T1572 Protocol Tunneling, T1573 Encrypted Channel |
| Exfiltration | T1041 Over C2, T1048 Alternative Protocol, T1567 Web Service |
| Impact | T1486 Data Encrypted (Ransomware), T1489 Service Stop, T1498 Network DoS |
**ATT&CK Navigator Export:**
Generates Navigator-compatible JSON layers (v4.5) with heatmap scoring based on indicator volume.
```python
# Map a single IOC with context
result = await threat_attack_map(
    ioc_type="ip:port",
    ioc_value="192.0.2.102:4444",
    context="Cobalt Strike beacon C2"
)
# Generate Navigator layer from all recent IOCs
layer = await threat_attack_navigator(layer_name="Current Threat Coverage")
```
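To show what "heatmap scoring based on indicator volume" means concretely, here is an added example (not the server's `mitre_attack.py`) that turns a list of IOC-to-technique mappings into a Navigator layer in the 4.5 layer format. Each technique's score is the number of indicators mapped to it, the gradient is scaled to the busiest technique, and technique ids are validated before they reach the layer. The mapping results, the `attack_version` value and the gradient colours are constructed assumptions.

```python
import json
import re
from collections import Counter

# Constructed mapping results: (ATT&CK technique id, analyst context) per IOC
SAMPLE_MAPPINGS = [
    ("T1071.001", "Cobalt Strike beacon C2"),
    ("T1071.001", "Cobalt Strike beacon C2"),
    ("T1573.002", "TLS-wrapped beacon"),
    ("T1566.001", "phishing attachment hash"),
]

# Technique ids look like T1071 or T1071.001; anything else is a mapping bug.
_TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


def build_navigator_layer(mappings, layer_name="Current Threat Coverage",
                          attack_version="14"):
    """Aggregate per-technique indicator counts into a Navigator layer.

    The score of each technique is its IOC count and the gradient runs from 0
    to the highest count, so Navigator renders the layer as a heatmap.
    attack_version (the ATT&CK release mapped against) is an assumption.
    """
    for tid, _ in mappings:
        if not _TECHNIQUE_RE.match(tid):
            raise ValueError(f"malformed technique id: {tid}")
    counts = Counter(tid for tid, _ in mappings)
    contexts = {}
    for tid, ctx in mappings:
        contexts.setdefault(tid, set()).add(ctx)
    max_score = max(counts.values(), default=0)
    techniques = [
        {
            "techniqueID": tid,
            "score": n,
            "comment": "; ".join(sorted(contexts[tid])),
            "enabled": True,
            "showSubtechniques": True,
        }
        for tid, n in sorted(counts.items())
    ]
    return {
        "name": layer_name,
        "versions": {"attack": attack_version, "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"{len(mappings)} indicators mapped to {len(counts)} techniques",
        "techniques": techniques,
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(max_score, 1),  # keep a valid range for an empty layer
        },
        "sorting": 0,
    }


if __name__ == "__main__":
    print(json.dumps(build_navigator_layer(SAMPLE_MAPPINGS), indent=2))
```

Keeping the analyst context in the `comment` field means the Navigator tooltip shows why a technique lit up, which is what an incident responder reading the heatmap wants first.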
### Traffic Light Protocol (TLP 2.0) Enforcement
Implements FIRST TLP 2.0 standard with programmatic sharing rule enforcement.
| Level | Sharing Scope | Enforcement |
|-------|--------------|-------------|
| `TLP:CLEAR` | Public | No restrictions |
| `TLP:GREEN` | Community | Not via public channels |
| `TLP:AMBER` | Organization + clients | Need-to-know basis |
| `TLP:AMBER+STRICT` | Organization only | No client sharing |
| `TLP:RED` | Named recipients only | No further distribution |
```python
# Check if sharing is permitted
result = await threat_tlp_classify(
    tlp_level="TLP:RED",
    target_scope="community"
)
# Returns: sharing_permitted = False, violation_warning = "..."
```
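The sharing table above is a small decision rule, and encoding it explicitly is what makes enforcement programmatic rather than a judgement call at export time. The following is an added example, not the server's own implementation: it normalizes level names (including the retired TLP 1.0 `TLP:WHITE`, which TLP 2.0 replaced with `TLP:CLEAR`), answers the same question as `threat_tlp_classify`, and picks the most restrictive marking when objects with different TLP levels are merged into one bundle. The scope names are constructed for this example.

```python
# Audience scopes ordered from widest to narrowest (constructed names).
SCOPES = ("public", "community", "clients", "organization", "named_recipients")

# Audiences each TLP 2.0 level may reach, following the table above:
# AMBER covers the organization and its clients; AMBER+STRICT drops clients.
TLP_ALLOWED_SCOPES = {
    "TLP:CLEAR": set(SCOPES),
    "TLP:GREEN": set(SCOPES[1:]),
    "TLP:AMBER": set(SCOPES[2:]),
    "TLP:AMBER+STRICT": set(SCOPES[3:]),
    "TLP:RED": {"named_recipients"},
}

# Restrictiveness order, used when merging objects that carry different markings.
TLP_ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]


def normalize_tlp(level: str) -> str:
    """Canonical 'TLP:LEVEL' form; rejects anything outside TLP 2.0."""
    name = level.strip().upper().replace(" ", "")
    if not name.startswith("TLP:"):
        name = "TLP:" + name
    if name == "TLP:WHITE":  # TLP 1.0 name, retired by TLP 2.0
        name = "TLP:CLEAR"
    if name not in TLP_ALLOWED_SCOPES:
        raise ValueError(f"unknown TLP level: {level}")
    return name


def classify_sharing(tlp_level: str, target_scope: str) -> dict:
    """Decide whether content at tlp_level may go to target_scope."""
    level = normalize_tlp(tlp_level)
    scope = target_scope.strip().lower()
    if scope not in SCOPES:
        raise ValueError(f"unknown target scope: {target_scope}")
    allowed = TLP_ALLOWED_SCOPES[level]
    permitted = scope in allowed
    widest = min(allowed, key=SCOPES.index)
    warning = None
    if not permitted:
        warning = (f"{level} content must not be shared with scope '{scope}'; "
                   f"the widest permitted audience is '{widest}'")
    return {
        "tlp_level": level,
        "target_scope": scope,
        "sharing_permitted": permitted,
        "violation_warning": warning,
    }


def most_restrictive(levels) -> str:
    """A bundle that mixes markings inherits the strictest one, never the loosest."""
    return max((normalize_tlp(lvl) for lvl in levels), key=TLP_ORDER.index)


if __name__ == "__main__":
    print(classify_sharing("TLP:RED", "community"))
    print(most_restrictive(["TLP:GREEN", "TLP:AMBER+STRICT", "TLP:CLEAR"]))
```

Failing closed on an unknown level or scope matters: a typo such as `TLP:AMBR` must raise rather than silently fall through to "no restrictions".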
### Chain of Custody / Provenance Tracking
Tamper-evident SHA-256 hash chain for IOC lifecycle tracking. Each record links to the previous via cryptographic hash, ensuring any modification is detectable.
**Tracked Actions:** ingestion, enrichment, analysis, correlation, classification, sharing, TLP assignment/change, validation, deduplication, expiration, retraction, export, sighting, false positive, confidence update, ATT&CK mapping
**Standards Compliance:**
- NIST SP 800-86: Guide to Integrating Forensic Techniques
- Federal Rules of Evidence, Rule 901 (Authentication)
```python
# Record IOC ingestion
await threat_provenance(
    action="record",
    ioc_id="ioc-001",
    actor="feodo_tracker",
    details='{"provenance_action": "ingestion", "source": "feodo_tracker", "confidence": 85}',
    ioc_type="ip",
    ioc_value="192.0.2.102"
)
# Verify chain integrity
result = await threat_provenance(action="verify", ioc_id="ioc-001")
# Export legal/audit report
report = await threat_provenance(action="report", ioc_id="ioc-001")
```
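What "each record links to the previous via cryptographic hash" buys you is clearest when you tamper with a chain and watch verification fail. The following is an added example, not the server's `provenance.py`: a minimal append-only SHA-256 hash chain for one IOC, with a verifier that reports the first record whose content, sequence number or linkage no longer holds. Records are hashed over canonical JSON so key order and whitespace cannot change the digest, and the timestamp is passed in rather than read from the clock so the chain is reproducible. The sample records and timestamps are constructed.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # prev_hash of the first record in every chain


def _canonical(record: dict) -> bytes:
    """Canonical JSON so the digest does not depend on key order or spacing."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _record_hash(record: dict) -> str:
    """SHA-256 over every field except the stored hash itself."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


class ProvenanceChain:
    """Append-only SHA-256 hash chain for the lifecycle of one IOC."""

    def __init__(self, ioc_id: str):
        self.ioc_id = ioc_id
        self.records = []

    def record(self, action: str, actor: str, details: dict, timestamp: str) -> str:
        """Append one lifecycle event; returns the new head hash."""
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        entry = {
            "seq": len(self.records),
            "ioc_id": self.ioc_id,
            "action": action,
            "actor": actor,
            "details": details,
            "timestamp": timestamp,  # ISO 8601, supplied by the caller
            "prev_hash": prev,
        }
        entry["hash"] = _record_hash(entry)
        self.records.append(entry)
        return entry["hash"]

    def verify(self) -> dict:
        """Walk the chain; stop at the first record that fails content or linkage."""
        prev = GENESIS_HASH
        for idx, entry in enumerate(self.records):
            intact = (
                entry["seq"] == idx
                and entry["ioc_id"] == self.ioc_id
                and entry["prev_hash"] == prev
                and entry["hash"] == _record_hash(entry)
            )
            if not intact:
                return {"valid": False, "length": len(self.records), "first_bad_seq": idx}
            prev = entry["hash"]
        return {"valid": True, "length": len(self.records),
                "first_bad_seq": None, "head_hash": prev}


def demo_chain() -> ProvenanceChain:
    """Constructed lifecycle: ingestion, enrichment, TLP assignment."""
    chain = ProvenanceChain("ioc-001")
    chain.record("ingestion", "feodo_tracker",
                 {"source": "feodo_tracker", "confidence": 85}, "2024-05-01T10:00:00Z")
    chain.record("enrichment", "abuseipdb",
                 {"abuse_confidence": 100}, "2024-05-01T10:05:00Z")
    chain.record("tlp_assignment", "analyst-1",
                 {"tlp": "TLP:AMBER"}, "2024-05-01T10:06:00Z")
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    print(chain.verify())
    chain.records[1]["details"]["abuse_confidence"] = 10  # simulated tampering
    print(chain.verify())
```

A hash chain detects edits, deletions and reordering by anyone who cannot rewrite every later record, but someone with full write access to the store can recompute the whole chain. For evidence handling, periodically anchor the head hash outside the store (a signed log, a ticket, a write-once location) so that a rebuilt chain can be told apart from the original.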
### ICD 203 Confidence Scoring
Intelligence Community Directive 203 (Analytic Standards) aligned confidence scoring using NATO/IC source reliability (A-F) and information credibility (1-6) codes.
| Source Type | Reliability Grade | Examples |
|-------------|------------------|----------|
| Government (CISA, NSA, DISA) | A - Completely Reliable | cisa_kev, nsa_advisories |
| Commercial Threat Intel | B - Usually Reliable | virustotal, abuseipdb, feodo_tracker |
| Community Feeds | C - Fairly Reliable | blocklist_de, cinsscore |
**Confidence Factors:** Source reliability, corroboration count, intelligence age, contextual information availability, targeted vs. commodity intelligence.
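The Admiralty code (reliability letter plus credibility digit) is only the starting point; the confidence factors listed above adjust it. The following is an added example, not the server's own scoring logic, showing one way to combine them into an ICD 203 confidence band (high, moderate, low). The numeric weights, the corroboration bonus, the 90-day half-life for age decay and the band thresholds are all assumptions chosen for illustration; the source-to-grade table follows the one above.

```python
# Numeric weights are assumptions for this example. ICD 203 and the NATO
# Admiralty system define the codes (A-F, 1-6), not these numbers.
RELIABILITY = {"A": 1.0, "B": 0.85, "C": 0.7, "D": 0.5, "E": 0.3, "F": 0.5}
CREDIBILITY = {1: 1.0, 2: 0.85, 3: 0.7, 4: 0.5, 5: 0.3, 6: 0.5}

# 'F' and '6' both mean "cannot be judged", so they are weighted neutral-low
# rather than as the worst grade.
RELIABILITY_LABELS = {
    "A": "completely reliable", "B": "usually reliable", "C": "fairly reliable",
    "D": "not usually reliable", "E": "unreliable", "F": "cannot be judged",
}

# Source-to-grade assignment following the table above.
SOURCE_RELIABILITY = {
    "cisa_kev": "A", "nsa_advisories": "A",
    "virustotal": "B", "abuseipdb": "B", "feodo_tracker": "B",
    "blocklist_de": "C", "cinsscore": "C",
}

HALF_LIFE_DAYS = 90          # assumption: confidence halves every 90 days
CORROBORATION_BONUS = 0.05   # per independent corroborating source, capped at 3
CONTEXT_BONUS = 0.05
TARGETED_BONUS = 0.05


def score_confidence(source: str, credibility: int, corroborations: int = 0,
                     age_days: float = 0, has_context: bool = False,
                     targeted: bool = False) -> dict:
    """Combine Admiralty code and confidence factors into an ICD 203 band.

    `source` may be a feed name from SOURCE_RELIABILITY or a bare grade A-F.
    """
    grade = SOURCE_RELIABILITY.get(source, source.upper())
    if grade not in RELIABILITY:
        raise ValueError(f"unknown source or reliability grade: {source}")
    if credibility not in CREDIBILITY:
        raise ValueError(f"credibility must be 1-6, got {credibility}")

    score = RELIABILITY[grade] * CREDIBILITY[credibility]
    score += CORROBORATION_BONUS * min(max(corroborations, 0), 3)
    score *= 0.5 ** (max(age_days, 0) / HALF_LIFE_DAYS)  # stale intel decays
    if has_context:
        score += CONTEXT_BONUS
    if targeted:
        score += TARGETED_BONUS
    score = max(0.0, min(1.0, score))

    if score >= 0.7:
        band = "high"
    elif score >= 0.4:
        band = "moderate"
    else:
        band = "low"
    return {
        "admiralty_code": f"{grade}{credibility}",
        "reliability": RELIABILITY_LABELS[grade],
        "score": round(score, 2),
        "confidence": band,
    }


if __name__ == "__main__":
    print(score_confidence("cisa_kev", 1, corroborations=2, has_context=True))
    print(score_confidence("cinsscore", 3, age_days=180))
```

Age decay is applied before the context and targeting bonuses so that a six-month-old commodity indicator cannot be lifted into "high" by metadata alone; whether that ordering is right for a given program is a policy decision, which is why the constants sit at the top where they can be reviewed.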
### NIST SP 800-53 Rev. 5 Control Mapping
Maps threat intelligence capabilities to 25+ NIST security controls across 8 control families:
| Family | Key Controls | Relevance |
|--------|-------------|-----------|
| Risk Assessment (RA) | RA-3, RA-5, RA-5(2), RA-5(5) | Vulnerability monitoring, risk assessment |
| System Integrity (SI) | SI-2, SI-4, SI-4(4), SI-5, SI-5(1) | Monitoring, alerts, flaw remediation |
| Incident Response (IR) | IR-4, IR-5, IR-6, IR-6(1) | Incident handling, reporting |
| Program Management (PM) | PM-15, PM-16, PM-16(1) | Threat awareness program |
| Assessment (CA) | CA-2, CA-7 | Continuous monitoring |
| Supply Chain (SR) | SR-6 | Supply chain risk |
| Acquisition (SA) | SA-11 | Security testing |
```python
# Generate compliance posture report
result = await threat_compliance_report(baseline="MODERATE", include_details=True)
```
### Defense Feed Integration
| Feed Source | Type | Frequency |
|------------|------|-----------|
| CISA Known Exploited Vulnerabilities (KEV) | JSON API | On-demand |
| CISA Cybersecurity Alerts | RSS | On-demand |
| CISA Cybersecurity Advisories | RSS | On-demand |
| ICS-CERT Advisories | RSS | On-demand |
| NSA Cybersecurity Advisories | Parsing framework | Manual |
| DISA IAVA/IAVB/IAVT | Format parser | Manual |
## Threat Feeds
### Free (No API Key Required)
| Feed | Type | Description |
|------|------|-------------|
| `feodo_tracker` | IP List | Botnet C&C IPs (Dridex, Emotet, TrickBot) |
| `urlhaus_recent` | URL List | Recent malware distribution URLs |
| `sslbl_ip` | IP List | SSL Blacklist malicious IPs |
| `emerging_threats_compromised` | IP List | Compromised host IPs |
| `tor_exit_nodes` | IP List | Known Tor exit node IPs |
| `cisa_kev` | JSON | Known Exploited Vulnerabilities catalog |
| `threatfox_recent` | JSON | Recent malware IOCs |
| `blocklist_de_all` | IP List | All attackers from blocklist.de |
| `cinsscore_badguys` | IP List | CINSscore malicious IPs |
| `spamhaus_drop` | CIDR List | Spamhaus Don't Route Or Peer |
### API-Enhanced
| Feed | API Key | Enhanced Data |
|------|---------|---------------|
| VirusTotal | `VIRUSTOTAL_API_KEY` | Detection ratios, vendor verdicts |
| AbuseIPDB | `ABUSEIPDB_API_KEY` | Abuse confidence score, report counts |
| Shodan | `SHODAN_API_KEY` | Open ports, services, vulnerabilities |
| AlienVault OTX | `OTX_API_KEY` | Threat pulses, related IOCs |
## Usage Examples
### Check IP Reputation
```python
# Returns threat level: clean/low/medium/high/critical
result = await check_ip_reputation("192.0.2.102")
```
### Bulk IP Check
```python
# Comma-separated
result = await check_bulk_ips("8.8.8.8, 1.1.1.1, 192.0.2.102")
# JSON array
result = await check_bulk_ips('["8.8.8.8", "1.1.1.1"]')
```
### Export STIX 2.1 Bundle
```python
# Export recent IOCs with TLP marking
bundle = await threat_stix_export(tlp_level="TLP:AMBER", limit=50)
# Export specific feed as STIX
bundle = await threat_stix_export(feed_name="feodo_tracker", tlp_level="TLP:GREEN")
```
### Map IOCs to MITRE ATT&CK
```python
# Map with context for better accuracy
result = await threat_attack_map(
    ioc_type="sha256",
    ioc_value="e3b0c44298fc...",
    context="Emotet trojan loader"
)
# Generate Navigator layer
layer = await threat_attack_navigator(limit=200)
```
### Track IOC Provenance
```python
# Record ingestion
await threat_provenance(
    action="record", ioc_id="ioc-001",
    actor="feodo_tracker",
    details='{"provenance_action": "ingestion", "source": "feodo_tracker"}',
    ioc_type="ip", ioc_value="192.0.2.102"
)
# Verify integrity
result = await threat_provenance(action="verify", ioc_id="ioc-001")
```
### NIST Compliance Report
```python
# Full compliance posture assessment
report = await threat_compliance_report(baseline="HIGH", include_details=True)
```
## Running the Dashboard
```bash
# Start the Flask dashboard server
threat-intel-dashboard
# Or directly:
python -m threat_intel_mcp.dashboard
```
The dashboard exposes REST API endpoints for visualization tools.
## Development
### Running Tests
```bash
# Install dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# With coverage
pytest tests/ --cov=threat_intel_mcp --cov-report=html
```
### Project Structure
```
threat-intel-mcp/
├── src/threat_intel_mcp/
│   ├── __init__.py          # Package exports
│   ├── config.py            # Configuration, validation, caching
│   ├── server.py            # FastMCP server and tools (19 tools)
│   ├── dashboard.py         # Flask dashboard API
│   ├── data_fetcher.py      # Background data fetcher service
│   └── compliance/
│       ├── __init__.py      # Compliance module exports
│       ├── stix_taxii.py    # STIX 2.1 objects + TAXII 2.1 client
│       ├── mitre_attack.py  # ATT&CK mapping + Navigator layers
│       ├── provenance.py    # SHA-256 hash chain provenance
│       ├── defense_feeds.py # CISA/NSA/DISA feed integration
│       └── nist_mapping.py  # NIST 800-53 + CSF mapping
├── tests/
│   ├── conftest.py          # Pytest fixtures
│   └── test_*.py            # Test modules
└── pyproject.toml           # Package configuration
```
## Changelog
### v0.3.0
- **Defense & Intelligence Standards**:
  - STIX/TAXII 2.1 protocol support (OASIS specification)
  - MITRE ATT&CK Enterprise mapping (50+ techniques, all 14 tactics)
  - ATT&CK Navigator layer export (v4.5 format)
  - Traffic Light Protocol 2.0 classification and enforcement
  - Tamper-evident IOC provenance chain (SHA-256 hash chain)
  - Defense feed integration (CISA alerts/advisories, ICS-CERT, DISA IAVA)
  - NIST SP 800-53 Rev. 5 control mapping (25+ controls, 8 families)
  - NIST CSF 2.0 function coverage mapping
  - ICD 203 confidence scoring with NATO/IC reliability codes
  - DoD Impact Level classification (IL2-IL6)
- **New MCP Tools** (8 tools, 19 total):
  - `threat_stix_export` - Export indicators as STIX 2.1 bundle
  - `threat_attack_map` - Map IOCs to ATT&CK techniques
  - `threat_attack_navigator` - Generate Navigator layers
  - `threat_provenance` - Chain-of-custody tracking
  - `threat_compliance_report` - NIST compliance posture
  - `threat_tlp_classify` - TLP classification and enforcement
  - `threat_taxii_fetch` - Fetch from TAXII 2.1 servers
  - `threat_defense_feeds` - Aggregate defense feeds with ICD 203 scoring
- **Code Quality**:
  - Comprehensive test suite (121 tests, all passing)
  - Removed duplicate code in data_fetcher.py (uses shared config)
  - Fixed broken imports in dashboard.py
  - Cleaned up unused imports across all modules
### v0.2.0
- **New Features**:
  - Bulk IP checking (up to 100 IPs)
  - Shodan integration for IP intelligence
  - Cache statistics and management tools
  - 3 additional threat feeds (blocklist.de, CINSscore, Spamhaus DROP)
- **Improvements**:
  - Shared configuration module eliminates code duplication
  - Thread-safe caching with TTL and size limits
  - Proper input validation for all IOC types
  - Type hints throughout codebase
- **Bug Fixes**:
  - Fixed all bare except clauses with proper exception handling
  - Removed unused imports and dependencies
  - Fixed variable scope issues
- **Developer Experience**:
  - Comprehensive test suite (67 tests)
  - pytest-asyncio for async testing
  - Optional dependency groups (dashboard, dev)
### v0.1.0
- Initial release with basic threat feed aggregation
---
## Part of the MCP Ecosystem
This server integrates with other MCP servers for comprehensive AGI capabilities:
| Server | Purpose |
|--------|---------|
| [enhanced-memory-mcp](https://github.com/marc-shade/enhanced-memory-mcp) | 4-tier persistent memory with semantic search |
| [agent-runtime-mcp](https://github.com/marc-shade/agent-runtime-mcp) | Persistent task queues and goal decomposition |
| [agi-mcp](https://github.com/marc-shade/agi-mcp) | Full AGI orchestration with 21 tools |
| [cluster-execution-mcp](https://github.com/marc-shade/cluster-execution-mcp) | Distributed task routing across nodes |
| [node-chat-mcp](https://github.com/marc-shade/node-chat-mcp) | Inter-node AI communication |
| [ember-mcp](https://github.com/marc-shade/ember-mcp) | Production-only policy enforcement |
See [agentic-system-oss](https://github.com/marc-shade/agentic-system-oss) for the complete framework.