Glama

mitre-mcp

by lidless-labs

Server Configuration

Environment variables read by the server. None of them is required: the ATT&CK data variables have defaults, and each SOC integration (MISP, Wazuh, Cortex, TheHive) is used only when its variables are set. The *_VERIFY_SSL flags default to true; leave them on, and prefer https URLs for the integrations that carry an API key or password, since the Cortex and TheHive examples below use plain http.

Name                   Required  Default             Description
MITRE_DATA_DIR         No        ~/.mitre-mcp/data   Local cache directory for STIX bundles
MITRE_MATRICES         No        enterprise          Comma-separated matrices: enterprise, mobile, ics
MITRE_UPDATE_INTERVAL  No        86400               Auto-update check interval in seconds
MISP_URL               No                            MISP URL (e.g., https://misp.example.internal)
MISP_API_KEY           No                            MISP API key
MISP_VERIFY_SSL        No        true                Verify SSL certs for MISP
WAZUH_URL              No                            Wazuh API URL (e.g., https://wazuh.example.internal:55000)
WAZUH_USERNAME         No                            Wazuh API username
WAZUH_PASSWORD         No                            Wazuh API password
WAZUH_VERIFY_SSL       No        true                Verify SSL certs for Wazuh
CORTEX_URL             No                            Cortex URL (e.g., http://cortex.example.internal:9001)
CORTEX_API_KEY         No                            Cortex API key
THEHIVE_URL            No                            TheHive URL (e.g., http://thehive.example.internal:9000)
THEHIVE_API_KEY        No                            TheHive API key
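A pre-flight check for this configuration, as an added example that is not part of the mitre-mcp project: it reads the variables from the table above and flags what a SOC engineer wants caught before the server makes its first connection (an integration URL set without its credentials, TLS verification switched off, an API key or password about to travel over plain http, an unknown matrix name, a non-numeric update interval). The variable names and defaults are the table's; the checks themselves, the INTEGRATIONS mapping and the sample environment are this example's own.

```python
"""Sanity-check a mitre-mcp environment before launching the server.

Added example, not code from the mitre-mcp project. Variable names and
defaults come from the Server Configuration table; every check is this
example's own assumption about what counts as a misconfiguration.
"""
from __future__ import annotations

import os
from urllib.parse import urlparse

VALID_MATRICES = {"enterprise", "mobile", "ics"}

# integration -> (URL variable, credential variables, verify-SSL variable or None)
INTEGRATIONS = {
    "MISP": ("MISP_URL", ("MISP_API_KEY",), "MISP_VERIFY_SSL"),
    "Wazuh": ("WAZUH_URL", ("WAZUH_USERNAME", "WAZUH_PASSWORD"), "WAZUH_VERIFY_SSL"),
    "Cortex": ("CORTEX_URL", ("CORTEX_API_KEY",), None),
    "TheHive": ("THEHIVE_URL", ("THEHIVE_API_KEY",), None),
}


def _flag(value: str | None, default: bool) -> bool:
    """Parse a boolean env var; unset or empty falls back to the table default."""
    if value is None or not value.strip():
        return default
    return value.strip().lower() in {"1", "true", "yes", "on"}


def validate_config(env: dict[str, str]) -> dict:
    """Return errors (refuse to start), warnings (starts, but insecure) and the parsed settings."""
    errors: list[str] = []
    warnings: list[str] = []
    enabled: list[str] = []

    for name, (url_var, cred_vars, verify_var) in INTEGRATIONS.items():
        url = env.get(url_var, "").strip()
        if not url:
            continue  # integration not configured; the server still serves ATT&CK data
        enabled.append(name)
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            errors.append(f"{url_var} is not an absolute http(s) URL: {url!r}")
            continue
        missing = [v for v in cred_vars if not env.get(v, "").strip()]
        if missing:
            errors.append(f"{url_var} is set but {', '.join(missing)} is empty")
        if parsed.scheme == "http":
            warnings.append(f"{name}: credentials will travel in clear text to {url}")
        if verify_var and not _flag(env.get(verify_var), default=True):
            warnings.append(f"{verify_var}=false disables certificate verification for {name}")

    matrices = [m.strip().lower() for m in env.get("MITRE_MATRICES", "enterprise").split(",") if m.strip()]
    unknown = sorted(set(matrices) - VALID_MATRICES)
    if unknown:
        errors.append(f"MITRE_MATRICES has unknown matrices: {', '.join(unknown)}")

    raw = env.get("MITRE_UPDATE_INTERVAL", "86400").strip()
    try:
        interval = int(raw)
        if interval <= 0:
            raise ValueError(raw)
    except ValueError:
        errors.append(f"MITRE_UPDATE_INTERVAL must be a positive integer of seconds, got {raw!r}")
        interval = 86400

    return {
        "errors": errors,
        "warnings": warnings,
        "enabled": enabled,
        "matrices": matrices,
        "update_interval": interval,
        "data_dir": env.get("MITRE_DATA_DIR", "~/.mitre-mcp/data"),
    }


# Constructed sample: MISP correct; Wazuh missing its password with TLS checks off;
# Cortex sending its API key over plain http; one unknown matrix name.
SAMPLE_ENV = {
    "MISP_URL": "https://misp.example.internal",
    "MISP_API_KEY": "REDACTED",
    "WAZUH_URL": "https://wazuh.example.internal:55000",
    "WAZUH_USERNAME": "wazuh-ro",
    "WAZUH_VERIFY_SSL": "false",
    "CORTEX_URL": "http://cortex.example.internal:9001",
    "CORTEX_API_KEY": "REDACTED",
    "MITRE_MATRICES": "enterprise, ics, cloud",
    "MITRE_UPDATE_INTERVAL": "3600",
}

if __name__ == "__main__":
    # Check the real environment when an integration URL is set there, else the sample.
    use_real = any(spec[0] in os.environ for spec in INTEGRATIONS.values())
    report = validate_config(dict(os.environ) if use_real else SAMPLE_ENV)
    for line in report["errors"]:
        print("ERROR  ", line)
    for line in report["warnings"]:
        print("WARNING", line)
    print("enabled integrations:", ", ".join(report["enabled"]) or "none")
```

Run it once with the real variables exported and refuse to start the server on any error; the warnings are the cases where the server would run but the integration traffic is exposed.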

Capabilities

Features and capabilities supported by this server. listChanged: true means the server can send list-changed notifications, so a client should re-fetch the tool, prompt, or resource list when it receives one (for example after an ATT&CK data update).

Capability   Details
tools        {"listChanged": true}
prompts      {"listChanged": true}
resources    {"listChanged": true}

Tools

Functions exposed to the LLM to take actions. Note which of them reach the network: mitre_update_data re-downloads the STIX bundles, and mitre_soc_status and mitre_cross_correlate contact the configured Wazuh, TheHive, Cortex and MISP instances; the other tools are lookups and analyses over the ATT&CK data.

Name and description

mitre_get_technique
  Get full details of a specific ATT&CK technique by its ID (e.g., T1059, T1059.001)

mitre_search_techniques
  Search ATT&CK techniques by keyword, tactic, platform, or data source

mitre_list_tactics
  List all ATT&CK tactics in kill-chain order

mitre_get_tactic
  Get details and all techniques under a specific tactic

mitre_get_group
  Get details on a known threat group/APT including techniques and software used

mitre_search_groups
  Search threat groups by keyword or by technique usage

mitre_list_groups
  List all known threat groups with names, aliases, and brief descriptions

mitre_get_software
  Get details on a known software, malware, or tool including techniques and associated groups

mitre_search_software
  Search software/malware by name, keyword, technique, or type

mitre_get_mitigation
  Get details on a mitigation and all techniques it addresses

mitre_mitigations_for_technique
  Get all mitigations applicable to a specific technique

mitre_search_mitigations
  Search mitigations by keyword

mitre_get_datasource
  Get details on a data source and its components with detectable techniques

mitre_detection_coverage
  Analyze detection coverage based on available data sources in your environment

mitre_map_alert_to_technique
  Map a security alert or observable to likely ATT&CK techniques with confidence scoring

mitre_technique_overlap
  Find technique overlap between threat groups for attribution assistance

mitre_attack_path
  Generate possible attack paths through the kill chain starting from a technique

mitre_campaign_profile
  Build a technique profile from observed techniques for campaign analysis and attribution

mitre_get_campaign
  Get details on a known ATT&CK campaign including techniques, software, and attributed groups

mitre_list_campaigns
  List all known ATT&CK campaigns with names, dates, and brief descriptions

mitre_search_campaigns
  Search campaigns by keyword or by technique usage

mitre_navigator_layer
  Generate an ATT&CK Navigator layer JSON for visualization. Supports coverage heatmaps, group technique overlays, campaign views, and custom technique highlighting.

mitre_update_data
  Force an update of the local ATT&CK data cache by re-downloading STIX bundles

mitre_data_version
  Get current ATT&CK data version, freshness, and object counts

mitre_soc_status
  Get connection status for all configured SOC integrations (Wazuh, TheHive, Cortex, MISP)

mitre_cross_correlate
  Cross-correlate ATT&CK techniques across Wazuh alerts, TheHive cases, and MISP events to find related activity
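What mitre_cross_correlate and mitre_navigator_layer do, shown end to end as an added example that is not the server's own implementation: technique IDs are pulled from constructed Wazuh alerts, TheHive cases and MISP events, merged by technique, and the overlap is written out as a Navigator layer scored by how many sources reported each technique. The assumptions are stated so they can be checked against your own data: Wazuh alerts carry IDs in rule.mitre.id (a standard Wazuh alert field); MISP events carry them in galaxy tags of the form misp-galaxy:mitre-attack-pattern="<name> - T####" (MISP's own tag format); TheHive case tags are free text, so the example only scans them for T-IDs. The layer follows MITRE's published Navigator layer format; the version strings are placeholders to match to your deployment. All records are constructed for the example.

```python
"""Cross-correlate ATT&CK techniques across Wazuh, TheHive and MISP records and
emit an ATT&CK Navigator layer of the overlap.

Added example, not the mitre-mcp server's implementation. Assumed input shapes:
Wazuh rule.mitre.id, MISP galaxy tags, free-text TheHive tags. The Navigator
version strings are placeholders. All sample records are constructed.
"""
import json
import re
from collections import defaultdict

TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# ---- constructed sample records ------------------------------------------
WAZUH_ALERTS = [
    {"rule": {"id": "92052", "mitre": {"id": ["T1059.001"], "tactic": ["Execution"]}}, "agent": {"name": "ws-042"}},
    {"rule": {"id": "60106", "mitre": {"id": ["T1110"], "tactic": ["Credential Access"]}}, "agent": {"name": "dc-01"}},
    {"rule": {"id": "5710", "mitre": {"id": ["T1021.004"]}}, "agent": {"name": "jump-01"}},
]
THEHIVE_CASES = [
    {"caseId": 41, "title": "Suspicious PowerShell on ws-042", "tags": ["attack:T1059.001", "powershell"]},
    {"caseId": 42, "title": "SSH brute force against jump-01", "tags": ["T1110", "T1021.004", "lateral"]},
]
MISP_EVENTS = [
    {"id": "1337", "info": "Phishing wave, week 12", "Tag": [
        {"name": 'misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001"'},
        {"name": 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"'},
        {"name": "tlp:amber"},
    ]},
]


def techniques_from_wazuh(alerts):
    """technique ID -> set of 'wazuh:rule<id>@<agent>' references."""
    hits = defaultdict(set)
    for alert in alerts:
        rule = alert.get("rule", {})
        for tid in rule.get("mitre", {}).get("id", []):
            hits[tid].add(f"wazuh:rule{rule.get('id', '?')}@{alert.get('agent', {}).get('name', '?')}")
    return hits


def techniques_from_tags(records, key, tags_of, source):
    """Scan free-text tags for technique IDs; serves TheHive tags and MISP galaxy tags alike."""
    hits = defaultdict(set)
    for rec in records:
        for tag in tags_of(rec):
            for tid in TECHNIQUE_ID.findall(tag):
                hits[tid].add(f"{source}:{rec[key]}")
    return hits


def cross_correlate(alerts, cases, events):
    """Merge per-source hits; techniques seen by the most sources come first."""
    per_source = {
        "wazuh": techniques_from_wazuh(alerts),
        "thehive": techniques_from_tags(cases, "caseId", lambda c: c.get("tags", []), "thehive"),
        "misp": techniques_from_tags(events, "id", lambda e: [t["name"] for t in e.get("Tag", [])], "misp"),
    }
    merged = {}
    for source, hits in per_source.items():
        for tid, refs in hits.items():
            entry = merged.setdefault(tid, {"sources": set(), "refs": set()})
            entry["sources"].add(source)
            entry["refs"].update(refs)
    ordered = sorted(merged.items(), key=lambda kv: (-len(kv[1]["sources"]), kv[0]))
    return {tid: {"sources": sorted(v["sources"]), "refs": sorted(v["refs"])} for tid, v in ordered}


def navigator_layer(correlated, name="Cross-source overlap", domain="enterprise-attack"):
    """Score each technique by its number of reporting sources; expand parents so sub-technique cells show."""
    entries = {}
    for tid, info in correlated.items():
        entries[tid] = {"techniqueID": tid, "score": len(info["sources"]), "comment": "; ".join(info["refs"])}
    for tid in list(entries):  # Navigator hides sub-technique cells until the parent is expanded
        if "." in tid:
            parent = tid.split(".")[0]
            entries.setdefault(parent, {"techniqueID": parent})["showSubtechniques"] = True
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},  # placeholders: match your deployment
        "domain": domain,
        "description": "Techniques reported by Wazuh, TheHive and MISP; score = number of sources",
        "techniques": list(entries.values()),
        "gradient": {"colors": ["#ffffff", "#ffa500", "#ff0000"], "minValue": 1, "maxValue": 3},
        "legendItems": [{"label": f"{n} source(s)", "color": c} for n, c in ((1, "#ffffff"), (2, "#ffa500"), (3, "#ff0000"))],
    }


def layer_json(layer):
    """Serialise for import through Navigator's 'Open Existing Layer'."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    correlated = cross_correlate(WAZUH_ALERTS, THEHIVE_CASES, MISP_EVENTS)
    for tid, info in correlated.items():
        print(f"{tid:<10} {len(info['sources'])} source(s): {', '.join(info['refs'])}")
    print(layer_json(navigator_layer(correlated)))
```

With the sample data T1059.001 is the only technique all three systems agree on, T1110 and T1021.004 are seen by Wazuh and TheHive but have no MISP context, and T1566 exists only as threat intel; the layer makes that gap visible as a single white cell beside the red one.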

Prompts

Interactive templates invoked by user choice

Name                     Description
map-incident-to-attack   Map an incident's observables to ATT&CK techniques, identify tactics, and suggest mitigations
threat-hunt-plan         Generate a threat hunting plan based on ATT&CK framework and available data sources
gap-analysis             Perform a detection gap analysis using ATT&CK coverage mapping
attribution-analysis     Assist with threat attribution based on observed techniques and contextual factors

Resources

Contextual data attached and managed by the client

Name                Description
matrix-enterprise   Full ATT&CK Enterprise matrix (tactics x techniques)
version             Current ATT&CK data version and statistics
tactics             All tactics in kill-chain order

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/lidless-labs/mitre-mcp'