The OpenCTI MCP Server integrates with the OpenCTI platform to provide a standardized interface for querying and retrieving threat intelligence data.
Key Capabilities:
Threat Intelligence Data
Retrieve latest reports or get specific reports by ID
Search for indicators of compromise, malware, and threat actors
User and Group Management
List all users and groups with their members
Retrieve user details by ID
STIX Object Operations
List attack patterns
Get campaign information by name
System Management
List connectors and status templates
File Operations
List all files or get file details by ID
Reference Data Access
List marking definitions and labels
Customization
Customizable query limits
Full GraphQL query support
Supports full GraphQL query capabilities for interacting with the OpenCTI platform's threat intelligence data.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@OpenCTI MCP Serversearch for recent ransomware reports"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
OpenCTI MCP Server
Overview
OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.
Related MCP server: Enrichment MCP Server
Features
Fetch and search threat intelligence data
Get latest reports and search by ID
Search for malware information
Query indicators of compromise
Search for threat actors
User and group management
List all users and groups
Get user details by ID
STIX object operations
List attack patterns
Get campaign information by name
System management
List connectors
View status templates
File operations
List all files
Get file details by ID
Reference data access
List marking definitions
View available labels
Customizable query limits
Full GraphQL query support
Prerequisites
Node.js 16 or higher
Access to an OpenCTI instance
OpenCTI API token
Installation
Installing via Smithery
To install OpenCTI Server for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install opencti-server --client claudeManual Installation
# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git
# Install dependencies
cd opencti-mcp-server
npm install
# Build the project
npm run buildConfiguration
Environment Variables
Copy .env.example to .env and update with your OpenCTI credentials:
cp .env.example .envRequired environment variables:
OPENCTI_URL: Your OpenCTI instance URLOPENCTI_TOKEN: Your OpenCTI API token
MCP Settings
Create a configuration file in your MCP settings location:
{
"mcpServers": {
"opencti": {
"command": "node",
"args": ["path/to/opencti-server/build/index.js"],
"env": {
"OPENCTI_URL": "${OPENCTI_URL}", // Will be loaded from .env
"OPENCTI_TOKEN": "${OPENCTI_TOKEN}" // Will be loaded from .env
}
}
}
}Security Notes
Never commit
.envfile or API tokens to version controlKeep your OpenCTI credentials secure
The
.gitignorefile is configured to exclude sensitive files
Available Tools
Available Tools
Reports
get_latest_reports
Retrieves the most recent threat intelligence reports.
{
"name": "get_latest_reports",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}get_report_by_id
Retrieves a specific report by its ID.
{
"name": "get_report_by_id",
"arguments": {
"id": "report-uuid" // Required
}
}Search Operations
search_malware
Searches for malware information in the OpenCTI database.
{
"name": "search_malware",
"arguments": {
"query": "ransomware",
"first": 10 // Optional, defaults to 10
}
}search_indicators
Searches for indicators of compromise.
{
"name": "search_indicators",
"arguments": {
"query": "domain",
"first": 10 // Optional, defaults to 10
}
}search_threat_actors
Searches for threat actor information.
{
"name": "search_threat_actors",
"arguments": {
"query": "APT",
"first": 10 // Optional, defaults to 10
}
}User Management
get_user_by_id
Retrieves user information by ID.
{
"name": "get_user_by_id",
"arguments": {
"id": "user-uuid" // Required
}
}list_users
Lists all users in the system.
{
"name": "list_users",
"arguments": {}
}list_groups
Lists all groups with their members.
{
"name": "list_groups",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}STIX Objects
list_attack_patterns
Lists all attack patterns in the system.
{
"name": "list_attack_patterns",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}get_campaign_by_name
Retrieves campaign information by name.
{
"name": "get_campaign_by_name",
"arguments": {
"name": "campaign-name" // Required
}
}System Management
list_connectors
Lists all system connectors.
{
"name": "list_connectors",
"arguments": {}
}list_status_templates
Lists all status templates.
{
"name": "list_status_templates",
"arguments": {}
}File Operations
get_file_by_id
Retrieves file information by ID.
{
"name": "get_file_by_id",
"arguments": {
"id": "file-uuid" // Required
}
}list_files
Lists all files in the system.
{
"name": "list_files",
"arguments": {}
}Reference Data
list_marking_definitions
Lists all marking definitions.
{
"name": "list_marking_definitions",
"arguments": {}
}list_labels
Lists all available labels.
{
"name": "list_labels",
"arguments": {}
}Contributing
Contributions are welcome! Please feel free to submit pull requests.
License
MIT License