The OpenCTI MCP Server integrates with the OpenCTI platform to provide a standardized interface for querying and retrieving threat intelligence data.
Key Capabilities:
- Threat Intelligence Data
  - Retrieve latest reports or get specific reports by ID
  - Search for indicators of compromise, malware, and threat actors
- User and Group Management
  - List all users and groups with their members
  - Retrieve user details by ID
- STIX Object Operations
  - List attack patterns
  - Get campaign information by name
- System Management
  - List connectors and status templates
- File Operations
  - List all files or get file details by ID
- Reference Data Access
  - List marking definitions and labels
- Customization
  - Customizable query limits
  - Full GraphQL query support
Supports full GraphQL query capabilities for interacting with the OpenCTI platform's threat intelligence data.
OpenCTI MCP Server
Overview
OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with the OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.
Features
- Fetch and search threat intelligence data
  - Get latest reports and search by ID
  - Search for malware information
  - Query indicators of compromise
  - Search for threat actors
- User and group management
  - List all users and groups
  - Get user details by ID
- STIX object operations
  - List attack patterns
  - Get campaign information by name
- System management
  - List connectors
  - View status templates
- File operations
  - List all files
  - Get file details by ID
- Reference data access
  - List marking definitions
  - View available labels
- Customizable query limits
- Full GraphQL query support
Prerequisites
- Node.js 16 or higher
- Access to an OpenCTI instance
- OpenCTI API token
Installation
Installing via Smithery
To install OpenCTI Server for Claude Desktop automatically via Smithery:
Manual Installation
Configuration
Environment Variables
Copy .env.example to .env and update it with your OpenCTI credentials.
Required environment variables:
- OPENCTI_URL: Your OpenCTI instance URL
- OPENCTI_TOKEN: Your OpenCTI API token
MCP Settings
Create a configuration file in your MCP settings location:
Security Notes
- Never commit the .env file or API tokens to version control
- Keep your OpenCTI credentials secure. An OpenCTI API token carries the capabilities of the user it was issued to, and this server exposes user/group listing and arbitrary GraphQL queries to whichever LLM client connects to it, so issue the token from a dedicated account with the least privilege the tools need (read-only where possible) rather than an administrator account
- The .gitignore file is configured to exclude sensitive files
Available Tools
Reports
get_latest_reports
Retrieves the most recent threat intelligence reports.
get_report_by_id
Retrieves a specific report by its ID.
Search Operations
search_malware
Searches for malware information in the OpenCTI database.
search_indicators
Searches for indicators of compromise.
search_threat_actors
Searches for threat actor information.
User Management
get_user_by_id
Retrieves user information by ID.
list_users
Lists all users in the system.
list_groups
Lists all groups with their members.
STIX Objects
list_attack_patterns
Lists all attack patterns in the system.
get_campaign_by_name
Retrieves campaign information by name.
System Management
list_connectors
Lists all system connectors.
list_status_templates
Lists all status templates.
File Operations
get_file_by_id
Retrieves file information by ID.
list_files
Lists all files in the system.
Reference Data
list_marking_definitions
Lists all marking definitions.
list_labels
Lists all available labels.
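A worked example of how the OPENCTI_URL / OPENCTI_TOKEN configuration above and tools such as get_latest_reports, search_malware, search_indicators and get_campaign_by_name fit together. It is added here and is not code from this project. What is certain: OpenCTI serves GraphQL at OPENCTI_URL/graphql and authenticates with an Authorization: Bearer token header. What is assumed: the function names (loadConfig, clampLimit, buildRequest, callOpenCTI), the MAX_LIMIT cap, the GraphQL field and ordering names in TOOL_QUERIES (reports, malwares, indicators, campaigns), and that fetch is available globally (Node 18+; on Node 16 pass a fetch implementation explicitly). Check the field names against your instance's GraphQL playground before relying on them.

```javascript
// Added example, not the project's own code. OpenCTI exposes GraphQL at
// <OPENCTI_URL>/graphql and expects "Authorization: Bearer <token>". The
// field names in TOOL_QUERIES and MAX_LIMIT are assumptions; verify them
// against your instance's schema.

const MAX_LIMIT = 100; // assumed hard cap behind "customizable query limits"

// Validate OPENCTI_URL / OPENCTI_TOKEN before any request is built.
function loadConfig(env = process.env) {
  const { OPENCTI_URL: url, OPENCTI_TOKEN: token } = env;
  if (!url || !token) {
    throw new Error("OPENCTI_URL and OPENCTI_TOKEN must be set (see .env.example)");
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    throw new Error(`OPENCTI_URL is not a valid URL: ${url}`);
  }
  const isLocal = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1";
  if (parsed.protocol !== "https:" && !isLocal) {
    // A bearer token sent over plain HTTP is readable by anyone on the path.
    throw new Error("OPENCTI_URL must use https (plain http only tolerated for localhost)");
  }
  return { baseUrl: parsed.origin, token };
}

// Clamp a caller-supplied limit into [1, MAX_LIMIT]; non-integers fall back.
function clampLimit(limit, fallback = 10) {
  const n = Number.isInteger(limit) ? limit : fallback;
  return Math.min(Math.max(n, 1), MAX_LIMIT);
}

// Every tool is a fixed query plus typed GraphQL variables. Caller input only
// ever becomes a variable value, never part of the query text, so a crafted
// search term cannot change the query's shape or reach extra fields.
const TOOL_QUERIES = {
  get_latest_reports: {
    query: `query ($first: Int) {
      reports(first: $first, orderBy: published, orderMode: desc) {
        edges { node { id name published } }
      }
    }`,
    variables: (a) => ({ first: clampLimit(a.limit) }),
  },
  search_malware: {
    query: `query ($search: String, $first: Int) {
      malwares(search: $search, first: $first) {
        edges { node { id name malware_types } }
      }
    }`,
    variables: (a) => ({ search: String(a.query ?? ""), first: clampLimit(a.limit) }),
  },
  search_indicators: {
    query: `query ($search: String, $first: Int) {
      indicators(search: $search, first: $first) {
        edges { node { id name pattern_type pattern } }
      }
    }`,
    variables: (a) => ({ search: String(a.query ?? ""), first: clampLimit(a.limit) }),
  },
  get_campaign_by_name: {
    query: `query ($search: String) {
      campaigns(search: $search, first: 1) {
        edges { node { id name description } }
      }
    }`,
    variables: (a) => ({ search: String(a.name ?? "") }),
  },
};

// Build the HTTP request for a named tool. Only own keys of TOOL_QUERIES are
// accepted, so "constructor" or "__proto__" from a client are rejected too.
function buildRequest(config, toolName, args = {}) {
  const known = Object.prototype.hasOwnProperty.call(TOOL_QUERIES, toolName);
  if (!known) throw new Error(`unknown tool: ${toolName}`);
  const tool = TOOL_QUERIES[toolName];
  return {
    url: `${config.baseUrl}/graphql`,
    method: "POST",
    headers: {
      Authorization: `Bearer ${config.token}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ query: tool.query, variables: tool.variables(args) }),
  };
}

// Execute a tool call. GraphQL reports errors in the JSON body rather than
// via HTTP status, so both are checked. Headers are never logged: they hold
// the token.
async function callOpenCTI(config, toolName, args, fetchImpl = globalThis.fetch) {
  const { url, ...init } = buildRequest(config, toolName, args);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`OpenCTI HTTP ${res.status}`);
  const json = await res.json();
  if (Array.isArray(json.errors) && json.errors.length) {
    throw new Error(`GraphQL error: ${json.errors.map((e) => e.message).join("; ")}`);
  }
  return json.data;
}
```

The two points worth carrying into a real server are the ones the test exercises: search strings travel as GraphQL variables, so a value like `") { id } }` is just a string to OpenCTI, and the limit is clamped server-side so a client asking for 5000 rows gets MAX_LIMIT.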
Contributing
Contributions are welcome! Please feel free to submit pull requests.
License
MIT License