OpenCTI
by
OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with the OpenCTI (Open Cyber Threat Intelligence) platform, enabling querying and retrieving threat intelligence data through a standardized interface.
OpenCTI Overview
What is OpenCTI MCP Server?
OpenCTI MCP Server is a Model Context Protocol (MCP) server designed to integrate with the OpenCTI (Open Cyber Threat Intelligence) platform. It provides a standardized interface for querying and retrieving threat intelligence data, making it easier to access and utilize this critical information.
How to use OpenCTI MCP Server?
To use OpenCTI MCP Server, you need Node.js 16 or higher, access to an OpenCTI instance, and an OpenCTI API token. You can install it via Smithery using npx -y @smithery/cli install opencti-server --client claude or manually by cloning the repository, installing dependencies (npm install), and building the project (npm run build). Configuration involves setting OPENCTI_URL and OPENCTI_TOKEN environment variables in a .env file and configuring MCP settings in a JSON file.
Key Features of OpenCTI MCP Server
- Threat Intelligence Data Retrieval: Fetch and search for the latest reports, malware information, indicators of compromise, and threat actors.
- User and Group Management: List all users and groups, and retrieve user details by ID.
- STIX Object Operations: List attack patterns and get campaign information by name.
- System Management: List connectors and view status templates.
- File Operations: List all files and get file details by ID.
- Reference Data Access: List marking definitions and view available labels.
- Customizable Query Limits: Control the number of results returned.
- Full GraphQL Query Support: Leverage the power of GraphQL for advanced queries.
Use Cases of OpenCTI MCP Server
- Cyber Threat Analysis: Quickly retrieve and analyze threat intelligence to understand emerging threats.
- Security Operations: Integrate with security tools to automate the collection and processing of threat data.
- Incident Response: Access relevant threat indicators and reports during security incidents.
- Security Research: Explore and analyze OpenCTI data for research purposes.
FAQ from OpenCTI MCP Server
Q: What are the prerequisites for running OpenCTI MCP Server? A: You need Node.js 16 or higher, access to an OpenCTI instance, and an OpenCTI API token.
Q: How do I install OpenCTI MCP Server?
A: You can install it automatically via Smithery or manually by cloning the repository and running npm install and npm run build.
Q: How do I configure OpenCTI MCP Server?
A: You need to set OPENCTI_URL and OPENCTI_TOKEN in a .env file and configure the MCP settings in a JSON file.
Q: Is it secure to use OpenCTI MCP Server?
A: Yes, but it is crucial to never commit your .env file or API tokens to version control and to keep your OpenCTI credentials secure.
OpenCTI's README
OpenCTI MCP Server
Overview
OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.
Features
- Fetch and search threat intelligence data
- Get latest reports and search by ID
- Search for malware information
- Query indicators of compromise
- Search for threat actors
- User and group management
- List all users and groups
- Get user details by ID
- STIX object operations
- List attack patterns
- Get campaign information by name
- System management
- List connectors
- View status templates
- File operations
- List all files
- Get file details by ID
- Reference data access
- List marking definitions
- View available labels
- Customizable query limits
- Full GraphQL query support
Prerequisites
- Node.js 16 or higher
- Access to an OpenCTI instance
- OpenCTI API token
Installation
Installing via Smithery
To install OpenCTI Server for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install opencti-server --client claude
Manual Installation
# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git
# Install dependencies
cd opencti-mcp-server
npm install
# Build the project
npm run build
Configuration
Environment Variables
Copy .env.example to .env and update with your OpenCTI credentials:
cp .env.example .env
Required environment variables:
OPENCTI_URL: Your OpenCTI instance URLOPENCTI_TOKEN: Your OpenCTI API token
MCP Settings
Create a configuration file in your MCP settings location:
{
"mcpServers": {
"opencti": {
"command": "node",
"args": ["path/to/opencti-server/build/index.js"],
"env": {
"OPENCTI_URL": "${OPENCTI_URL}", // Will be loaded from .env
"OPENCTI_TOKEN": "${OPENCTI_TOKEN}" // Will be loaded from .env
}
}
}
}
Security Notes
- Never commit
.envfile or API tokens to version control - Keep your OpenCTI credentials secure
- The
.gitignorefile is configured to exclude sensitive files
Available Tools
Available Tools
Reports
get_latest_reports
Retrieves the most recent threat intelligence reports.
{
"name": "get_latest_reports",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}
get_report_by_id
Retrieves a specific report by its ID.
{
"name": "get_report_by_id",
"arguments": {
"id": "report-uuid" // Required
}
}
Search Operations
search_malware
Searches for malware information in the OpenCTI database.
{
"name": "search_malware",
"arguments": {
"query": "ransomware",
"first": 10 // Optional, defaults to 10
}
}
search_indicators
Searches for indicators of compromise.
{
"name": "search_indicators",
"arguments": {
"query": "domain",
"first": 10 // Optional, defaults to 10
}
}
search_threat_actors
Searches for threat actor information.
{
"name": "search_threat_actors",
"arguments": {
"query": "APT",
"first": 10 // Optional, defaults to 10
}
}
User Management
get_user_by_id
Retrieves user information by ID.
{
"name": "get_user_by_id",
"arguments": {
"id": "user-uuid" // Required
}
}
list_users
Lists all users in the system.
{
"name": "list_users",
"arguments": {}
}
list_groups
Lists all groups with their members.
{
"name": "list_groups",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}
STIX Objects
list_attack_patterns
Lists all attack patterns in the system.
{
"name": "list_attack_patterns",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}
get_campaign_by_name
Retrieves campaign information by name.
{
"name": "get_campaign_by_name",
"arguments": {
"name": "campaign-name" // Required
}
}
System Management
list_connectors
Lists all system connectors.
{
"name": "list_connectors",
"arguments": {}
}
list_status_templates
Lists all status templates.
{
"name": "list_status_templates",
"arguments": {}
}
File Operations
get_file_by_id
Retrieves file information by ID.
{
"name": "get_file_by_id",
"arguments": {
"id": "file-uuid" // Required
}
}
list_files
Lists all files in the system.
{
"name": "list_files",
"arguments": {}
}
Reference Data
list_marking_definitions
Lists all marking definitions.
{
"name": "list_marking_definitions",
"arguments": {}
}
list_labels
Lists all available labels.
{
"name": "list_labels",
"arguments": {}
}
Contributing
Contributions are welcome! Please feel free to submit pull requests.
License
MIT License
OpenCTI Reviews
Login Required
Please log in to share your review and rating for this MCP.
Actions
OpenCTI's Information
- Author
- Spathodea-Network
- Category
- Identity & Security
- Language
- TypeScript
- License
- MIT License
- Version
- v0.1.0
- Stars
- 19
- Updated
- 3 months ago
Related MCP Servers
Discover more MCP servers with similar functionality and use cases
SafeLine
by chaitin
Provides a self‑hosted web application firewall and reverse‑proxy that filters, monitors, and blocks malicious HTTP/S traffic, protecting web applications from attacks such as SQL injection, XSS, brute‑force, bot abuse, and various code injections.
Burp MCP Server
by PortSwigger
Integrates Burp Suite with AI clients via the Model Context Protocol, providing a built‑in SSE server and a packaged Stdio proxy for seamless AI‑driven interaction with Burp.
Cycode Cli
by cycodehq
Boost security in the development lifecycle via static application security testing, software composition analysis, secrets detection, and infrastructure‑as‑code scanning.
Auth0
Officialby auth0
Auth0 MCP Server enables AI agents to manage Auth0 tenants using natural language, streamlining tasks like application and user management.
Keycloak MCP
by ChristophEnglisch
keycloak-model-context-protocol is an MCP server implementation for Keycloak user management, enabling AI-powered administration of Keycloak users and realms through the Model Context Protocol (MCP).
Malware Bazaar MCP
by mytechnotalent
Provides real-time threat intelligence and detailed malware sample metadata from Malware Bazaar through an AI‑driven MCP server, enabling authorized cybersecurity research workflows.
Okta
by kapilduraphe
This project provides an Okta MCP (Multi-Cloud Platform) server that enables Claude to interact with Okta's user management system, offering comprehensive user and group management capabilities along with onboarding automation.
Descope
by descope-sample-apps
descope-mcp-server-stdio is a Model Context Protocol (MCP) server that integrates Descope's Management APIs with applications like Claude Desktop. It enables users to manage user data and audit logs directly from their desktop environment.
Authenticator App · 2FA
Officialby firstorderai
authenticator_mcp is a secure server that enables AI agents to retrieve 2FA codes and passwords from the Authenticator App. It automates login processes and enhances security by allowing AI assistants to handle credential retrieval.