OpenCTI MCP Server

Overview

OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.

Features

Fetch and search threat intelligence data
Get latest reports and search by ID
Search for malware information
Query indicators of compromise
Search for threat actors
User and group management
List all users and groups
Get user details by ID
STIX object operations
List attack patterns
Get campaign information by name
System management
List connectors
View status templates
File operations
List all files
Get file details by ID
Reference data access
List marking definitions
View available labels
Customizable query limits
Full GraphQL query support

Prerequisites

Node.js 16 or higher
Access to an OpenCTI instance
OpenCTI API token

Installation

Installing via Smithery

To install OpenCTI Server for Claude Desktop automatically via Smithery:

bash

npx -y @smithery/cli install opencti-server --client claude

Manual Installation

bash

# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git

# Install dependencies
cd opencti-mcp-server
npm install

# Build the project
npm run build

Configuration

Environment Variables

Copy .env.example to .env and update with your OpenCTI credentials:

bash

cp .env.example .env

Required environment variables:

OPENCTI_URL: Your OpenCTI instance URL
OPENCTI_TOKEN: Your OpenCTI API token

MCP Settings

Create a configuration file in your MCP settings location:

json

{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",  // Will be loaded from .env
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"  // Will be loaded from .env
      }
    }
  }
}

Security Notes

Never commit .env file or API tokens to version control
Keep your OpenCTI credentials secure
The .gitignore file is configured to exclude sensitive files

Available Tools

Reports

get_latest_reports

Retrieves the most recent threat intelligence reports.

typescript

{
  "name": "get_latest_reports",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

get_report_by_id

Retrieves a specific report by its ID.

typescript

{
  "name": "get_report_by_id",
  "arguments": {
    "id": "report-uuid"  // Required
  }
}

Search Operations

search_malware

Searches for malware information in the OpenCTI database.

typescript

{
  "name": "search_malware",
  "arguments": {
    "query": "ransomware",
    "first": 10  // Optional, defaults to 10
  }
}

search_indicators

Searches for indicators of compromise.

typescript

{
  "name": "search_indicators",
  "arguments": {
    "query": "domain",
    "first": 10  // Optional, defaults to 10
  }
}

search_threat_actors

Searches for threat actor information.

typescript

{
  "name": "search_threat_actors",
  "arguments": {
    "query": "APT",
    "first": 10  // Optional, defaults to 10
  }
}

User Management

get_user_by_id

Retrieves user information by ID.

typescript

{
  "name": "get_user_by_id",
  "arguments": {
    "id": "user-uuid"  // Required
  }
}

list_users

Lists all users in the system.

typescript

{
  "name": "list_users",
  "arguments": {}
}

list_groups

Lists all groups with their members.

typescript

{
  "name": "list_groups",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

STIX Objects

list_attack_patterns

Lists all attack patterns in the system.

typescript

{
  "name": "list_attack_patterns",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

get_campaign_by_name

Retrieves campaign information by name.

typescript

{
  "name": "get_campaign_by_name",
  "arguments": {
    "name": "campaign-name"  // Required
  }
}

System Management

list_connectors

Lists all system connectors.

typescript

{
  "name": "list_connectors",
  "arguments": {}
}

list_status_templates

Lists all status templates.

typescript

{
  "name": "list_status_templates",
  "arguments": {}
}

File Operations

get_file_by_id

Retrieves file information by ID.

typescript

{
  "name": "get_file_by_id",
  "arguments": {
    "id": "file-uuid"  // Required
  }
}

list_files

Lists all files in the system.

typescript

{
  "name": "list_files",
  "arguments": {}
}

Reference Data

list_marking_definitions

Lists all marking definitions.

typescript

{
  "name": "list_marking_definitions",
  "arguments": {}
}

list_labels

Lists all available labels.

typescript

{
  "name": "list_labels",
  "arguments": {}
}

Contributing

Contributions are welcome! Please feel free to submit pull requests.

License

MIT License

Opencti Mcp

Documentation

OpenCTI MCP Server

Overview

Features

Prerequisites

Installation

Installing via Smithery

Manual Installation

Configuration

Environment Variables

MCP Settings

Security Notes

Available Tools

Available Tools

Reports

get_latest_reports

get_report_by_id

Search Operations

search_malware

search_indicators

search_threat_actors

User Management

get_user_by_id

list_users

list_groups

STIX Objects

list_attack_patterns

get_campaign_by_name

System Management

list_connectors

list_status_templates

File Operations

get_file_by_id

list_files

Reference Data

list_marking_definitions

list_labels

Contributing

License

Similar MCP

Mcp Open Library

Quran Mcp Server

Anilist Mcp

Ashra Mcp

Trending MCP

Playwright Mcp

Serena

Mcp Playwright

Mcp Server Cloudflare

Mcp Open Library

Quran Mcp Server

Anilist Mcp

Ashra Mcp

Playwright Mcp

Serena

Mcp Playwright

Mcp Server Cloudflare