OpenCTI MCP Server
Overview
OpenCTI MCP Server is a Model Context Protocol (MCP) server that integrates with the OpenCTI (Open Cyber Threat Intelligence) platform. It lets an MCP client query and retrieve threat intelligence data from OpenCTI through a standardized tool interface.
Features
- Fetch and search threat intelligence data
  - Get latest reports and search by ID
  - Search for malware information
  - Query indicators of compromise
  - Search for threat actors
- User and group management
  - List all users and groups
  - Get user details by ID
- STIX object operations
  - List attack patterns
  - Get campaign information by name
- System management
  - List connectors
  - View status templates
- File operations
  - List all files
  - Get file details by ID
- Reference data access
  - List marking definitions
  - View available labels
- Customizable query limits
- Full GraphQL query support
Prerequisites
- Node.js 16 or higher
- Access to an OpenCTI instance
- OpenCTI API token
Installation
Installing via Smithery
To install OpenCTI Server for Claude Desktop automatically via Smithery:
```shell
npx -y @smithery/cli install opencti-server --client claude
```
Manual Installation
```shell
# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git

# Install dependencies
cd opencti-mcp-server
npm install

# Build the project
npm run build
```
Configuration
Environment Variables
Copy .env.example to .env and update it with your OpenCTI credentials:
```shell
cp .env.example .env
```
Required environment variables:
- OPENCTI_URL: Your OpenCTI instance URL
- OPENCTI_TOKEN: Your OpenCTI API token
MCP Settings
Create a configuration file in your MCP settings location:
```jsonc
{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",     // Will be loaded from .env
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"  // Will be loaded from .env
      }
    }
  }
}
```
Security Notes
- Never commit the .env file or API tokens to version control
- Keep your OpenCTI credentials secure
- The .gitignore file is configured to exclude sensitive files
Available Tools
Reports
get_latest_reports
Retrieves the most recent threat intelligence reports.
```jsonc
{
  "name": "get_latest_reports",
  "arguments": {
    "first": 10 // Optional, defaults to 10
  }
}
```
get_report_by_id
Retrieves a specific report by its ID.
```jsonc
{
  "name": "get_report_by_id",
  "arguments": {
    "id": "report-uuid" // Required
  }
}
```
Search Operations
search_malware
Searches for malware information in the OpenCTI database.
```jsonc
{
  "name": "search_malware",
  "arguments": {
    "query": "ransomware",
    "first": 10 // Optional, defaults to 10
  }
}
```
search_indicators
Searches for indicators of compromise.
```jsonc
{
  "name": "search_indicators",
  "arguments": {
    "query": "domain",
    "first": 10 // Optional, defaults to 10
  }
}
```
search_threat_actors
Searches for threat actor information.
```jsonc
{
  "name": "search_threat_actors",
  "arguments": {
    "query": "APT",
    "first": 10 // Optional, defaults to 10
  }
}
```
User Management
get_user_by_id
Retrieves user information by ID.
```jsonc
{
  "name": "get_user_by_id",
  "arguments": {
    "id": "user-uuid" // Required
  }
}
```
list_users
Lists all users in the system.
```jsonc
{
  "name": "list_users",
  "arguments": {}
}
```
list_groups
Lists all groups with their members.
```jsonc
{
  "name": "list_groups",
  "arguments": {
    "first": 10 // Optional, defaults to 10
  }
}
```
STIX Objects
list_attack_patterns
Lists all attack patterns in the system.
```jsonc
{
  "name": "list_attack_patterns",
  "arguments": {
    "first": 10 // Optional, defaults to 10
  }
}
```
get_campaign_by_name
Retrieves campaign information by name.
```jsonc
{
  "name": "get_campaign_by_name",
  "arguments": {
    "name": "campaign-name" // Required
  }
}
```
System Management
list_connectors
Lists all system connectors.
```jsonc
{
  "name": "list_connectors",
  "arguments": {}
}
```
list_status_templates
Lists all status templates.
```jsonc
{
  "name": "list_status_templates",
  "arguments": {}
}
```
File Operations
get_file_by_id
Retrieves file information by ID.
```jsonc
{
  "name": "get_file_by_id",
  "arguments": {
    "id": "file-uuid" // Required
  }
}
```
list_files
Lists all files in the system.
```jsonc
{
  "name": "list_files",
  "arguments": {}
}
```
Reference Data
list_marking_definitions
Lists all marking definitions.
```jsonc
{
  "name": "list_marking_definitions",
  "arguments": {}
}
```
list_labels
Lists all available labels.
```jsonc
{
  "name": "list_labels",
  "arguments": {}
}
```
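Because every tool above forwards its arguments to OpenCTI's GraphQL API, a server should check a tool-call request against the documented catalogue before it builds a query. The validator below is an added example and not code from the opencti-mcp-server project; the tool and argument names come from the listing above, while MAX_FIRST is an assumed server-side cap on the "first" page size that the page does not specify.

```javascript
// Catalogue of the documented tools: required string arguments and whether
// the optional "first" page-size argument is accepted.
const TOOLS = {
  get_latest_reports:       { required: [], optional: ['first'] },
  get_report_by_id:         { required: ['id'] },
  search_malware:           { required: ['query'], optional: ['first'] },
  search_indicators:        { required: ['query'], optional: ['first'] },
  search_threat_actors:     { required: ['query'], optional: ['first'] },
  get_user_by_id:           { required: ['id'] },
  list_users:               { required: [] },
  list_groups:              { required: [], optional: ['first'] },
  list_attack_patterns:     { required: [], optional: ['first'] },
  get_campaign_by_name:     { required: ['name'] },
  list_connectors:          { required: [] },
  list_status_templates:    { required: [] },
  get_file_by_id:           { required: ['id'] },
  list_files:               { required: [] },
  list_marking_definitions: { required: [] },
  list_labels:              { required: [] },
};

const DEFAULT_FIRST = 10; // default page size documented for every tool
const MAX_FIRST = 100;    // assumed cap; the page does not state one

// Returns { ok: true, name, arguments } with normalised arguments, or
// { ok: false, error } describing the first problem found.
function validateToolCall(call) {
  const spec = TOOLS[call && call.name];
  if (!spec) return { ok: false, error: `unknown tool: ${String(call && call.name)}` };
  const args = call.arguments && typeof call.arguments === 'object' ? call.arguments : {};
  const allowed = new Set([...spec.required, ...(spec.optional || [])]);
  const out = {};
  // Reject arguments the tool does not declare so nothing unexpected reaches GraphQL.
  for (const key of Object.keys(args)) {
    if (!allowed.has(key)) return { ok: false, error: `${call.name}: unexpected argument "${key}"` };
  }
  // Required arguments (id, name, query) must be non-empty strings.
  for (const key of spec.required) {
    if (typeof args[key] !== 'string' || args[key].trim() === '') {
      return { ok: false, error: `${call.name}: "${key}" must be a non-empty string` };
    }
    out[key] = args[key].trim();
  }
  // "first" defaults to 10 and is bounded to keep result sets small.
  if (allowed.has('first')) {
    const first = args.first === undefined ? DEFAULT_FIRST : args.first;
    if (!Number.isInteger(first) || first < 1 || first > MAX_FIRST) {
      return { ok: false, error: `${call.name}: "first" must be an integer in 1..${MAX_FIRST}` };
    }
    out.first = first;
  }
  return { ok: true, name: call.name, arguments: out };
}
```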
Contributing
Contributions are welcome! Please feel free to submit pull requests.
License
MIT License