A Model Context Protocol server that facilitates integration with OpenCTI, allowing users to query and retrieve cyber threat intelligence data via a standardized interface.
OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.
To install OpenCTI Server for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install opencti-server --client claude# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git
# Install dependencies
cd opencti-mcp-server
npm install
# Build the project
npm run buildCopy .env.example to .env and update with your OpenCTI credentials:
cp .env.example .envRequired environment variables:
- OPENCTI_URL: Your OpenCTI instance URL
- OPENCTI_TOKEN: Your OpenCTI API token
Create a configuration file in your MCP settings location:
{
"mcpServers": {
"opencti": {
"command": "node",
"args": ["path/to/opencti-server/build/index.js"],
"env": {
"OPENCTI_URL": "${OPENCTI_URL}", // Will be loaded from .env
"OPENCTI_TOKEN": "${OPENCTI_TOKEN}" // Will be loaded from .env
}
}
}
}.env file or API tokens to version control.gitignore file is configured to exclude sensitive filesRetrieves the most recent threat intelligence reports.
{
"name": "get_latest_reports",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}Retrieves a specific report by its ID.
{
"name": "get_report_by_id",
"arguments": {
"id": "report-uuid" // Required
}
}Searches for malware information in the OpenCTI database.
{
"name": "search_malware",
"arguments": {
"query": "ransomware",
"first": 10 // Optional, defaults to 10
}
}Searches for indicators of compromise.
{
"name": "search_indicators",
"arguments": {
"query": "domain",
"first": 10 // Optional, defaults to 10
}
}Searches for threat actor information.
{
"name": "search_threat_actors",
"arguments": {
"query": "APT",
"first": 10 // Optional, defaults to 10
}
}Retrieves user information by ID.
{
"name": "get_user_by_id",
"arguments": {
"id": "user-uuid" // Required
}
}Lists all users in the system.
{
"name": "list_users",
"arguments": {}
}Lists all groups with their members.
{
"name": "list_groups",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}Lists all attack patterns in the system.
{
"name": "list_attack_patterns",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}Retrieves campaign information by name.
{
"name": "get_campaign_by_name",
"arguments": {
"name": "campaign-name" // Required
}
}Lists all system connectors.
{
"name": "list_connectors",
"arguments": {}
}Lists all status templates.
{
"name": "list_status_templates",
"arguments": {}
}Retrieves file information by ID.
{
"name": "get_file_by_id",
"arguments": {
"id": "file-uuid" // Required
}
}Lists all files in the system.
{
"name": "list_files",
"arguments": {}
}Lists all marking definitions.
{
"name": "list_marking_definitions",
"arguments": {}
}Lists all available labels.
{
"name": "list_labels",
"arguments": {}
}Contributions are welcome! Please feel free to submit pull requests.
MIT License
[
{
"description": "ç²åææ°çOpenCTIå ±å",
"inputSchema": {
"properties": {
"first": {
"default": 10,
"description": "è¿åçµææ¸ééå¶",
"type": "number"
}
},
"type": "object"
},
"name": "get_latest_reports"
},
{
"description": "æ ¹æIDç²åOpenCTIå ±å",
"inputSchema": {
"properties": {
"id": {
"description": "å ±åID",
"type": "string"
}
},
"required": [
"id"
],
"type": "object"
},
"name": "get_report_by_id"
},
{
"description": "æå°OpenCTIä¸çææ¨",
"inputSchema": {
"properties": {
"first": {
"default": 10,
"description": "è¿åçµææ¸ééå¶",
"type": "number"
},
"query": {
"description": "æå°ééµå",
"type": "string"
}
},
"required": [
"query"
],
"type": "object"
},
"name": "search_indicators"
},
{
"description": "æå°OpenCTIä¸çæ¡æç¨å¼",
"inputSchema": {
"properties": {
"first": {
"default": 10,
"description": "è¿åçµææ¸ééå¶",
"type": "number"
},
"query": {
"description": "æå°ééµå",
"type": "string"
}
},
"required": [
"query"
],
"type": "object"
},
"name": "search_malware"
},
{
"description": "æå°OpenCTIä¸çå¨è
è¡çºè
",
"inputSchema": {
"properties": {
"first": {
"default": 10,
"description": "è¿åçµææ¸ééå¶",
"type": "number"
},
"query": {
"description": "æå°ééµå",
"type": "string"
}
},
"required": [
"query"
],
"type": "object"
},
"name": "search_threat_actors"
},
{
"description": "æ ¹æIDç²å使ç¨è
è³è¨",
"inputSchema": {
"properties": {
"id": {
"description": "使ç¨è
ID",
"type": "string"
}
},
"required": [
"id"
],
"type": "object"
},
"name": "get_user_by_id"
},
{
"description": "ååºææ使ç¨è
",
"inputSchema": {
"properties": {},
"type": "object"
},
"name": "list_users"
},
{
"description": "ååºææ群çµ",
"inputSchema": {
"properties": {
"first": {
"default": 10,
"description": "è¿åçµææ¸ééå¶",
"type": "number"
}
},
"type": "object"
},
"name": "list_groups"
},
{
"description": "ååºæææ»æ模å¼",
"inputSchema": {
"properties": {
"first": {
"default": 10,
"description": "è¿åçµææ¸ééå¶",
"type": "number"
}
},
"type": "object"
},
"name": "list_attack_patterns"
},
{
"description": "æ ¹æå稱ç²åè¡åè³è¨",
"inputSchema": {
"properties": {
"name": {
"description": "è¡åå稱",
"type": "string"
}
},
"required": [
"name"
],
"type": "object"
},
"name": "get_campaign_by_name"
},
{
"description": "ååºææé£æ¥å¨",
"inputSchema": {
"properties": {},
"type": "object"
},
"name": "list_connectors"
},
{
"description": "ååºææçæ
模æ¿",
"inputSchema": {
"properties": {},
"type": "object"
},
"name": "list_status_templates"
},
{
"description": "æ ¹æIDç²åæªæ¡è³è¨",
"inputSchema": {
"properties": {
"id": {
"description": "æªæ¡ID",
"type": "string"
}
},
"required": [
"id"
],
"type": "object"
},
"name": "get_file_by_id"
},
{
"description": "ååºæææªæ¡",
"inputSchema": {
"properties": {},
"type": "object"
},
"name": "list_files"
},
{
"description": "ååºæææ¨è¨å®ç¾©",
"inputSchema": {
"properties": {},
"type": "object"
},
"name": "list_marking_definitions"
},
{
"description": "ååºæææ¨ç±¤",
"inputSchema": {
"properties": {},
"type": "object"
},
"name": "list_labels"
}
]