Interact with the OpenCTI platform to retrieve threat intelligence data, including reports, indicators, malware, and threat actors.
# OpenCTI MCP Server

## Overview

OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with the OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.

## Features

- Fetch and search threat intelligence data
  - Get latest reports and search by ID
  - Search for malware information
  - Query indicators of compromise
  - Search for threat actors
- User and group management
  - List all users and groups
  - Get user details by ID
- STIX object operations
  - List attack patterns
  - Get campaign information by name
- System management
  - List connectors
  - View status templates
- File operations
  - List all files
  - Get file details by ID
- Reference data access
  - List marking definitions
  - View available labels
- Customizable query limits
- Full GraphQL query support

## Prerequisites

- Node.js 16 or higher
- Access to an OpenCTI instance
- OpenCTI API token

## Installation

### Installing via Smithery

To install OpenCTI Server for Claude Desktop automatically via Smithery:

```bash
npx -y @smithery/cli install opencti-server --client claude
```

### Manual Installation

```bash
# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git

# Install dependencies
cd opencti-mcp-server
npm install

# Build the project
npm run build
```

## Configuration

### Environment Variables

Copy `.env.example` to `.env` and update with your OpenCTI credentials:

```bash
cp .env.example .env
```

Required environment variables:

- `OPENCTI_URL`: Your OpenCTI instance URL
- `OPENCTI_TOKEN`: Your OpenCTI API token

### MCP Settings

Create a configuration file in your MCP settings location. The `${OPENCTI_URL}` and `${OPENCTI_TOKEN}` values will be loaded from `.env`:

```json
{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}
```

### Security Notes

- Never commit `.env` file or API tokens to version control
- Keep your OpenCTI credentials secure
- The `.gitignore` file is configured to exclude sensitive files
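
An added example, not part of the project's code: one way to check an MCP settings file against the notes above before it is shared or committed. The function name `auditMcpSettings`, the finding messages, and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not project code). auditMcpSettings and its messages are hypothetical.
const PLACEHOLDER = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/; // e.g. "${OPENCTI_TOKEN}"
const SECRET_KEY = /TOKEN|SECRET|PASSWORD|API_?KEY/i;

function auditMcpSettings(jsonText) {
  let doc;
  try {
    doc = JSON.parse(jsonText); // strict JSON: "//" comments are rejected too
  } catch {
    return ["settings: not valid JSON"];
  }
  const findings = [];
  const servers = (doc && doc.mcpServers) || {};
  for (const [name, server] of Object.entries(servers)) {
    const env = (server && server.env) || {};
    for (const [key, value] of Object.entries(env)) {
      // Literal = non-empty string that is not a ${VAR} reference.
      const literal = typeof value === "string" && value !== "" && !PLACEHOLDER.test(value);
      if (!literal) continue;
      if (SECRET_KEY.test(key)) {
        findings.push(`${name}.env.${key}: literal secret stored in settings file`);
      }
      if (key === "OPENCTI_URL") {
        let url = null;
        try { url = new URL(value); } catch { /* reported below */ }
        if (!url) findings.push(`${name}.env.${key}: not a valid URL`);
        else if (url.protocol !== "https:") findings.push(`${name}.env.${key}: not https, requests are unencrypted`);
        else if (url.username || url.password) findings.push(`${name}.env.${key}: credentials embedded in URL`);
      }
    }
  }
  return findings;
}

// Constructed sample inputs (the token below is a made-up placeholder value).
const GOOD_SETTINGS = JSON.stringify({ mcpServers: { opencti: { command: "node",
  args: ["path/to/opencti-server/build/index.js"],
  env: { OPENCTI_URL: "${OPENCTI_URL}", OPENCTI_TOKEN: "${OPENCTI_TOKEN}" } } } });
const BAD_SETTINGS = JSON.stringify({ mcpServers: { opencti: { command: "node",
  args: ["path/to/opencti-server/build/index.js"],
  env: { OPENCTI_URL: "http://opencti.example.internal:8080",
         OPENCTI_TOKEN: "00000000-0000-4000-8000-000000000000" } } } });

console.log(auditMcpSettings(GOOD_SETTINGS));
console.log(auditMcpSettings(BAD_SETTINGS));
```
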
## Available Tools

### Reports

#### get_latest_reports

Retrieves the most recent threat intelligence reports.

```typescript
{
  "name": "get_latest_reports",
  "arguments": {
    "first": 10 // Optional, defaults to 10
  }
}
```

#### get_report_by_id

Retrieves a specific report by its ID.

```typescript
{
  "name": "get_report_by_id",
  "arguments": {
    "id": "report-uuid" // Required
  }
}
```

### Search Operations

#### search_malware

Searches for malware information in the OpenCTI database.

```typescript
{
  "name": "search_malware",
  "arguments": {
    "query": "ransomware",
    "first": 10 // Optional, defaults to 10
  }
}
```

#### search_indicators

Searches for indicators of compromise.

```typescript
{
  "name": "search_indicators",
  "arguments": {
    "query": "domain",
    "first": 10 // Optional, defaults to 10
  }
}
```

#### search_threat_actors

Searches for threat actor information.

```typescript
{
  "name": "search_threat_actors",
  "arguments": {
    "query": "APT",
    "first": 10 // Optional, defaults to 10
  }
}
```

### User Management

#### get_user_by_id

Retrieves user information by ID.

```typescript
{
  "name": "get_user_by_id",
  "arguments": {
    "id": "user-uuid" // Required
  }
}
```

#### list_users

Lists all users in the system.

```typescript
{
  "name": "list_users",
  "arguments": {}
}
```

#### list_groups

Lists all groups with their members.

```typescript
{
  "name": "list_groups",
  "arguments": {
    "first": 10 // Optional, defaults to 10
  }
}
```

### STIX Objects

#### list_attack_patterns

Lists all attack patterns in the system.

```typescript
{
  "name": "list_attack_patterns",
  "arguments": {
    "first": 10 // Optional, defaults to 10
  }
}
```

#### get_campaign_by_name

Retrieves campaign information by name.

```typescript
{
  "name": "get_campaign_by_name",
  "arguments": {
    "name": "campaign-name" // Required
  }
}
```

### System Management

#### list_connectors

Lists all system connectors.

```typescript
{
  "name": "list_connectors",
  "arguments": {}
}
```

#### list_status_templates

Lists all status templates.

```typescript
{
  "name": "list_status_templates",
  "arguments": {}
}
```

### File Operations

#### get_file_by_id

Retrieves file information by ID.

```typescript
{
  "name": "get_file_by_id",
  "arguments": {
    "id": "file-uuid" // Required
  }
}
```

#### list_files

Lists all files in the system.

```typescript
{
  "name": "list_files",
  "arguments": {}
}
```

### Reference Data

#### list_marking_definitions

Lists all marking definitions.

```typescript
{
  "name": "list_marking_definitions",
  "arguments": {}
}
```

#### list_labels

Lists all available labels.

```typescript
{
  "name": "list_labels",
  "arguments": {}
}
```

## Contributing

Contributions are welcome! Please feel free to submit pull requests.

## License

MIT License