mcplist
OM

OpenCTI MCP Server for querying threat intelligence data.

Created 3 months ago

OpenCTI MCP Server for querying threat intelligence data.

Visit Homepage
development documentation public

What is OpenCTI MCP Server for querying threat intelligence data.?

OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface, supporting various operations such as fetching reports, searching malware, and managing users.

Documentation

OpenCTI MCP Server

smithery badge Traditional Chinese (繁體中文)

Overview

OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.

Features

  • Fetch and search threat intelligence data
  • Get latest reports and search by ID
  • Search for malware information
  • Query indicators of compromise
  • Search for threat actors
  • User and group management
  • List all users and groups
  • Get user details by ID
  • STIX object operations
  • List attack patterns
  • Get campaign information by name
  • System management
  • List connectors
  • View status templates
  • File operations
  • List all files
  • Get file details by ID
  • Reference data access
  • List marking definitions
  • View available labels
  • Customizable query limits
  • Full GraphQL query support

Prerequisites

  • Node.js 16 or higher
  • Access to an OpenCTI instance
  • OpenCTI API token

Installation# Installing via Smithery

To install OpenCTI Server for Claude Desktop automatically via Smithery:

npx -y @smithery/cli install opencti-server --client claude

Manual Installation

git clone https://github.com/yourusername/opencti-mcp-server.git

# Install dependencies
cd opencti-mcp-server
npm install

# Build the project
npm run build

Configuration# Environment Variables

Copy .env.example to .env and update with your OpenCTI credentials:

cp .env.example .env

Required environment variables:

  • OPENCTI_URL: Your OpenCTI instance URL
  • OPENCTI_TOKEN: Your OpenCTI API token

MCP Settings

Create a configuration file in your MCP settings location:

{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",  // Will be loaded from .env
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"  // Will be loaded from .env
      }
    }
  }
}

Security Notes

  • Never commit .env file or API tokens to version control
  • Keep your OpenCTI credentials secure
  • The .gitignore file is configured to exclude sensitive files

Available Tools Available Tools

Reports## get_latest_reports

Retrieves the most recent threat intelligence reports.

{
  "name": "get_latest_reports",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

get_report_by_id

Retrieves a specific report by its ID.

{
  "name": "get_report_by_id",
  "arguments": {
    "id": "report-uuid"  // Required
  }
}

Search Operations## search_malware

Searches for malware information in the OpenCTI database.

{
  "name": "search_malware",
  "arguments": {
    "query": "ransomware",
    "first": 10  // Optional, defaults to 10
  }
}

search_indicators

Searches for indicators of compromise.

{
  "name": "search_indicators",
  "arguments": {
    "query": "domain",
    "first": 10  // Optional, defaults to 10
  }
}

search_threat_actors

Searches for threat actor information.

{
  "name": "search_threat_actors",
  "arguments": {
    "query": "APT",
    "first": 10  // Optional, defaults to 10
  }
}

User Management## get_user_by_id

Retrieves user information by ID.

{
  "name": "get_user_by_id",
  "arguments": {
    "id": "user-uuid"  // Required
  }
}

list_users

Lists all users in the system.

{
  "name": "list_users",
  "arguments": {}
}

list_groups

Lists all groups with their members.

{
  "name": "list_groups",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

STIX Objects## list_attack_patterns

Lists all attack patterns in the system.

{
  "name": "list_attack_patterns",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

get_campaign_by_name

Retrieves campaign information by name.

{
  "name": "get_campaign_by_name",
  "arguments": {
    "name": "campaign-name"  // Required
  }
}

System Management## list_connectors

Lists all system connectors.

{
  "name": "list_connectors",
  "arguments": {}
}

list_status_templates

Lists all status templates.

{
  "name": "list_status_templates",
  "arguments": {}
}

File Operations## get_file_by_id

Retrieves file information by ID.

{
  "name": "get_file_by_id",
  "arguments": {
    "id": "file-uuid"  // Required
  }
}

list_files

Lists all files in the system.

{
  "name": "list_files",
  "arguments": {}
}

Reference Data## list_marking_definitions

Lists all marking definitions.

{
  "name": "list_marking_definitions",
  "arguments": {}
}

list_labels

Lists all available labels.

{
  "name": "list_labels",
  "arguments": {}
}

Contributing

Contributions are welcome! Please feel free to submit pull requests.

License

MIT License

Server Config 

{
  "mcpServers": {
    "opencti-mcp-server-for-querying-threat-intelligence-data.-server": {
      "command": "npx",
      "args": [
        "opencti-mcp-server-for-querying-threat-intelligence-data."
      ]
    }
  }
}

Links & Status

Repository: github.com
Hosted: No
Global: No
Official: Yes

Project Info

Hosted Featured
Created At: Aug 08, 2025
Updated At: Aug 08, 2025
Author: Spathodea Network
Category: Cyber Threat Intelligence
License: MIT License
Tags:
development documentation public