OpenCTI

Interact with the OpenCTI platform to retrieve threat intelligence data, including reports, indicators, malware and threat actors.

OpenCTI MCP Server

Overview

OpenCTI MCP Server is a Model Context Protocol (MCP) server that integrates with the OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.

Features

  • Fetch and search threat intelligence data
    • Get latest reports and search by ID
    • Search for malware information
    • Query indicators of compromise
    • Search for threat actors
  • User and group management
    • List all users and groups
    • Get user details by ID
  • STIX object operations
    • List attack patterns
    • Get campaign information by name
  • System management
    • List connectors
    • View status templates
  • File operations
    • List all files
    • Get file details by ID
  • Reference data access
    • List marking definitions
    • View available labels
  • Customizable query limits
  • Full GraphQL query support

Prerequisites

  • Node.js 16 or higher
  • Access to an OpenCTI instance
  • OpenCTI API token

Installation

Installing via Smithery

To install OpenCTI Server for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install opencti-server --client claude

Manual Installation

# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git

# Install dependencies
cd opencti-mcp-server
npm install

# Build the project
npm run build

Configuration

Environment Variables

Copy .env.example to .env and update with your OpenCTI credentials:
cp .env.example .env

Required environment variables:
  • OPENCTI_URL: Your OpenCTI instance URL
  • OPENCTI_TOKEN: Your OpenCTI API token

MCP Settings

Create a configuration file in your MCP settings location. The OPENCTI_URL and OPENCTI_TOKEN values will be loaded from .env:
{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}

Security Notes

  • Never commit .env file or API tokens to version control
  • Keep your OpenCTI credentials secure
  • The .gitignore file is configured to exclude sensitive files
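
The rules above can be checked mechanically before a commit. The following is an added example, not code from this project: it flags files that carry a literal OPENCTI_TOKEN value and checks that .gitignore covers .env. The file names, file contents and placeholder words are constructed assumptions.

```javascript
// Added example, not part of the project. Sample files below are constructed.
// Matches OPENCTI_TOKEN=value (.env, shell) and "OPENCTI_TOKEN": "value" (JSON).
const TOKEN_ASSIGNMENT = /["']?OPENCTI_TOKEN["']?\s*[:=](?!=)\s*["']?([^"'\s#]*)/g;

// Harmless values: empty, a ${VAR} reference, or an obvious placeholder
// (the placeholder words are an assumption of this example).
function isPlaceholder(value) {
  return value === "" ||
    /^\$\{[A-Z0-9_]+\}$/.test(value) ||
    /^(your|changeme|example|xxx|<)/i.test(value);
}

// files: { path: text }. Returns the paths that hold a literal token value.
function findHardcodedTokens(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    for (const match of text.matchAll(TOKEN_ASSIGNMENT)) {
      if (!isPlaceholder(match[1])) { hits.push(path); break; }
    }
  }
  return hits;
}

// True when .gitignore contains a rule that covers a top-level .env file.
function envIsIgnored(gitignoreText) {
  const rules = gitignoreText.split(/\r?\n/).map((line) => line.trim());
  return rules.some((rule) => [".env", "/.env", ".env*"].includes(rule));
}

// Constructed sample input: a template, an MCP settings file, a stray script.
const sampleFiles = {
  ".env.example": "OPENCTI_URL=https://opencti.example.org\nOPENCTI_TOKEN=your-api-token\n",
  "mcp-settings.json": '{"env": {"OPENCTI_TOKEN": "${OPENCTI_TOKEN}"}}',
  "notes/debug.sh": "export OPENCTI_TOKEN=00000000-aaaa-4bbb-8ccc-constructed01\n",
};

console.log(findHardcodedTokens(sampleFiles));
console.log(envIsIgnored("node_modules/\nbuild/\n.env\n"));
```

Only the script with a literal value is reported; the template and the ${OPENCTI_TOKEN} reference in the settings file pass.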

Available Tools

Reports

get_latest_reports

Retrieves the most recent threat intelligence reports.
{
  "name": "get_latest_reports",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

get_report_by_id

Retrieves a specific report by its ID.
{
  "name": "get_report_by_id",
  "arguments": {
    "id": "report-uuid"  // Required
  }
}

Search Operations

search_malware

Searches for malware information in the OpenCTI database.
{
  "name": "search_malware",
  "arguments": {
    "query": "ransomware",
    "first": 10  // Optional, defaults to 10
  }
}

search_indicators

Searches for indicators of compromise.
{
  "name": "search_indicators",
  "arguments": {
    "query": "domain",
    "first": 10  // Optional, defaults to 10
  }
}

search_threat_actors

Searches for threat actor information.
{
  "name": "search_threat_actors",
  "arguments": {
    "query": "APT",
    "first": 10  // Optional, defaults to 10
  }
}

User Management

get_user_by_id

Retrieves user information by ID.
{
  "name": "get_user_by_id",
  "arguments": {
    "id": "user-uuid"  // Required
  }
}

list_users

Lists all users in the system.
{
  "name": "list_users",
  "arguments": {}
}

list_groups

Lists all groups with their members.
{
  "name": "list_groups",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

STIX Objects

list_attack_patterns

Lists all attack patterns in the system.
{
  "name": "list_attack_patterns",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

get_campaign_by_name

Retrieves campaign information by name.
{
  "name": "get_campaign_by_name",
  "arguments": {
    "name": "campaign-name"  // Required
  }
}

System Management

list_connectors

Lists all system connectors.
{
  "name": "list_connectors",
  "arguments": {}
}

list_status_templates

Lists all status templates.
{
  "name": "list_status_templates",
  "arguments": {}
}

File Operations

get_file_by_id

Retrieves file information by ID.
{
  "name": "get_file_by_id",
  "arguments": {
    "id": "file-uuid"  // Required
  }
}

list_files

Lists all files in the system.
{
  "name": "list_files",
  "arguments": {}
}

Reference Data

list_marking_definitions

Lists all marking definitions.
{
  "name": "list_marking_definitions",
  "arguments": {}
}

list_labels

Lists all available labels.
{
  "name": "list_labels",
  "arguments": {}
}
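
Tool arguments are often produced by a language model, so a client or wrapper can validate them before they reach the OpenCTI API. The following is an added example, not the server's own code: tool and argument names come from the list above, while validateToolCall, MAX_FIRST, MAX_TEXT and treating "query" as required are assumptions of this example.

```javascript
// Added example, not the server's own code. Tool and argument names come from
// the tool list above; the limits and the required "query" are assumptions.
const DEFAULT_FIRST = 10;  // default stated in the tool list
const MAX_FIRST = 100;     // assumed ceiling for "first"
const MAX_TEXT = 256;      // assumed length cap for id, name and query

const LIMIT = { first: "limit" };
const ID = { id: "text" };
const SEARCH = { query: "text", first: "limit" };
const TOOL_ARGS = {
  get_latest_reports: LIMIT, get_report_by_id: ID,
  search_malware: SEARCH, search_indicators: SEARCH, search_threat_actors: SEARCH,
  get_user_by_id: ID, list_users: {}, list_groups: LIMIT,
  list_attack_patterns: LIMIT, get_campaign_by_name: { name: "text" },
  list_connectors: {}, list_status_templates: {},
  get_file_by_id: ID, list_files: {},
  list_marking_definitions: {}, list_labels: {},
};

// Own-property lookup, so names like "constructor" do not resolve to a spec.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a cleaned copy of the arguments, or throws on anything unexpected.
function validateToolCall(call) {
  if (!has(TOOL_ARGS, call.name)) throw new Error(`unknown tool: ${call.name}`);
  const spec = TOOL_ARGS[call.name];
  const args = call.arguments ?? {};
  for (const key of Object.keys(args)) {
    if (!has(spec, key)) throw new Error(`unexpected argument: ${key}`);
  }
  const clean = {};
  for (const [key, kind] of Object.entries(spec)) {
    const value = args[key];
    if (kind === "limit") {
      if (value === undefined) { clean[key] = DEFAULT_FIRST; continue; }
      if (!Number.isInteger(value) || value < 1) throw new Error(`${key}: positive integer required`);
      clean[key] = Math.min(value, MAX_FIRST);
    } else {
      if (typeof value !== "string" || value.length === 0 || value.length > MAX_TEXT) {
        throw new Error(`${key}: non-empty string of at most ${MAX_TEXT} characters required`);
      }
      clean[key] = value;
    }
  }
  return clean;
}
```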

Contributing

Contributions are welcome! Please feel free to submit pull requests.

License

MIT License
