OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.
To install OpenCTI Server for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install opencti-server --client claude
# Clone the repository git clone https://github.com/yourusername/opencti-mcp-server.git # Install dependencies cd opencti-mcp-server npm install # Build the project npm run build
Copy .env.example to .env and update with your OpenCTI credentials:
Required environment variables:
OPENCTI_URL: Your OpenCTI instance URLOPENCTI_TOKEN: Your OpenCTI API tokenCreate a configuration file in your MCP settings location:
{
"mcpServers": {
"opencti": {
"command": "node",
"args": ["path/to/opencti-server/build/index.js"],
"env": {
"OPENCTI_URL": "${OPENCTI_URL}", // Will be loaded from .env
"OPENCTI_TOKEN": "${OPENCTI_TOKEN}" // Will be loaded from .env
}
}
}
}
.env file or API tokens to version control.gitignore file is configured to exclude sensitive filesRetrieves the most recent threat intelligence reports.
{
"name": "get_latest_reports",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}
Retrieves a specific report by its ID.
{
"name": "get_report_by_id",
"arguments": {
"id": "report-uuid" // Required
}
}
Searches for malware information in the OpenCTI database.
{
"name": "search_malware",
"arguments": {
"query": "ransomware",
"first": 10 // Optional, defaults to 10
}
}
Searches for indicators of compromise.
{
"name": "search_indicators",
"arguments": {
"query": "domain",
"first": 10 // Optional, defaults to 10
}
}
Searches for threat actor information.
{
"name": "search_threat_actors",
"arguments": {
"query": "APT",
"first": 10 // Optional, defaults to 10
}
}
Retrieves user information by ID.
{
"name": "get_user_by_id",
"arguments": {
"id": "user-uuid" // Required
}
}
Lists all users in the system.
{
"name": "list_users",
"arguments": {}
}
Lists all groups with their members.
{
"name": "list_groups",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}
Lists all attack patterns in the system.
{
"name": "list_attack_patterns",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}
Retrieves campaign information by name.
{
"name": "get_campaign_by_name",
"arguments": {
"name": "campaign-name" // Required
}
}
Lists all system connectors.
{
"name": "list_connectors",
"arguments": {}
}
Lists all status templates.
{
"name": "list_status_templates",
"arguments": {}
}
Retrieves file information by ID.
{
"name": "get_file_by_id",
"arguments": {
"id": "file-uuid" // Required
}
}
Lists all files in the system.
{
"name": "list_files",
"arguments": {}
}
Lists all marking definitions.
{
"name": "list_marking_definitions",
"arguments": {}
}
Lists all available labels.
{
"name": "list_labels",
"arguments": {}
}
Contributions are welcome! Please feel free to submit pull requests.
MIT License
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4