
OpenCTI MCP Server

Security | TypeScript
Access and query threat intelligence data from OpenCTI platform
Available Tools

get_latest_reports
  Retrieves the most recent threat intelligence reports
  Parameters: first

get_report_by_id
  Retrieves a specific report by its ID
  Parameters: id

search_malware
  Searches for malware information in the OpenCTI database
  Parameters: query, first

search_indicators
  Searches for indicators of compromise
  Parameters: query, first

search_threat_actors
  Searches for threat actor information
  Parameters: query, first

get_user_by_id
  Retrieves user information by ID
  Parameters: id

list_users
  Lists all users in the system
  Parameters: none

list_groups
  Lists all groups with their members
  Parameters: first

list_attack_patterns
  Lists all attack patterns in the system
  Parameters: first

get_campaign_by_name
  Retrieves campaign information by name
  Parameters: name

list_connectors
  Lists all system connectors
  Parameters: none

list_status_templates
  Lists all status templates
  Parameters: none

get_file_by_id
  Retrieves file information by ID
  Parameters: id

list_files
  Lists all files in the system
  Parameters: none

list_marking_definitions
  Lists all marking definitions
  Parameters: none

list_labels
  Lists all available labels
  Parameters: none

OpenCTI MCP Server connects the Open Cyber Threat Intelligence (OpenCTI) platform to MCP-capable AI assistants. It lets security analysts, threat intelligence teams and other security professionals query threat intelligence data through a standardized tool interface: searching for malware, indicators of compromise and threat actors, and retrieving reports. The same interface also exposes read-only lookups of users and groups, STIX objects such as attack patterns and campaigns, and platform metadata (connectors, status templates, files, marking definitions and labels), so an organization can put its threat intelligence data to use from within an AI assistant.

Overview

OpenCTI MCP Server connects to your OpenCTI instance, allowing you to query threat intelligence data directly through AI assistants. This integration enables security teams to quickly access critical threat information, search for indicators of compromise, and retrieve detailed reports on threat actors and malware.

Prerequisites

Before installing the OpenCTI MCP Server, ensure you have:

  • Node.js 16 or higher installed
  • Access to an OpenCTI instance
  • A valid OpenCTI API token

Installation

Step 1: Clone the Repository

git clone https://github.com/Spathodea-Network/opencti-mcp.git
cd opencti-mcp

Step 2: Install Dependencies

npm install

Step 3: Build the Project

npm run build

Step 4: Configure Environment Variables

Create a .env file based on the provided example:

cp .env.example .env

Edit the .env file and add your OpenCTI credentials:

OPENCTI_URL=https://your-opencti-instance.com
OPENCTI_TOKEN=your-api-token

Step 5: Configure MCP Client

Add the OpenCTI MCP Server to your MCP client configuration. The exact location depends on your client, but the configuration should look similar to:

{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-mcp/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}

Replace path/to/opencti-mcp with the actual path to your installation. Whether the ${OPENCTI_URL} and ${OPENCTI_TOKEN} references are expanded from the parent environment depends on the MCP client; if yours does not expand them, the literal values have to go into this file, which then contains the API token and needs the same protection as .env.

Usage

Once installed, you can use the OpenCTI MCP Server to query threat intelligence data. The server provides various tools for different types of queries:

  1. Reports: retrieve the latest threat intelligence reports (get_latest_reports) or a specific report by its ID (get_report_by_id).
  2. Search operations: search for malware, indicators of compromise or threat actors by a free-text query; the first parameter caps how many results come back.
  3. Users and groups: list users and groups (with their members) or get details about a specific user by ID. These are read-only lookups.
  4. STIX objects: list attack patterns or get a campaign by name.
  5. System information: list connectors and status templates.
  6. File operations: list files or get details about a specific file by ID.
  7. Reference data: list marking definitions and labels.
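What a search tool has to do with its query and first parameters, as an added TypeScript example that is not the opencti-mcp project's own code: build the GraphQL request, cap the page size, parse the connection-shaped answer and pull the observable out of a simple STIX pattern. It assumes, which this page does not document, that OpenCTI's list queries are relay-style connections (indicators(search:, first:, after:) returning edges { node } and pageInfo); the MAX_FIRST cap, the helper names and the sample response are the example's own constructions.

```typescript
// Added example, not the opencti-mcp project's own code: the request a tool
// such as search_indicators has to build from its `query` and `first`
// parameters, and the shape of the answer it has to parse. It assumes
// (not confirmed by this page) that OpenCTI's GraphQL list queries are
// relay-style connections: `indicators(search:, first:, after:)` returning
// `edges { node }` and `pageInfo { hasNextPage endCursor }`.

const MAX_FIRST = 100;    // cap on rows handed back to the model, chosen here
const DEFAULT_FIRST = 10;

interface SearchVariables { search: string; first: number; after?: string }
interface GraphQLRequest { query: string; variables: SearchVariables }

// Clamp `first`: a prompt asking for 100000 results must not be able to
// pull the whole indicator table into the model's context.
function clampFirst(first: number | undefined): number {
  if (first === undefined || !Number.isFinite(first)) return DEFAULT_FIRST;
  return Math.min(Math.max(Math.trunc(first), 1), MAX_FIRST);
}

// The search term travels as a GraphQL variable, never spliced into the
// query text, so it cannot change the query's structure.
function buildIndicatorSearch(query: string, first?: number, after?: string): GraphQLRequest {
  const search = query.trim();
  if (search.length === 0) throw new Error("query must not be empty");
  const gql = `
    query SearchIndicators($search: String, $first: Int, $after: ID) {
      indicators(search: $search, first: $first, after: $after) {
        edges { node { id name pattern pattern_type valid_from valid_until x_opencti_score } }
        pageInfo { hasNextPage endCursor }
      }
    }`;
  const variables: SearchVariables = { search, first: clampFirst(first) };
  if (after) variables.after = after;
  return { query: gql, variables };
}

interface Indicator {
  id: string; name: string; pattern: string; patternType: string;
  validUntil: string | null; score: number | null;
}
interface IndicatorPage { items: Indicator[]; nextCursor: string | null }

// Narrow the untyped JSON body; GraphQL errors arrive with HTTP 200, so they
// are checked before the data is trusted.
function parseIndicatorConnection(body: unknown): IndicatorPage {
  const b = body as {
    errors?: { message: string }[];
    data?: { indicators?: { edges: { node: Record<string, unknown> }[];
                            pageInfo: { hasNextPage: boolean; endCursor: string | null } } };
  };
  if (b.errors && b.errors.length > 0) {
    throw new Error("OpenCTI returned errors: " + b.errors.map(e => e.message).join("; "));
  }
  const conn = b.data?.indicators;
  if (!conn) throw new Error("response has no data.indicators");
  const items: Indicator[] = conn.edges.map(({ node }) => {
    const validUntil = node.valid_until;
    const score = node.x_opencti_score;
    return {
      id: String(node.id), name: String(node.name), pattern: String(node.pattern),
      patternType: String(node.pattern_type),
      validUntil: typeof validUntil === "string" ? validUntil : null,
      score: typeof score === "number" ? score : null,
    };
  });
  return { items, nextCursor: conn.pageInfo.hasNextPage ? conn.pageInfo.endCursor : null };
}

// Extract the observable from a single-comparison STIX pattern so it can be
// matched against logs; compound patterns (AND/OR/FOLLOWEDBY) return null.
function simpleStixValue(pattern: string): { path: string; value: string } | null {
  const m = /^\[\s*([A-Za-z0-9_-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\s*\]$/.exec(pattern.trim());
  return m ? { path: m[1], value: m[2] } : null;
}

// Constructed sample response (not real OpenCTI data), in the assumed connection shape.
const SAMPLE_RESPONSE = {
  data: {
    indicators: {
      edges: [
        { node: { id: "ind-0001", name: "198.51.100.7", pattern: "[ipv4-addr:value = '198.51.100.7']",
                  pattern_type: "stix", valid_from: "2024-01-01T00:00:00.000Z",
                  valid_until: "2024-12-31T00:00:00.000Z", x_opencti_score: 80 } },
        { node: { id: "ind-0002", name: "bad.example landing page",
                  pattern: "[domain-name:value = 'bad.example' AND url:value = 'http://bad.example/x']",
                  pattern_type: "stix", valid_from: null, valid_until: null, x_opencti_score: null } },
      ],
      pageInfo: { hasNextPage: true, endCursor: "YXJyYXljb25uZWN0aW9uOjE=" },
    },
  },
};

function demo(): IndicatorPage {
  const req = buildIndicatorSearch("198.51.100.7", 500);   // 500 is clamped to MAX_FIRST
  console.log(JSON.stringify(req.variables));              // {"search":"198.51.100.7","first":100}
  const page = parseIndicatorConnection(SAMPLE_RESPONSE);
  for (const ind of page.items) console.log(ind.id, simpleStixValue(ind.pattern));
  return page;
}
demo();
```

The cap matters because the model, not an analyst, decides what first is; paging with after keeps the tool usable for larger result sets without handing the whole table to the assistant in one turn.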

Security Considerations

  • Never commit your .env file or API tokens to version control; add .env to .gitignore and restrict the file's permissions (for example chmod 600 .env)
  • Run the server with a dedicated OpenCTI user and API token granted only the read permissions the tools need, not an administrator's token: everything that token can read, including the user, group, connector and file listings, becomes reachable through the assistant
  • Keep your OpenCTI credentials secure, and rotate the token if the .env file or the MCP client configuration is exposed
  • Ensure your OpenCTI instance is properly secured and reached only over HTTPS, since the token accompanies every API request
  • Treat report, indicator and other text returned by the tools as untrusted data: it originates from external feeds and is handed to the model verbatim, so it must not be acted on as instructions
  • Review access permissions regularly

Troubleshooting

If you encounter issues:

  1. Verify your OpenCTI URL and token are correct, and that the token's user has permission to read the objects you are querying
  2. Check that your OpenCTI instance is accessible from the machine running the server
  3. Ensure Node.js (16 or higher) is properly installed and that npm run build completed without errors
  4. Review the server logs for error messages

For additional help, refer to the GitHub repository or open an issue.
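The first two troubleshooting steps, and the .env values from Step 4, as an added TypeScript example that is not part of the opencti-mcp project: it validates OPENCTI_URL and OPENCTI_TOKEN and then asks the instance which user the token belongs to. It assumes, which this page does not state, that OpenCTI serves GraphQL at <OPENCTI_URL>/graphql, accepts Authorization: Bearer <token>, and answers query { me { name user_email } } with the token's own user; the function names and the placeholder account names in the comments are the example's own.

```typescript
// Added example, not part of the opencti-mcp project: check the two settings
// the server needs and confirm the token actually works, before wiring them
// into an MCP client. Assumptions this page does not state: OpenCTI serves
// GraphQL at <OPENCTI_URL>/graphql, accepts "Authorization: Bearer <token>",
// and answers `query { me { name user_email } }` with the token's own user.
// The live call uses the global fetch (Node 18+); on Node 16 pass your own.

interface OpenCtiConfig { url: string; token: string }

// Only an absolute https URL is accepted: the token accompanies every request,
// so a plaintext URL would hand it to anyone on the network path.
function checkConfig(env: Record<string, string | undefined>): OpenCtiConfig {
  const url = (env.OPENCTI_URL ?? "").trim();
  const token = (env.OPENCTI_TOKEN ?? "").trim();
  if (!/^https:\/\/[^\s/]+/i.test(url)) throw new Error("OPENCTI_URL must be an absolute https:// URL");
  if (token.length === 0) throw new Error("OPENCTI_TOKEN is not set");
  if (token === "your-api-token") throw new Error("OPENCTI_TOKEN still holds the placeholder value");
  return { url: url.replace(/\/+$/, ""), token };   // drop trailing slashes
}

function graphqlEndpoint(cfg: OpenCtiConfig): string {
  return `${cfg.url}/graphql`;
}

interface WhoAmI { name: string; email: string }

// A GraphQL server may report an auth failure as a non-2xx status or as a
// 200 carrying an `errors` array; both are treated as failures here.
function parseWhoAmI(status: number, body: unknown): WhoAmI {
  if (status === 401 || status === 403) throw new Error(`authentication failed (HTTP ${status}): check OPENCTI_TOKEN`);
  if (status < 200 || status >= 300) throw new Error(`unexpected HTTP ${status}: check OPENCTI_URL and that the instance is reachable`);
  const b = body as { errors?: { message: string }[]; data?: { me?: { name?: string; user_email?: string } } };
  if (b.errors && b.errors.length > 0) throw new Error("GraphQL errors: " + b.errors.map(e => e.message).join("; "));
  const me = b.data?.me;
  if (!me || typeof me.name !== "string") throw new Error("response carries no data.me; is this an OpenCTI GraphQL endpoint?");
  return { name: me.name, email: me.user_email ?? "" };
}

type FetchLike = (url: string, init: { method: string; headers: Record<string, string>; body: string })
  => Promise<{ status: number; json(): Promise<unknown> }>;

async function whoAmI(cfg: OpenCtiConfig, fetchImpl: FetchLike = (globalThis as any).fetch): Promise<WhoAmI> {
  const res = await fetchImpl(graphqlEndpoint(cfg), {
    method: "POST",
    headers: { Authorization: `Bearer ${cfg.token}`, "Content-Type": "application/json", Accept: "application/json" },
    body: JSON.stringify({ query: "query { me { name user_email } }" }),
  });
  return parseWhoAmI(res.status, await res.json());
}

// Contact the instance only when both variables are present in the environment,
// so that loading this file never makes a network request by itself.
const runtimeEnv = ((globalThis as any).process?.env ?? {}) as Record<string, string | undefined>;
if (runtimeEnv.OPENCTI_URL && runtimeEnv.OPENCTI_TOKEN) {
  whoAmI(checkConfig(runtimeEnv))
    .then(me => console.log(`token belongs to ${me.name} <${me.email}>`))
    .catch(err => { console.error(String(err)); (globalThis as any).process.exitCode = 1; });
}
```

Run it with the two variables exported in the shell (or sourced from .env); the account it prints back is the one whose permissions bound what the MCP tools can return, which is where to confirm you are not running the server as an administrator.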

Related MCPs

Netskope NPA (Security, TypeScript): Manage Netskope Network Private Access infrastructure through natural language

DNStwist (Security, JavaScript): Detect typosquatting, phishing, and domain impersonation with DNS fuzzing

Maigret OSINT Tool (Security, JavaScript): Search for usernames across social networks and analyze URLs for OSINT research

About Model Context Protocol

Model Context Protocol (MCP) allows AI models to access external tools and services, extending their capabilities beyond their training data.
