Labsco
Spathodea-Network logo

OpenCTI MCP Server

β˜… 39

from Spathodea-Network

Integrates with the OpenCTI platform to query and retrieve threat intelligence data.

πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedFreeAdvanced setup

OpenCTI MCP Server

smithery badge Traditional Chinese (繁體中文)

<a href="https://glama.ai/mcp/servers/ml61kiz1gm"><img width="380" height="200" src="https://glama.ai/mcp/servers/ml61kiz1gm/badge" alt="OpenCTI Server MCP server" /></a>

Overview

OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.

Features

  • Fetch and search threat intelligence data
    • Get latest reports and search by ID
    • Search for malware information
    • Query indicators of compromise
    • Search for threat actors
  • User and group management
    • List all users and groups
    • Get user details by ID
  • STIX object operations
    • List attack patterns
    • Get campaign information by name
  • System management
    • List connectors
    • View status templates
  • File operations
    • List all files
    • Get file details by ID
  • Reference data access
    • List marking definitions
    • View available labels
  • Customizable query limits
  • Full GraphQL query support

Available Tools

Available Tools

Reports

get_latest_reports

Retrieves the most recent threat intelligence reports.

{
  "name": "get_latest_reports",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

get_report_by_id

Retrieves a specific report by its ID.

{
  "name": "get_report_by_id",
  "arguments": {
    "id": "report-uuid"  // Required
  }
}

Search Operations

search_malware

Searches for malware information in the OpenCTI database.

{
  "name": "search_malware",
  "arguments": {
    "query": "ransomware",
    "first": 10  // Optional, defaults to 10
  }
}

search_indicators

Searches for indicators of compromise.

{
  "name": "search_indicators",
  "arguments": {
    "query": "domain",
    "first": 10  // Optional, defaults to 10
  }
}

search_threat_actors

Searches for threat actor information.

{
  "name": "search_threat_actors",
  "arguments": {
    "query": "APT",
    "first": 10  // Optional, defaults to 10
  }
}

User Management

get_user_by_id

Retrieves user information by ID.

{
  "name": "get_user_by_id",
  "arguments": {
    "id": "user-uuid"  // Required
  }
}

list_users

Lists all users in the system.

{
  "name": "list_users",
  "arguments": {}
}

list_groups

Lists all groups with their members.

{
  "name": "list_groups",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

STIX Objects

list_attack_patterns

Lists all attack patterns in the system.

{
  "name": "list_attack_patterns",
  "arguments": {
    "first": 10  // Optional, defaults to 10
  }
}

get_campaign_by_name

Retrieves campaign information by name.

{
  "name": "get_campaign_by_name",
  "arguments": {
    "name": "campaign-name"  // Required
  }
}

System Management

list_connectors

Lists all system connectors.

{
  "name": "list_connectors",
  "arguments": {}
}

list_status_templates

Lists all status templates.

{
  "name": "list_status_templates",
  "arguments": {}
}

File Operations

get_file_by_id

Retrieves file information by ID.

{
  "name": "get_file_by_id",
  "arguments": {
    "id": "file-uuid"  // Required
  }
}

list_files

Lists all files in the system.

{
  "name": "list_files",
  "arguments": {}
}

Reference Data

list_marking_definitions

Lists all marking definitions.

{
  "name": "list_marking_definitions",
  "arguments": {}
}

list_labels

Lists all available labels.

{
  "name": "list_labels",
  "arguments": {}
}