
Cortex MCP Server

MCP Server for Cortex

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "gbrigandi-mcp-server-cortex": {
      "command": "/opt/mcp-servers/mcp-server-cortex",
      "args": [],
      "env": {
        "CORTEX_API_KEY": "your_cortex_api_key_here",
        "CORTEX_ENDPOINT": "http://your-cortex-instance:9000/api"
      }
    }
  }
}

This server exposes Cortex's observable analysis capabilities as MCP-compatible tools so large language models and other MCP clients can request threat intelligence analyses from a centralized Cortex instance. This bridge lets you enrich observables through a secure, scalable MCP service while keeping Cortex configurations centralized and controllable.

How to use

You interact with the MCP Cortex server by configuring an MCP client to launch or connect to the server, and by using the four available analysis tools to enrich observables. Each tool routes your request to Cortex through the MCP layer, which returns a structured job report when the analysis completes.

Key usage patterns you can follow:

- Enrich an IP by running an abuse IP reputation check

- Analyze a domain, URL, or email with AbuseFinder to gather intelligence and context

- Scan a URL with VirusTotal for malware signals

- Analyze a URL with a Urlscan.io-based method for additional URL reputation data

How to install

Prerequisites you need before installation:

- A Rust toolchain installed on your system.

- A running Cortex instance accessible from the MCP server host, with an API key that can list analyzers and run jobs.

- Specific Cortex analyzers enabled and configured in Cortex (for example AbuseIPDB_1_0, Abuse_Finder_3_0, VirusTotal_Scan_3_1, Urlscan_io_Scan_0_1_0). Each analyzer should have its necessary API keys configured in Cortex.

Step-by-step installation using a pre-built binary, which is recommended for most setups:

1) Download the latest pre-compiled binary for your OS from the releases page. For Linux, macOS, or Windows, choose the appropriate binary such as mcp-server-cortex-linux-amd64, mcp-server-cortex-macos-amd64, or mcp-server-cortex-windows-amd64.exe.

2) Move the binary to a suitable location on your system. For example, on Linux/macOS you might place it in /usr/local/bin. On Windows, you could place it under a dedicated folder like C:\Program Files\MCP Servers\.

3) Make the binary executable on Unix-like systems.

chmod +x /path/to/your/mcp-server-cortex
# Ensure the directory is in your PATH for easy execution
export PATH="$PATH:/path/to/your"
# Or add the binary directory to PATH in your shell profile

Additional configuration and startup notes

The server is configured via environment variables. You provide the Cortex API endpoint and the API key to authorize requests. You can also enable verbose logging to help diagnose issues.

Example environment setup for running the server with Cortex access.

# Export the variables so the server process inherits them
export CORTEX_ENDPOINT=http://your-cortex-instance:9000/api
export CORTEX_API_KEY=your_cortex_api_key_here
export RUST_LOG=info

./mcp-server-cortex

Starting via Claude Desktop style configuration

If you are configuring an MCP client like Claude Desktop, point the client at the local server executable and pass the necessary environment variables so the server can reach Cortex.

{
  "mcpServers": {
    "cortex": {
      "command": "/opt/mcp-servers/mcp-server-cortex",
      "args": [],
      "env": {
        "CORTEX_ENDPOINT": "http://your-cortex-instance:9000/api",
        "CORTEX_API_KEY": "your_cortex_api_key_here"
      }
    }
  }
}
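
A pre-flight check for the client configuration above, as an added example that is not part of the original page or the project's code. It flags a Cortex endpoint that is not HTTPS (the API key is sent to that endpoint), a missing or placeholder API key, and any analyzer from the prerequisites list that is not enabled. The function name, the finding labels and the analyzer list shape (a JSON array of objects with a "name" field, exported from Cortex) are assumptions.

```python
import json
from urllib.parse import urlparse

# Analyzer names taken from the prerequisites on this page.
REQUIRED_ANALYZERS = ("AbuseIPDB_1_0", "Abuse_Finder_3_0",
                      "VirusTotal_Scan_3_1", "Urlscan_io_Scan_0_1_0")
PLACEHOLDER_KEY = "your_cortex_api_key_here"

def audit_mcp_config(config_text, analyzers):
    """Return sorted (server, finding) pairs for entries that carry Cortex settings.

    analyzers: list of dicts with a "name" key (assumed shape of the analyzer
    list exported from Cortex).
    """
    enabled = {a.get("name") for a in analyzers}
    findings = set()
    for server, entry in json.loads(config_text).get("mcpServers", {}).items():
        env = entry.get("env", {})
        if not any(k.startswith("CORTEX_") for k in env):
            continue  # not a Cortex bridge entry
        url = urlparse(env.get("CORTEX_ENDPOINT", ""))
        if url.scheme != "https" or not url.hostname:
            # The API key accompanies every request to this endpoint.
            findings.add((server, "endpoint-not-https"))
        key = env.get("CORTEX_API_KEY", "").strip()
        if not key or key == PLACEHOLDER_KEY:
            findings.add((server, "api-key-missing-or-placeholder"))
        for name in REQUIRED_ANALYZERS:
            if name not in enabled:
                findings.add((server, "analyzer-not-enabled:" + name))
    return sorted(findings)

# Constructed sample input: the page's client configuration with its template values.
SAMPLE_CONFIG = """
{"mcpServers": {"cortex": {
  "command": "/opt/mcp-servers/mcp-server-cortex", "args": [],
  "env": {"CORTEX_ENDPOINT": "http://your-cortex-instance:9000/api",
          "CORTEX_API_KEY": "your_cortex_api_key_here"}}}}
"""
# Constructed analyzer list: two of the four required analyzers enabled.
SAMPLE_ANALYZERS = [{"name": "AbuseIPDB_1_0"}, {"name": "VirusTotal_Scan_3_1"}]

if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE_CONFIG, SAMPLE_ANALYZERS):
        print(f"{server}: {finding}")
```

Run it against the real client configuration file and the analyzer list from your own Cortex instance before starting the server; an empty result means none of the three conditions were found.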

Available tools

analyze_ip_with_abuseipdb

Analyzes an IP address using a Cortex-based AbuseIPDB-like analyzer and returns the job report when complete.

analyze_with_abusefinder

Analyzes data such as IPs, domains, URLs, or emails using a Cortex AbuseFinder analyzer and returns the job report.

scan_url_with_virustotal

Analyzes a URL using a VirusTotal-based analyzer via Cortex and returns the resulting job report.

analyze_url_with_urlscan_io

Analyzes a URL using a Urlscan.io analyzer via Cortex and returns the resulting job report.