Provides an MCP interface to query and retrieve OpenCTI threat intelligence data via Node.js with environment-based credentials.
Configuration
```json
{
  "mcpServers": {
    "spathodea-network-opencti-mcp": {
      "command": "node",
      "args": [
        "path/to/opencti-server/build/index.js"
      ],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}
```

OpenCTI MCP Server provides a standardized interface to query and retrieve threat intelligence data from an OpenCTI instance. It enables you to fetch reports, search for malware, indicators, actors, and STIX objects, manage users and groups, access reference data, and perform common system operations through a consistent MCP API.
Connect your MCP client to the OpenCTI MCP Server to query and act on threat intelligence data. You can fetch the latest reports and search for malware, indicators of compromise, and threat actors. You can also access STIX objects such as attack patterns and campaigns, list system connectors and status templates, and manage files and references. Use the provided tools to retrieve specific items by ID, or run broad searches to discover new or relevant threat intelligence. Every operation is exposed as a named MCP tool and returns structured results that you can integrate into your workflows, dashboards, or automation.
Prerequisites you need before installing the server:
- Node.js 16 or higher
- Access to an OpenCTI instance
- An OpenCTI API token
```shell
# 1) Installing via Smithery
npx -y @smithery/cli install opencti-server --client claude

# 2) Manual installation
# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git

# Install dependencies
cd opencti-mcp-server
npm install

# Build the project
npm run build
```

Running the server requires your OpenCTI instance URL and an API token. Copy the example environment file and fill in your own values; the server reads them from the environment at startup rather than from the source tree.
```shell
cp .env.example .env
```

Required environment variables:
- OPENCTI_URL: Your OpenCTI instance URL (use https unless you are testing against a local instance, since the API token is sent as a bearer header on every request)
- OPENCTI_TOKEN: Your OpenCTI API token

Create a configuration file for MCP settings. The configuration wires the OpenCTI MCP Server into your MCP runtime and loads credentials from your environment.
```json
{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}
```

Whether the ${OPENCTI_URL} and ${OPENCTI_TOKEN} placeholders are expanded from your shell environment depends on the MCP client; a client without variable substitution passes the literal string through, and the server then fails to authenticate. If you have to write the values directly into this file, protect it the same way as the .env file. Do not commit the .env file or API tokens to version control. Every tool call runs with the permissions of the OpenCTI user that owns the token, including the user, group and file listing tools, so create a dedicated OpenCTI user with a least-privilege role for the MCP server rather than reusing an administrator token. Keep your OpenCTI credentials secure, and run the MCP server with appropriate access controls and environment isolation.
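As an added example that is not part of the opencti-mcp-server project, the following Node.js script shows what a server like this one should do with the environment-based credentials before it starts, and what the HTTP request behind a "latest reports" tool looks like: a POST to OPENCTI_URL/graphql carrying the token in an Authorization: Bearer header. It refuses to start on a missing value, on an unexpanded ${VAR} placeholder (the symptom of an MCP client that does not substitute variables) and on a plaintext http URL, and it never echoes the full token in an error. The function names, the sample response and fakeFetch are constructed for this example; the query assumes OpenCTI's "reports" connection ordered by published date, and the injected fetch implementation keeps the script runnable offline.

```javascript
// Added example, not the opencti-mcp-server project's own code.
// Validates environment-based OpenCTI credentials and builds/sends the
// GraphQL request behind a "latest reports" tool. Function names, the sample
// response and fakeFetch are constructed for this example.

// Matches an unexpanded ${VAR} placeholder, which some MCP clients pass literally.
const PLACEHOLDER = /\$\{[A-Za-z0-9_]+\}/;

// Read OPENCTI_URL / OPENCTI_TOKEN from an env object and fail fast on
// missing values, unexpanded placeholders and plaintext http URLs.
function loadOpenCtiConfig(env, { allowHttp = false } = {}) {
  const rawUrl = env.OPENCTI_URL;
  const token = env.OPENCTI_TOKEN;
  if (!rawUrl || !token) {
    throw new Error("OPENCTI_URL and OPENCTI_TOKEN must be set");
  }
  if (PLACEHOLDER.test(rawUrl) || PLACEHOLDER.test(token)) {
    throw new Error("unexpanded ${VAR} placeholder in OpenCTI configuration");
  }
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error("OPENCTI_URL is not a valid URL");
  }
  const httpOk = allowHttp && url.protocol === "http:";
  if (url.protocol !== "https:" && !httpOk) {
    throw new Error("OPENCTI_URL must use https (bearer tokens travel in the clear over http)");
  }
  // Drop any trailing slash so "/graphql" can be appended cleanly.
  const baseUrl = url.origin + url.pathname.replace(/\/+$/, "");
  return { baseUrl, token };
}

// Keep only the last four characters when a token has to appear in a log line.
function redactToken(token) {
  return token.length <= 4 ? "****" : "*".repeat(token.length - 4) + token.slice(-4);
}

// Assumed query shape: OpenCTI's "reports" connection, newest first.
const LATEST_REPORTS_QUERY = `query LatestReports($first: Int!) {
  reports(first: $first, orderBy: published, orderMode: desc) {
    edges { node { id name published } }
  }
}`;

// The HTTP request OpenCTI expects: POST <base>/graphql with a Bearer token.
function buildLatestReportsRequest(cfg, first = 10) {
  return {
    url: `${cfg.baseUrl}/graphql`,
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${cfg.token}`,
    },
    body: JSON.stringify({ query: LATEST_REPORTS_QUERY, variables: { first } }),
  };
}

// Send the request and unwrap the edges/node envelope. fetchImpl is injectable
// so the logic can run without a live OpenCTI instance; errors never echo the full token.
async function fetchLatestReports(cfg, first = 10, fetchImpl = globalThis.fetch) {
  const req = buildLatestReportsRequest(cfg, first);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) {
    throw new Error(`OpenCTI returned HTTP ${res.status} for token ${redactToken(cfg.token)}`);
  }
  const payload = await res.json();
  if (payload.errors && payload.errors.length > 0) {
    throw new Error(`GraphQL error: ${payload.errors.map((e) => e.message).join("; ")}`);
  }
  return payload.data.reports.edges.map((edge) => edge.node);
}

// Constructed stand-in for a live OpenCTI instance: accepts one token, returns two reports.
const SAMPLE_TOKEN = "constructed-token-1234";
const SAMPLE_RESPONSE = {
  data: { reports: { edges: [
    { node: { id: "report--a", name: "Constructed report A", published: "2024-01-02T00:00:00.000Z" } },
    { node: { id: "report--b", name: "Constructed report B", published: "2024-01-01T00:00:00.000Z" } },
  ] } },
};
function fakeFetch(url, init) {
  const ok = url.endsWith("/graphql") && init.headers.Authorization === `Bearer ${SAMPLE_TOKEN}`;
  return Promise.resolve({ ok, status: ok ? 200 : 401, json: async () => SAMPLE_RESPONSE });
}

// Stand-alone demo against the constructed instance.
const demoConfig = loadOpenCtiConfig({ OPENCTI_URL: "https://opencti.example.test/", OPENCTI_TOKEN: SAMPLE_TOKEN });
fetchLatestReports(demoConfig, 2, fakeFetch).then((reports) => console.log(reports.map((r) => r.name)));
```

To use it against a real instance, call fetchLatestReports(loadOpenCtiConfig(process.env)) and let the default fetch run; the allowHttp option exists only for a local development instance, and the placeholder check is what turns a silent authentication failure into an immediate, readable startup error.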
The server exposes a set of functions you can call to interact with threat intelligence data. These include retrieving the latest reports, getting reports by ID, searching for malware, indicators, and threat actors, and listing or querying various STIX objects and system data.
If you need to refresh or update credentials, regenerate your OpenCTI API token and update the environment variables accordingly. Regularly review access to the MCP server and rotate keys as part of your security hygiene.
- Retrieves the most recent threat intelligence reports.
- Retrieves a specific report by its ID.
- Searches for malware information in the OpenCTI database.
- Searches for indicators of compromise.
- Searches for threat actor information.
- Retrieves user information by ID.
- Lists all users in the system.
- Lists all groups with their members.
- Lists all attack patterns in the system.
- Retrieves campaign information by name.
- Lists all system connectors.
- Lists all status templates.
- Retrieves file information by ID.
- Lists all files in the system.
- Lists all marking definitions.
- Lists all available labels.