OpenCTI

MCP server enabling querying and retrieval of OpenCTI threat intelligence data via MCP.

31 stars, 15 forks, 0 releases

Overview

OpenCTI MCP Server is an MCP server designed to integrate with the OpenCTI platform, exposing a standardized Model Context Protocol interface for querying and retrieving threat intelligence data. The server consolidates access to OpenCTI data such as reports, malware, indicators of compromise, threat actors, and related STIX objects into a single MCP endpoint. It supports a broad set of operations including fetching the latest reports, searching malware, indicators, and threat actors, as well as user and group management. The STIX object operations include listing attack patterns and retrieving campaigns by name, while system management covers listing connectors and viewing status templates. File operations enable listing all files and getting file details by ID, and reference data access provides marking definitions and available labels. The server offers customizable query limits and full GraphQL query support to enable flexible, precise data retrieval. Prerequisites include Node.js 16 or higher, access to an OpenCTI instance, and a valid API token. Installation can be performed via Smithery or manual setup, with environment variables wired to OpenCTI credentials and a sample MCP configuration.

Details

Owner: Spathodea-Network
Language: TypeScript
License: MIT License
Updated: 2025-12-07

Features

Fetch and search threat intelligence data

Supports retrieving latest reports, searching by ID, malware information, indicators of compromise, and threat actors.

User and group management

Manage users and groups: list all users/groups and get user details by ID.

STIX object operations

Operate on STIX objects such as listing attack patterns and retrieving campaigns by name.

System management

Manage system components: list connectors and view status templates.

File operations

Handle files: list all files and get file details by ID.

Reference data access

Access reference data: list marking definitions and view available labels.

Customizable query limits

Configure limits to tailor how many results are returned per request.

Full GraphQL query support

Supports full GraphQL queries for flexible data retrieval.

Tags

OpenCTI, MCP, threat-intelligence, reports, malware, indicators, threat-actors, STIX, attack-patterns, campaigns, connectors, files, marking-definitions, labels, graphQL, users, groups