OpenCTI Server

opencti-server

Integrate with OpenCTI to access cyber threat intelligence data.

Overview

OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with the OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.

Features

  • Fetch and search threat intelligence data
    • Get latest reports and search by ID
    • Search for malware information
    • Query indicators of compromise
    • Search for threat actors
  • User and group management
    • List all users and groups
    • Get user details by ID
  • STIX object operations
    • List attack patterns
    • Get campaign information by name
  • System management
    • List connectors
    • View status templates
  • File operations
    • List all files
    • Get file details by ID
  • Reference data access
    • List marking definitions
    • View available labels
  • Customizable query limits
  • Full GraphQL query support

Available Tools

Reports

get_latest_reports

Retrieves the most recent threat intelligence reports.

get_report_by_id

Retrieves a specific report by its ID.

Search Operations

search_malware

Searches for malware information in the OpenCTI database.

search_indicators

Searches for indicators of compromise.

search_threat_actors

Searches for threat actor information.

User Management

get_user_by_id

Retrieves user information by ID.

list_users

Lists all users in the system.

list_groups

Lists all groups with their members.

STIX Objects

list_attack_patterns

Lists all attack patterns in the system.

get_campaign_by_name

Retrieves campaign information by name.

System Management

list_connectors

Lists all system connectors.

list_status_templates

Lists all status templates.

File Operations

get_file_by_id

Retrieves file information by ID.

list_files

Lists all files in the system.

Reference Data

list_marking_definitions

Lists all marking definitions.

list_labels

Lists all available labels.

Installation

Server Statistics

License: MIT
Local: No
Published: 1/1/2025