Threat Intelligence Aggregation MCP Endpoint

This implementation serves as a Model Context Protocol (MCP) service designed to execute enrichment procedures based on an input observable entity. The orchestration of external lookups is dynamically determined by the confluence of configured third-party security modules and the received observable data.

This utility offers a straightforward MCP server framework for augmenting data using established industry platforms (e.g., VirusTotal, Shodan, Hybrid Analysis) by leveraging the underlying capabilities of the security-cli Python library for communication and intelligence gathering.

MCP Server Interface

This iteration of the threat-intelligence-aggregator-mcp MCP server exposes the following fundamental tool:

• resolve-entity - A generalized entry point that analyzes the incoming entity and forwards it to the most appropriate downstream lookup mechanism.

Supported Intelligence Sources

The following external services and the types of entities they process are currently integrated:

Suggestions for augmenting the list of supported sources are welcomed via issues or pull requests!

Source Name	API Credential Needed	IP Support	Domain Support	URL Support	Email Support
VirusTotal	Mandatory	Yes	Yes	Yes	No
HybridAnalysis	Mandatory	Yes	Yes	Yes	No
AlienVault	Mandatory	Yes	Yes	Yes	No
Shodan	Mandatory	Yes	Yes	Yes	No
Urlscan.io	Mandatory	Yes	Yes	Yes	No
AbuseIPDB	Mandatory	Yes	No	No	No
HaveIBeenPwned	Mandatory	No	No	No	Yes

Prerequisites

This MCP deployment relies on the security-cli package and a specific configuration manifest, config.yaml.example (provided), to map supported observable types to external enrichment vendors.

The recommended method for local execution on Unix-like systems is:

bash uv run --env-file .env server.py

This necessitates using the provided template .env.example to construct a necessary .env file containing secret access tokens.

Consult the documentation for security-cli for comprehensive details on configuring various platform integrations. The default configuration settings generally suffice for initial deployment.

Environment Variable Configuration

Security best practices dictate utilizing environment variables for managing sensitive credentials; refrain from hardcoding secrets.

For automatic detection by the security-cli package, environmental variables must adhere to a specific naming convention. The following variables correspond to the integrated services:

• ENRICHMENT_MCP_VIRUSTOTAL_KEY
• ENRICHMENT_MCP_HYBRIDANALYSIS_KEY
• ENRICHMENT_MCP_ALIENVAULT_KEY
• ENRICHMENT_MCP_SHODAN_KEY
• ENRICHMENT_MCP_URLSCAN_KEY
• ENRICHMENT_MCP_ABUSEIPDB_KEY
• ENRICHMENT_MCP_HIBP_KEY

Enrichment Workflow Definition

Each intelligence vendor is parameterized within the primary securiy-cli configuration file. Furthermore, the distinct categories of possible operations have been segmented. Currently, the system features a singular operative type named enrich, though future iterations may introduce operations like scans or queries.

Beneath these primary operational categories, the supported entity types are listed alongside the vendors capable of processing them. The presently functional entity types are:

• ipaddress - IPv4 representations
• domain - Hostnames or network locations
• url - Fully qualified web addresses, including scheme
• email - Standard electronic mail formats

Additionally, the following entity types are acknowledged but currently lack operational implementation:

• md5 - File checksum (MD5)
• sha1 - File checksum (SHA1)
• sha256 - File checksum (SHA256)

Every integrated vendor requires a name and a corresponding template definition. The apikey attribute is optional, as environment variables are the preferred authentication method.

Output Formatting Templates

Specific response templates exist for each vendor and entity type combination. These Jinja2 templates are stored within the security-cli templates subdirectory. Modification of these files is permitted, provided the specified file naming convention is strictly maintained.

The required file nomenclature follows this structure:

bash {service.name}.{enrichment.type}.jinja2

Failure to structure the output data correctly within the template will result in processing errors.

Presented below is an illustrative output payload for an enrichment request targeting the IP address 91.195.240.94, which includes examples of successful data retrieval and error reporting:

python { "virustotal": "error occurred looking up ip 91.195.240.94 in virustotal", "alienvault": "Service: alienvault\nIPAddress: \nReputation Score: 0\nTotal Votes: ", "shodan": "Service: shodan\nIPAddress: 91.195.240.94\nLast Analysis Results: 2025-04-25T21:02:52.644602\n\nTags\n\n\nAdditional information includes:\n\n Latitude: 48.13743\n Longitude: 11.57549\n ASN: AS47846\n Domains: [\"servervps.net\"]", "hybridanalysis": "error occurred looking up ip 91.195.240.94 in hybridanalysis", "urlscan": "Service: urlscan\nResult: https://urlscan.io/api/v1/result/01966efe-c8fa-74a4-bfc0-1ed479838e85/\n\nStats\n\n uniqIPs - 6\n\n uniqCountries - 2\n\n dataLength - 432561\n\n encodedDataLength - 218606\n\n requests - 14\n\n\nPage\n country - DE\n server - Parking/1.0\n ip - 91.195.240.94\n mimeType - text/html\n title - wearab.org\xa0-\xa0Informationen zum Thema wearab.\n url - https://login.wearab.org/\n tlsValidDays - 364\n tlsAgeDays - 0\n tlsValidFrom - 2025-04-25T00:00:00.000Z\n domain - login.wearab.org\n apexDomain - wearab.org\n asnname - SEDO-AS SEDO GmbH, DE\n asn - AS47846\n tlsIssuer - Encryption Everywhere DV TLS CA - G2\n status - 200\n", "abuseipdb": "Service: abuseripdb\nIPAddress: 91.195.240.94\nLast Analysis Result: 2025-03-30T14:04:45+00:00\nScore: 7\nUsage: Data Center/Web Hosting/Transit\nIs Tor: False\nIs Whitelisted: False\nISP: Sedo Domain Parking" }

MCP Server Deployment Instructions

Refer to the official documentation for utilizing a pre-compiled server instance: https://modelcontextprotocol.io/quickstart/user

1. Secure the Claude Desktop application.

2. Install the uv dependency manager: bash curl -LsSf https://astral.sh/uv/install.sh | sh

3. Obtain this repository and integrate its location into the Claude Desktop configuration:

   • Access Claude for Desktop Settings > Developer > Edit Configuration

The provided .desktop_config.example.json file can be used as a template.

Alternatively, manual configuration involves editing the respective paths for Claude Desktop:

bash macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

Replace the entire file content with the following structure, ensuring absolute paths are substituted correctly:

{ "mcpServers": { "enrichment-mcp": { "command": "/ABSOLUTE/PATH/TO/PARENT/FOLDER/uv", "args": [ "--directory", "/ABSOLUTE/PATH/TO/CLONED/REPOSITORY/enrichment-mcp", "run", "server.py" ] } } }

1. Restart Claude Desktop.

Upon successful launch, two indicator icons will appear in the chat interface: a wrench icon indicating tool availability, and a connection icon showing the defined prompt structure and required inputs.

Contributions & Development

We welcome contributions from the community! Feel free to submit proposed changes via pull requests.

WIKIPEDIA: XMLHttpRequest (XHR) represents an API encapsulated within a JavaScript object, granting methods to dispatch HTTP requests from a web browser environment to a designated server. These methods facilitate communication between a browser-based application and the server after the initial page load, allowing for asynchronous data retrieval. XMLHttpRequest is a foundational element of Ajax programming paradigms. Preceding Ajax, the primary means of server interaction involved standard hyperlink navigation and form submissions, actions that typically necessitated a full page refresh.