
cyber-intel-op-service-oci

Interface with the OpenCTI platform to retrieve extensive cyber threat intelligence (CTI) materials, facilitating lookups for intelligence briefings, malware profiles, and actionable compromise indicators.

Author: Spathodea-Network

License: MIT License

Quick Info

  • GitHub Stars: 27
  • NPM Weekly Downloads: 0
  • Tools: 1
  • Last Updated: 2026-02-19


OpenCTI Operational Data Bridge (MCP Server)


Conceptual Overview

The OpenCTI Bridge MCP Server acts as a standardized Model Context Protocol (MCP) gateway to the OpenCTI (Open Cyber Threat Intelligence) ecosystem. It furnishes a unified access point for querying and extracting critical security intelligence assets.

Core Capabilities

  • Secure retrieval and indexing of CTI assets
      • Acquire the newest intelligence publications and retrieve specific items via unique identifiers
      • Catalog information pertaining to malicious software families
      • Query data sets detailing indicators of compromise (IOCs)
      • Investigate threat actor group profiles
  • Access control entity administration
      • Enumerate all system users and organizational groups
      • Fetch particulars for a user based on their assigned identifier
  • STIX object manipulation and querying
      • Generate a manifest of known attack patterns
      • Obtain details for a security campaign based on its designated name
  • Platform health and lifecycle management
      • Review the registry of system integration connectors
      • Inspect current system state reporting templates
  • Artifact management operations
      • List all associated uploaded artifacts/files
      • Retrieve specific file metadata using its ID
  • Metadata repository interaction
      • List definitions used for data marking/classification
      • Review the set of permissible categorization labels
  • User-defined constraints on result set cardinality (the "first" argument)
  • Comprehensive support for GraphQL transactional inquiries

System Requirements

  • Execution runtime environment: Node.js version 16 or newer
  • Authentication: Valid credentials to connect to an OpenCTI deployment
  • Authorization: A valid API access token for the OpenCTI instance

Deployment Procedures

Automated Setup via Smithery

To provision the OpenCTI Bridge Server directly into your Claude Desktop environment using Smithery:

npx -y @smithery/cli install opencti-server --client claude

Manual Installation Steps

# Obtain the source code repository
git clone https://github.com/yourusername/opencti-mcp-server.git

# Navigate into the directory and resolve dependencies
cd opencti-mcp-server
npm install

# Compile the project assets
npm run build

Configuration Directives

Environmental Configuration

Replicate the template file .env.example into .env and populate it with your necessary OpenCTI credentials:

cp .env.example .env

Mandatory environment parameters:

  • OPENCTI_URL: The Uniform Resource Locator pointing to your OpenCTI deployment
  • OPENCTI_TOKEN: The security token required for API authentication

MCP Service Specification

Establish a configuration entry within your MCP settings storage location:

{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",  // Injected from .env file
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"  // Injected from .env file
      }
    }
  }
}
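The two mandatory parameters above and the per-tool arguments documented below are the server's only untrusted inputs. As an added example that is not the project's own code, the following shows fail-closed loading of OPENCTI_URL/OPENCTI_TOKEN and validation of tool arguments (mandatory "id"/"query", clamped "first"); loadConfig, validateToolArgs and MAX_FIRST are assumed names, and the cap of 100 is an assumption.

```javascript
// Added example, not the project's own code: fail-closed loading of the two
// environment parameters the README requires, plus validation of tool
// arguments so a caller cannot request an unbounded result set or pass a
// malformed identifier to OpenCTI. loadConfig/validateToolArgs/MAX_FIRST are assumed names.
const DEFAULT_FIRST = 10; // README: "defaults to ten records"
const MAX_FIRST = 100;    // assumed upper bound on result set cardinality

function loadConfig(env) {
  const { OPENCTI_URL: url, OPENCTI_TOKEN: token } = env;
  if (!url || !token) throw new Error("OPENCTI_URL and OPENCTI_TOKEN must both be set");
  let parsed;
  try { parsed = new URL(url); } catch { throw new Error("OPENCTI_URL is not a valid URL"); }
  // The token is sent in a request header, so refuse plaintext HTTP except to localhost.
  if (parsed.protocol !== "https:" && parsed.hostname !== "localhost") {
    throw new Error("OPENCTI_URL must use https");
  }
  return { url: parsed.origin, token };
}

// Tool groups taken from the README's tool list.
const ID_TOOLS = new Set(["get_report_by_id", "get_user_by_id", "get_file_by_id"]);
const SEARCH_TOOLS = new Set(["search_malware", "search_indicators", "search_threat_actors"]);
const PAGED_TOOLS = new Set([...SEARCH_TOOLS, "get_latest_reports", "list_groups", "list_attack_patterns"]);

function validateToolArgs(name, args = {}) {
  const out = {};
  if (ID_TOOLS.has(name)) {
    // Opaque identifier only: letters, digits, dash, underscore, bounded length.
    if (typeof args.id !== "string" || !/^[A-Za-z0-9_-]{1,128}$/.test(args.id)) {
      throw new Error(`${name}: "id" is mandatory and must be an opaque identifier`);
    }
    out.id = args.id;
  }
  if (SEARCH_TOOLS.has(name)) {
    if (typeof args.query !== "string" || args.query.trim() === "" || args.query.length > 256) {
      throw new Error(`${name}: "query" is mandatory`);
    }
    out.query = args.query.trim();
  }
  if (PAGED_TOOLS.has(name)) {
    const first = args.first === undefined ? DEFAULT_FIRST : args.first;
    if (!Number.isInteger(first) || first < 1) throw new Error(`${name}: "first" must be a positive integer`);
    out.first = Math.min(first, MAX_FIRST); // clamp instead of trusting the caller
  }
  return out; // pass these as GraphQL variables; never splice them into query text
}
```

The validated object is meant to be handed to the GraphQL request as variables, which keeps caller-supplied strings out of the query text.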

Security Precepts

  • Ensure the .env configuration file and any API access credentials are never committed to source control repositories.
  • Maintain strict confidentiality of all OpenCTI access parameters.
  • The project's .gitignore includes exclusions for sensitive artifacts.

Accessible Instrumentation

Intelligence Publications

get_latest_reports

Fetches the set of chronologically most recent intelligence documents.

{
  "name": "get_latest_reports",
  "arguments": {
    "first": 10  // Optional parameter; defaults to ten records
  }
}

get_report_by_id

Retrieves a specific intelligence publication using its globally unique identifier.

{
  "name": "get_report_by_id",
  "arguments": {
    "id": "report-uuid"  // Mandatory identifier field
  }
}

Query Operations

search_malware

Scans the OpenCTI repository for records pertaining to malicious software artifacts.

{
  "name": "search_malware",
  "arguments": {
    "query": "ransomware",
    "first": 10  // Optional parameter; defaults to ten records
  }
}

search_indicators

Performs a search operation targeting known compromise indicators.

{
  "name": "search_indicators",
  "arguments": {
    "query": "domain",
    "first": 10  // Optional parameter; defaults to ten records
  }
}

search_threat_actors

Locates and retrieves data associated with identified threat actor entities.

{
  "name": "search_threat_actors",
  "arguments": {
    "query": "APT",
    "first": 10  // Optional parameter; defaults to ten records
  }
}

User and Access Control Administration

get_user_by_id

Obtains detailed profile data for a system user based on their unique ID.

{
  "name": "get_user_by_id",
  "arguments": {
    "id": "user-uuid"  // Mandatory identifier field
  }
}

list_users

Generates a comprehensive roster of all registered system users.

{
  "name": "list_users",
  "arguments": {}
}

list_groups

Fetches a manifest of all security groups, including associated membership lists.

{
  "name": "list_groups",
  "arguments": {
    "first": 10  // Optional parameter; defaults to ten records
  }
}

Structured Threat Information eXchange (STIX) Components

list_attack_patterns

Retrieves the entirety of recorded attack pattern definitions within the system.

{
  "name": "list_attack_patterns",
  "arguments": {
    "first": 10  // Optional parameter; defaults to ten records
  }
}

get_campaign_by_name

Retrieves specific intelligence regarding a threat campaign identified by its common designation.

{
  "name": "get_campaign_by_name",
  "arguments": {
    "name": "campaign-name"  // Mandatory designation field
  }
}

System Operational Status

list_connectors

Enumerates all currently configured software connectors integrated with the platform.

{
  "name": "list_connectors",
  "arguments": {}
}

list_status_templates

Displays the collection of available system status reporting schemata.

{
  "name": "list_status_templates",
  "arguments": {}
}

File System Artifacts

get_file_by_id

Retrieves metadata associated with a system artifact file, identified by its unique identifier.

{
  "name": "get_file_by_id",
  "arguments": {
    "id": "file-uuid"  // Mandatory identifier field
  }
}

list_files

Generates an index of all stored files within the OpenCTI repository.

{
  "name": "list_files",
  "arguments": {}
}

Classification Metadata

list_marking_definitions

Lists all defined data marking schemes utilized for classification.

{
  "name": "list_marking_definitions",
  "arguments": {}
}

list_labels

Retrieves an inventory of all assignable and utilized categorization labels.

{
  "name": "list_labels",
  "arguments": {}
}

Collaboration Guidelines

We encourage community involvement! Submissions of pull requests are warmly welcomed for enhancements and fixes.

Licensing

This project is distributed under the terms of the MIT License.

WIKIPEDIA: XMLHttpRequest (XHR) represents an API implemented as a JavaScript object designed to dispatch HTTP transactions from a web browser to a remote web server. Its methods permit browser-hosted applications to issue server requests post-initial page rendering and subsequently receive incoming data. XMLHttpRequest is foundational to the concept of Ajax programming. Before Ajax gained prominence, the primary methods for server interaction involved traditional hyperlink navigation and form submission, frequently resulting in full-page reloads.

== Genesis ==

The underlying concept for XMLHttpRequest was first conceptualized in the year 2000 by engineers working on Microsoft Outlook. This methodology was subsequently integrated into the Internet Explorer 5 browser release (1999). Critically, the initial implementation did not use the standardized XMLHttpRequest naming convention. Instead, developers relied on instantiating objects via ActiveXControl("Msxml2.XMLHTTP") and ActiveXControl("Microsoft.XMLHTTP"). As of Internet Explorer 7 (released in 2006), universal support for the actual XMLHttpRequest identifier became standard across all major browser engines. The XMLHttpRequest identifier is now the universally accepted benchmark across all leading browser platforms, including Mozilla's Gecko rendering engine (2002), Safari version 1.2 (2004), and Opera version 8.0 (2005).

=== Formal Standardization ===

The World Wide Web Consortium (W3C) published the initial Working Draft specification outlining the XMLHttpRequest object on April 5, 2006. Subsequently, on February 25, 2008, the W3C released the Working Draft for Level 2, which introduced crucial functionality such as progress event monitoring, enabling requests across different domains (cross-site requests), and mechanisms for handling raw byte streams. By the close of 2011, the enhancements delineated in the Level 2 draft were formally merged back into the core specification. In late 2012, stewardship of the document transitioned to the WHATWG, which now maintains the living standard using Web IDL definitions.

== Operational Use ==

The standard procedure for dispatching a request using XMLHttpRequest generally involves a sequence of distinct programming operations.

  1. Instantiation: An XMLHttpRequest object is created by invoking its constructor function.
  2. Definition: The "open" method is invoked to specify the HTTP verb (method), designate the target resource URI, and declare whether the operation should be synchronous or asynchronous.
  3. Listener Setup: For asynchronous operations, an event handler must be established to receive notifications as the request's state evolves.
  4. Transmission: The request is finally dispatched to the server by calling the "send" method.
  5. Response Handling: The event listener monitors state changes. Upon reception of server data, this information is typically aggregated within the "responseText" attribute. When the object finalizes processing, its state transitions to 4, indicating the "done" status.

Beyond these fundamental steps, XMLHttpRequest offers numerous configurable parameters to fine-tune request dispatching and response processing. Custom HTTP headers can be injected to instruct the server on fulfillment requirements, and data payloads can be transmitted to the server via arguments provided to the "send" invocation. The received data stream can be parsed directly from JSON format into an immediately usable JavaScript object structure, or processed incrementally as it arrives instead of awaiting complete buffer accumulation. The operation can be terminated prematurely or configured with a timeout threshold to force failure if completion is not achieved within a specified timeframe.
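The five steps above carried through as one helper, as an added example that is not from the article. The XHR constructor is injected through a factory so the same code runs in a browser with () => new XMLHttpRequest() and can be exercised elsewhere with a stand-in; requestJson and parseResponse are assumed names, and only a 2xx reply is parsed as JSON.

```javascript
// Added example, not from the article: the five XMLHttpRequest steps in one
// helper. xhrFactory is injected (use () => new XMLHttpRequest() in a browser);
// requestJson and parseResponse are assumed names.
const DONE = 4; // readyState value meaning "done"

// Step 5: interpret a finished request. Only a 2xx reply is parsed as JSON;
// anything else is reported as an error rather than handed to the caller.
function parseResponse(xhr) {
  if (xhr.readyState !== DONE) return null; // not finished yet
  if (xhr.status < 200 || xhr.status >= 300) {
    return { ok: false, error: `HTTP ${xhr.status}` };
  }
  try {
    return { ok: true, data: JSON.parse(xhr.responseText) };
  } catch (e) {
    return { ok: false, error: `invalid JSON: ${e.message}` };
  }
}

function requestJson(xhrFactory, method, url, body, callback, timeoutMs = 5000) {
  const xhr = xhrFactory();                         // 1. instantiation
  xhr.open(method, url, true);                      // 2. definition, asynchronous
  xhr.setRequestHeader("Accept", "application/json");
  if (body !== undefined) xhr.setRequestHeader("Content-Type", "application/json");
  xhr.timeout = timeoutMs;                          // fail if the server stalls
  xhr.ontimeout = () => callback({ ok: false, error: "timeout" });
  xhr.onreadystatechange = () => {                  // 3. listener setup
    const result = parseResponse(xhr);
    if (result !== null) callback(result);          // fires once, at readyState 4
  };
  xhr.send(body === undefined ? null : JSON.stringify(body)); // 4. transmission
  return xhr;                                       // caller may abort() it early
}
```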

== Inter-Domain Transactions ==

During the nascent phases of the World Wide Web, it became apparent that mechanisms allowing client-side code to bypass inherent domain restrictions were essential for building rich, dynamic web applications, though early implementations faced significant security hurdles.
