GitHub Stars
27
User Rating
Not Rated
Favorites
0
Views
2
Forks
3
Issues
0
otx-cti MCP Server
An MCP (Model Context Protocol) server for accessing AlienVault Open Threat Exchange (OTX) threat intelligence directly in Claude.
Overview
This server connects to AlienVault's OTX DirectConnect API, allowing the Claude for desktop client to search, retrieve, and analyse cyber threat intelligence data. Use this tool to interact with the OTX API using natural language prompting via Claude. By installing this MCP server, you get access to the most recent threat data, including:
- Threat intelligence pulses
- Indicators of compromise (IOCs)
- Malicious IP addresses, domains, and URLs
- Malware file hashes
- Threat actor information
Features
- Real-time Threat Intelligence: Access the latest threat data from AlienVault OTX's global community
- Comprehensive IOC Analysis: Check if IPs, domains, URLs, or file hashes are known to be malicious
- Threat Actor Profiling: Retrieve information about known threat actors and their activities
- Cached Results: Optimised performance with local caching of API responses
- Asynchronous API: Built with modern async Python for efficient handling of API requests
Tools Provided
| Tool Name | Description |
|---|---|
search_pulses |
Search for threat intelligence pulses in OTX |
get_recent_pulses |
Get recent threat intelligence pulses |
get_pulse_details |
Get detailed information about a specific pulse |
get_pulse_indicators |
Get indicators of compromise (IOCs) from a specific pulse |
get_indicator_details |
Get detailed information about a specific indicator |
check_indicator_malicious |
Check if an indicator is known to be malicious |
get_threat_actor |
Get information about a specific threat actor |
Installation
Prerequisites
- Python 3.8 or higher
- An AlienVault OTX account and API key (Sign up here)
uvpackage manager (recommended) orpip
Set Up Using UV (Recommended)
Clone this repository:
git clone https://github.com/your-username/otx-mcp-server.git cd otx-mcp-serverCreate a Python environment and install dependencies:
uv venv source .venv/bin/activate # On Windows: .venv\Scripts\activate uv pip install -e
Set Up Using Pip
Clone this repository:
git clone https://github.com/your-username/otx-mcp-server.git cd otx-mcp-serverCreate a Python environment and install dependencies:
python -m venv .venv source .venv/bin/activate # On Windows: .venv\Scripts\activate pip install -e
Quick install with Claude Desktop
Add the following to your Claude Desktop configuration (claude_desktop_config.json):
"mcpServers": {
"otx": {
"command": "uv",
"args": [
"--directory",
"/path/to/otx-mcp-server",
"run",
"otx"
],
"env": {
"OTX_API_KEY": "YOUR_API_KEY_HERE"
}
}
}
}
The configuration file is typically located at:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json
Sample Prompts
Here are some example prompts to use with the OTX MCP server:
- "Search for recent threat intelligence related to ransomware attacks on healthcare organisations."
- "Check if the IP address xxx.xx.xx.xx is associated with any known threats."
- "Get information about the Golden Chickens/Venom Spider threat actor and their recent activities."
- "Search OTX for specific industry-related threat intelligence. I am looking for threats targeting Financial Services organisations"
- "Find indicators of compromise related to the CWE-94 vulnerability."
- "Check if the domain malicious-example.com is known to be malicious."
- "Get the latest threat intelligence pulses from the past 3 days."
Resource Types
The server provides access to several resource types:
- Pulses: otx://pulse/{pulse_id}
- Indicators: otx://indicator/{indicator_type}/{indicator_value}
- Threat Actors: otx://actor/{actor_name}
These resources can be referenced and accessed throughout your conversation with Claude.
Security Considerations
This tool is designed for legitimate security research and defence purposes. Always:
- Use responsibly and follow applicable laws and regulations
- Maintain proper authorisation for any security testing
- Handle threat intelligence data with appropriate operational security controls (OPSEC)