
mcp-threatintel
io.github.aplaceforallmystuff/mcp-threatintel
Unified threat intel - OTX, AbuseIPDB, GreyNoise, abuse.ch, Feodo Tracker
# mcp-threatintel

MCP server providing unified access to multiple threat intelligence sources for security research and analysis.

## Features

- Unified lookups - Query IP addresses, domains, file hashes, and URLs across multiple sources simultaneously
- AlienVault OTX - Access Open Threat Exchange pulses and indicators
- AbuseIPDB - IP reputation and abuse reports
- GreyNoise - Internet scanner and noise identification
- abuse.ch feeds - URLhaus, MalwareBazaar, ThreatFox, and Feodo Tracker
## Installation

```bash
npm install -g mcp-threatintel-server
```

## Configuration

Add to your Claude Desktop or Claude Code MCP settings:

```json
{
  "mcpServers": {
    "threatintel": {
      "command": "mcp-threatintel",
      "env": {
        "OTX_API_KEY": "your-otx-api-key",
        "ABUSEIPDB_API_KEY": "your-abuseipdb-api-key",
        "GREYNOISE_API_KEY": "your-greynoise-api-key",
        "ABUSECH_AUTH_KEY": "your-abusech-auth-key"
      }
    }
  }
}
```

## API Keys

| Service | Required | Free Tier | Get Key |
|---|---|---|---|
| AlienVault OTX | Optional | Yes (unlimited) | otx.alienvault.com |
| AbuseIPDB | Optional | Yes (1,000/day) | abuseipdb.com |
| GreyNoise | Optional | Yes (limited) | greynoise.io |
| abuse.ch | Optional | Yes | auth.abuse.ch |
| Feodo Tracker | No | Yes | Public JSON feeds |
Note: Most tools are dynamically enabled based on which API keys you provide. Feodo Tracker works without authentication (public JSON feeds). As of late 2024, abuse.ch APIs (URLhaus, MalwareBazaar, ThreatFox) require authentication.

## Tools

### Status

| Tool | Description |
|---|---|
| threatintel_status | Check which threat intelligence sources are configured |

### Unified Lookups

| Tool | Description |
|---|---|
| threatintel_lookup_ip | Look up an IP address across all configured sources |
| threatintel_lookup_domain | Look up a domain across all configured sources |
| threatintel_lookup_hash | Look up a file hash (MD5/SHA1/SHA256) across all configured sources |
| threatintel_lookup_url | Look up a URL across all configured sources |
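
The unified lookups only help when an indicator reaches the right tool in the right form. The following is an added example, not code from mcp-threatintel: it refangs an analyst-supplied indicator (`hxxp://`, `[.]`), classifies it as an IP address, domain, file hash (MD5, SHA1 or SHA256 by hex length) or URL, and names the unified tool from the table above that an MCP client should call for it. Only the tool names come from this README; the `refang`, `classifyIndicator` and `routeIndicator` helpers, the refanging rules and the sample indicators are assumptions made for this example.

```javascript
// Added example (not part of mcp-threatintel): classify a raw indicator and
// pick the unified lookup tool that should receive it. The tool names are the
// README's; every helper below and the refanging rules are assumptions here.

const TOOL_BY_TYPE = {
  ip: "threatintel_lookup_ip",
  domain: "threatintel_lookup_domain",
  hash: "threatintel_lookup_hash",
  url: "threatintel_lookup_url",
};

// Analysts share indicators "defanged" (hxxp://, example[.]com, 1.2.3[.]4) so
// they cannot be clicked by accident; undo that before classifying.
function refang(raw) {
  return raw
    .trim()
    .replace(/\[\.\]/g, ".")
    .replace(/\(\.\)/g, ".")
    .replace(/\[:\]/g, ":")
    .replace(/^hxxps?:\/\//i, (m) => m.toLowerCase().replace("hxxp", "http"));
}

// Hash algorithm is inferred from hex length (the three the README lists).
const HASH_LENGTHS = { 32: "md5", 40: "sha1", 64: "sha256" };

function isIPv4(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return false;
  return parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

function isDomain(s) {
  // Cheap syntactic check: hyphen-safe labels, at least one dot, alphabetic
  // TLD. It does not consult the public suffix list.
  return /^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\.[a-z]{2,63}$/i.test(s);
}

function classifyIndicator(raw) {
  const value = refang(raw);
  const lower = value.toLowerCase();
  if (/^https?:\/\//.test(lower)) return { type: "url", value };
  if (isIPv4(value)) return { type: "ip", value };
  if (/^[0-9a-f]+$/.test(lower) && HASH_LENGTHS[lower.length]) {
    return { type: "hash", value: lower, algorithm: HASH_LENGTHS[lower.length] };
  }
  if (isDomain(value)) return { type: "domain", value: lower };
  return { type: "unknown", value };
}

// Attach the tool name; unknown indicators get null so a caller can refuse
// to fan out a malformed value to every configured source.
function routeIndicator(raw) {
  const ioc = classifyIndicator(raw);
  return { ...ioc, tool: TOOL_BY_TYPE[ioc.type] ?? null };
}

// Constructed sample indicators (the IP is the one used in this README).
for (const raw of [
  "185.220.101[.]1",
  "hxxps://malware.example[.]com/a.php",
  "44d88612fea8a8f36de82e1278abb02f",
  "256.1.1.1",
]) {
  console.log(routeIndicator(raw));
}
```

The classifier deliberately checks URL before IP and hash before domain, so a 32-character hex string is never mistaken for a hostname and a URL whose host is an IP is still routed to the URL lookup.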

### AbuseIPDB (requires API key)

| Tool | Description |
|---|---|
| abuseipdb_check | Check IP reputation and abuse history |

### AlienVault OTX (requires API key)

| Tool | Description |
|---|---|
| otx_get_pulses | Get recent threat intelligence pulses |
| otx_search_pulses | Search pulses by keyword |

### GreyNoise (requires API key)

| Tool | Description |
|---|---|
| greynoise_ip | Check whether an IP is internet background noise or a targeted threat |

### URLhaus (requires abuse.ch auth key)

| Tool | Description |
|---|---|
| urlhaus_lookup | Look up a URL, domain, or IP in URLhaus |
| urlhaus_recent | Get recent malware URLs |

### MalwareBazaar (requires abuse.ch auth key)

| Tool | Description |
|---|---|
| malwarebazaar_hash | Look up a malware sample by hash |
| malwarebazaar_recent | Get recent malware samples |
| malwarebazaar_tag | Search samples by tag |

### ThreatFox (requires abuse.ch auth key)

| Tool | Description |
|---|---|
| threatfox_iocs | Get recent IOCs from ThreatFox |
| threatfox_search | Search ThreatFox IOCs |

### Feodo Tracker (no key required)

| Tool | Description |
|---|---|
| feodo_tracker | Get active botnet C2 servers (QakBot, Emotet, Dridex, etc.) |
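
A C2 list from `feodo_tracker` is most useful when it is checked against your own egress logs. The script below is an added example, not code from mcp-threatintel or abuse.ch: it indexes a small, constructed C2 list in the shape a Feodo Tracker result might take (the `ip_address`, `port`, `malware` and `status` field names are an assumption of this example, not the feed's documented schema), parses constructed firewall log lines, and raises an alert for each destination that matches, ranking an allowed connection to an online C2 endpoint above a blocked one, and above a bare IP match on a port the feed does not list.

```javascript
// Added example (not mcp-threatintel or abuse.ch code): match outbound
// connection logs against a Feodo Tracker style C2 list. Feed records and log
// lines are constructed samples; the feed field names are an assumption.

const C2_FEED = [
  { ip_address: "198.51.100.23", port: 443, malware: "QakBot", status: "online" },
  { ip_address: "203.0.113.77", port: 8080, malware: "Emotet", status: "online" },
  { ip_address: "192.0.2.9", port: 4443, malware: "Dridex", status: "offline" },
];

// Constructed firewall-style lines: "<ts> <src>:<sport> -> <dst>:<dport> <action>"
const LOG_LINES = [
  "2024-11-02T10:15:01Z 10.0.0.15:51234 -> 198.51.100.23:443 ALLOW",
  "2024-11-02T10:15:07Z 10.0.0.22:51240 -> 93.184.216.34:443 ALLOW",
  "2024-11-02T10:16:42Z 10.0.0.15:51300 -> 203.0.113.77:80 ALLOW", // C2 host, unlisted port
  "2024-11-02T10:17:03Z 10.0.0.40:51311 -> 192.0.2.9:4443 DENY",
  "garbage line that does not parse",
];

// Index exact ip:port endpoints and bare IPs separately, so traffic to a
// known C2 host over an unexpected port is still surfaced, at lower severity.
function buildIndex(feed) {
  const byEndpoint = new Map();
  const byIp = new Map();
  for (const rec of feed) {
    byEndpoint.set(`${rec.ip_address}:${rec.port}`, rec);
    if (!byIp.has(rec.ip_address)) byIp.set(rec.ip_address, rec);
  }
  return { byEndpoint, byIp };
}

const LINE_RE =
  /^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (ALLOW|DENY)$/;

// Returns null for lines that do not fit the format instead of throwing, so
// one malformed record does not abort a whole batch.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], src: m[2], srcPort: Number(m[3]), dst: m[4], dstPort: Number(m[5]), action: m[6] };
}

function severityFor(exact, ev, rec) {
  if (exact && ev.action === "ALLOW" && rec.status === "online") return "high";
  if (exact) return "medium";
  return "low";
}

function matchLogs(lines, feed) {
  const { byEndpoint, byIp } = buildIndex(feed);
  const alerts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const exact = byEndpoint.get(`${ev.dst}:${ev.dstPort}`);
    const rec = exact || byIp.get(ev.dst);
    if (!rec) continue;
    alerts.push({
      ts: ev.ts, src: ev.src, dst: ev.dst, dstPort: ev.dstPort, action: ev.action,
      malware: rec.malware, feedStatus: rec.status,
      severity: severityFor(Boolean(exact), ev, rec),
    });
  }
  return alerts;
}

for (const alert of matchLogs(LOG_LINES, C2_FEED)) console.log(alert);
```

Keying on the exact endpoint first matters because shared hosting and CDN addresses appear in feeds like this with a specific port; a bare-IP match alone would generate noise, while an allowed connection to a listed ip:port that the feed still marks online is the one a responder wants to see first.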

## Usage Examples

### Check configured services

Use `threatintel_status` to see which services are available.

### Get active botnet C2 servers (works without any API keys)

Use `feodo_tracker` to get the current list of botnet command and control servers.

### Check a suspicious IP (requires API keys for full results)

Use `threatintel_lookup_ip` to check `185.220.101.1`.

### Look up a malware hash (requires abuse.ch auth key)

Use `malwarebazaar_hash` to look up `44d88612fea8a8f36de82e1278abb02f`.

### Search for Emotet IOCs (requires abuse.ch auth key)

Use `threatfox_search` to find IOCs tagged "emotet".

## Data Sources

### AlienVault OTX

Open Threat Exchange, a community-driven threat intelligence platform whose pulses contain indicators of compromise.

### AbuseIPDB

Crowdsourced IP reputation database built from abuse reports submitted by network administrators worldwide.

### GreyNoise

Distinguishes IPs that scan the whole internet from those targeting you specifically, which helps reduce false positives in threat detection.

### abuse.ch Projects

- URLhaus - Malware distribution URLs
- MalwareBazaar - Malware sample repository
- ThreatFox - IOC sharing platform
- Feodo Tracker - Botnet C2 infrastructure tracking

## License

MIT

## Author

Jim Christian

## Related Projects

For additional threat intelligence capabilities, consider:

- @burtthecoder/mcp-shodan - Shodan internet scanning
- @burtthecoder/mcp-virustotal - VirusTotal malware analysis