Cortex MCP Server

MCP Server for Cortex

This server acts as a bridge, exposing the powerful analysis capabilities of a Cortex instance as tools consumable by Model Context Protocol (MCP) clients, such as large language models like Claude. It allows these clients to leverage Cortex analyzers for threat intelligence tasks.

What is Cortex?

Cortex is a powerful, free, and open-source observable analysis and active response engine. It allows you to analyze observables (like IPs, URLs, domains, files, etc.) using a variety of "analyzers" – modular pieces of code that connect to external services or perform local analysis.

Benefits of using Cortex (and this MCP server):

  • Centralized Analysis: Run various analyses from a single point.
  • Extensibility: Easily add new analyzers for different threat intelligence feeds and tools.
  • Automation: Automate the process of enriching observables.
  • Integration: Designed to work closely with TheHive, a Security Incident Response Platform (SIRP), but can also be used standalone.
  • Security: API-key based access to protect your Cortex instance.

This MCP server makes these benefits accessible to MCP-compatible clients, enabling them to request analyses and receive structured results.

Prerequisites

  1. Rust Toolchain: Ensure you have Rust installed (visit rustup.rs).
  2. Cortex Instance: A running Cortex instance is required.
    • The server needs network access to this Cortex instance.
    • An API key for Cortex with permissions to list analyzers and run jobs. A key limited to those two permissions is enough, so there is no need to hand the server an administrator's key.
  3. Configured Analyzers: The specific analyzers you intend to use (e.g., AbuseIPDB_1_0, Abuse_Finder_3_0, VirusTotal_Scan_3_1) must be enabled and correctly configured within your Cortex instance.

Installation

The recommended way to install the MCP Server for Cortex is to download a pre-compiled binary for your operating system.

  1. Go to the Releases Page: Navigate to the GitHub Releases page.

  2. Download the Binary: Find the latest release and download the appropriate binary for your operating system (e.g., mcp-server-cortex-linux-amd64, mcp-server-cortex-macos-amd64, mcp-server-cortex-windows-amd64.exe).

  3. Place and Prepare the Binary:

    • Move the downloaded binary to a suitable location on your system (e.g., /usr/local/bin on Linux/macOS, or a dedicated folder like C:\Program Files\MCP Servers\ on Windows).
    • For Linux/macOS: Make the binary executable:
      chmod +x /path/to/your/mcp-server-cortex
      
    • Ensure the directory containing the binary is in your system's PATH if you want to run it without specifying the full path.

Alternatively, you can build the server from source (see the Building section below).

Configuration

The server is configured using the following environment variables:

  • CORTEX_ENDPOINT: The full URL to your Cortex API.
    • Example: http://localhost:9000/api
  • CORTEX_API_KEY: Your API key for authenticating with the Cortex instance.
  • RUST_LOG (Optional): Controls the logging level for the server.
    • Example: info (for general information)
    • Example: mcp_server_cortex=debug,cortex_client=info (for detailed server logs and info from the cortex client library)

Cortex Analyzer Configuration

For the tools provided by this MCP server to function correctly, the corresponding analyzers must be enabled and properly configured within your Cortex instance. The server relies on these Cortex analyzers to perform the actual analysis tasks.

The tools use the following analyzers by default (each tool also accepts an optional analyzer_name parameter to select a different analyzer instance):

  • analyze_ip_with_abuseipdb: Uses an analyzer like AbuseIPDB_1_0.
    • This analyzer typically requires an API key from AbuseIPDB. Ensure this is configured in Cortex.
  • analyze_with_abusefinder: Uses an analyzer like Abuse_Finder_3_0.
    • AbuseFinder might have its own configuration requirements or dependencies within Cortex.
  • scan_url_with_virustotal: Uses an analyzer like VirusTotal_Scan_3_1.
    • This analyzer requires a VirusTotal API key. Ensure this is configured in Cortex.

Key Points:

  • Enable Analyzers: Make sure the analyzers you intend to use are enabled in your Cortex instance's "Organization" -> "Analyzers" section.
  • Configure Analyzers: Each analyzer will have its own configuration page within Cortex where you'll need to input API keys, set thresholds, or define other operational parameters. Refer to the documentation for each specific Cortex analyzer.
  • Test in Cortex: It's a good practice to test the analyzers directly within the Cortex UI first to ensure they are working as expected before trying to use them via this MCP server.

If an analyzer is not configured, not enabled, or misconfigured (e.g., invalid API key), the corresponding tool call from the MCP client will likely fail or return an error from Cortex.
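A preflight check of the kind the "Test in Cortex" point above recommends, added here as an example and not part of the mcp-server-cortex project: a standalone Python script that reads the same CORTEX_ENDPOINT and CORTEX_API_KEY variables the server uses, lists the analyzers the instance exposes, reports which of the three default analyzers are missing, and can submit one observable and wait for its report. The REST paths (/analyzer, /analyzer/{name}/run, /job/{id}/waitreport), the Bearer authentication header and the report layout (report.summary.taxonomies) follow the Cortex REST API documentation; check them against your Cortex version. The HTTP transport is injectable so the logic can be exercised offline, and the responses used in the test are constructed.

```python
"""Preflight check for a Cortex instance before wiring it to the MCP server.

Added example (not project code). Exercises the Cortex REST calls the server
depends on, using the environment variables documented in the README:
  GET  {endpoint}/analyzer                       list enabled analyzers
  POST {endpoint}/analyzer/{name}/run            submit an observable as a job
  GET  {endpoint}/job/{id}/waitreport?atMost=..  block until the report is ready
"""
import json
import os
import urllib.request


def urllib_transport(method, url, headers, body):
    """Default transport: transport(method, url, headers, body) -> (status, json)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"null")


def cortex_headers(api_key):
    # Cortex authenticates API calls with a bearer token carrying the API key.
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


def load_settings(environ=os.environ):
    """Read CORTEX_ENDPOINT and CORTEX_API_KEY; fail early if either is absent."""
    missing = [k for k in ("CORTEX_ENDPOINT", "CORTEX_API_KEY") if not environ.get(k)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    endpoint = environ["CORTEX_ENDPOINT"].rstrip("/")
    return {"endpoint": endpoint, "api_key": environ["CORTEX_API_KEY"],
            # A plain http:// endpoint sends the bearer token unencrypted on every call.
            "tls": endpoint.startswith("https://")}


def list_analyzers(settings, transport=urllib_transport):
    status, body = transport("GET", settings["endpoint"] + "/analyzer",
                             cortex_headers(settings["api_key"]), None)
    if status != 200:
        raise RuntimeError(f"listing analyzers failed with HTTP {status}")
    return [a["name"] for a in body]


def missing_analyzers(enabled, required):
    return [name for name in required if name not in enabled]


def run_and_wait(settings, analyzer, data, data_type,
                 transport=urllib_transport, at_most="60second"):
    """Submit one observable to an analyzer and wait for the finished job."""
    headers = cortex_headers(settings["api_key"])
    # tlp 2 (AMBER) is the sharing marking attached to the observable; the field is optional.
    payload = json.dumps({"data": data, "dataType": data_type, "tlp": 2}).encode()
    status, job = transport("POST", f"{settings['endpoint']}/analyzer/{analyzer}/run",
                            headers, payload)
    if status not in (200, 201):
        raise RuntimeError(f"job submission failed with HTTP {status}: {job}")
    status, report = transport(
        "GET", f"{settings['endpoint']}/job/{job['id']}/waitreport?atMost={at_most}",
        headers, None)
    if status != 200 or report.get("status") != "Success":
        raise RuntimeError(f"job {job['id']} did not succeed: {report}")
    return report


def summarize(report):
    """Reduce a job report to its status and the analyzer's taxonomy verdicts."""
    taxonomies = report.get("report", {}).get("summary", {}).get("taxonomies", [])
    return {"status": report["status"],
            "verdicts": [f"{t['namespace']}:{t['predicate']}={t['value']} ({t['level']})"
                         for t in taxonomies]}


if __name__ == "__main__":
    s = load_settings()
    if not s["tls"]:
        print("warning: CORTEX_ENDPOINT is not https; the API key travels in clear text")
    enabled = list_analyzers(s)
    gaps = missing_analyzers(enabled, ["AbuseIPDB_1_0", "Abuse_Finder_3_0", "VirusTotal_Scan_3_1"])
    print("enabled analyzers:", enabled)
    print("missing default analyzers:", gaps or "none")
```

Run it with the two environment variables exported; it only lists analyzers, and run_and_wait is there for submitting a single test observable by hand. A missing default analyzer in its output is exactly the condition that makes the corresponding MCP tool fail.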

Example: Claude Desktop Configuration

For MCP clients like Claude Desktop, you typically configure them by specifying the command to launch the MCP server and any necessary environment variables for that server.

  1. Build or Download the Server Binary: Ensure you have the mcp-server-cortex executable. If you've built it from source, it will be in target/debug/mcp_server_cortex or target/release/mcp_server_cortex.

  2. Configure Your LLM Client (e.g., Claude Desktop):

    • The method for configuring your LLM client will vary depending on the client itself.

    • For clients that support MCP, you will typically need to point the client to the path of the mcp-server-cortex executable.

    • Example for Claude Desktop claude_desktop_config.json: You would modify your Claude Desktop configuration file (usually claude_desktop_config.json) to include an entry for this server.

      For instance, if your mcp-server-cortex binary is located at /opt/mcp-servers/mcp-server-cortex, your configuration might look like this (the file must be valid JSON, so the two comment lines only mark where other entries would go, and the last value inside "env" carries no trailing comma):

      {
        "mcpServers": {
          // ... other server configurations ...
          "cortex": {
            "command": "/opt/mcp-servers/mcp-server-cortex",
            "args": [],
            "env": {
              "CORTEX_ENDPOINT": "http://your-cortex-instance:9000/api",
              "CORTEX_API_KEY": "your_cortex_api_key_here"
            }
          }
          // ... other server configurations ...
        }
      }

      This file then holds the Cortex API key in clear text, so keep it readable only by your own user account, and use an https:// endpoint where your Cortex instance offers one.

Available Tools

The server provides the following tools, which can be called by an MCP client:

  1. analyze_ip_with_abuseipdb

    • Description: Analyzes an IP address using an AbuseIPDB analyzer (or a similarly configured IP reputation analyzer) via Cortex. Returns the job report if successful.
    • Parameters:
      • ip (string, required): The IP address to analyze.
      • analyzer_name (string, optional): The specific name of the AbuseIPDB analyzer instance in Cortex. Defaults to AbuseIPDB_1_0.
  2. analyze_with_abusefinder

    • Description: Analyzes various types of data (IP, domain, FQDN, URL, or email) using an AbuseFinder analyzer via Cortex. Returns the job report if successful.
    • Parameters:
      • data (string, required): The data to analyze (e.g., "1.1.1.1", "example.com", "http://evil.com/malware", "test@example.com").
      • data_type (string, required): The type of the data. Must be one of: ip, domain, fqdn, url, mail.
      • analyzer_name (string, optional): The specific name of the AbuseFinder analyzer instance in Cortex. Defaults to Abuse_Finder_3_0.
  3. scan_url_with_virustotal

    • Description: Scans a URL using a VirusTotal_Scan analyzer (e.g., VirusTotal_Scan_3_1) via Cortex. Returns the job report if successful.
    • Parameters:
      • url (string, required): The URL to scan.
      • analyzer_name (string, optional): The specific name of the VirusTotal_Scan analyzer instance in Cortex. Defaults to VirusTotal_Scan_3_1.
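The three tools take their arguments from the LLM client, so the server boundary is where those values should be validated before they are placed in a Cortex request. The following Python is an added example, not the project's Rust code: it applies the parameter contracts documented above (the data_type enumeration and the default analyzer names) and adds checks this README does not mention, which are this example's own choices: an analyzer_name must match the character set Cortex analyzer names use, so it cannot alter the request path; IP addresses must be public addresses (private, loopback and reserved ranges are refused rather than forwarded to an external service); and URLs must be absolute http(s) URLs. The output is the analyzer, data and dataType triple a Cortex run call needs.

```python
"""Input validation for the three MCP tools before anything reaches Cortex.

Added example (not project code). Everything arriving as a tool argument is
treated as untrusted input.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Values the README documents for each tool (defaults and the data_type enum).
ABUSEFINDER_TYPES = ("ip", "domain", "fqdn", "url", "mail")
DEFAULT_ANALYZER = {
    "analyze_ip_with_abuseipdb": "AbuseIPDB_1_0",
    "analyze_with_abusefinder": "Abuse_Finder_3_0",
    "scan_url_with_virustotal": "VirusTotal_Scan_3_1",
}
# The analyzer name is used verbatim in the API path /analyzer/{name}/run, so a
# name is accepted only if it cannot contain path or query characters.
ANALYZER_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")
MAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


class ToolInputError(ValueError):
    """Raised for parameters that must not be forwarded to Cortex."""


def _analyzer_for(tool, analyzer_name):
    name = analyzer_name or DEFAULT_ANALYZER[tool]
    if not ANALYZER_NAME_RE.match(name):
        raise ToolInputError(f"analyzer_name {name!r} is not a valid Cortex analyzer name")
    return name


def _check_ip(value):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        raise ToolInputError(f"{value!r} is not an IP address") from None
    if not addr.is_global:
        # Private, loopback and reserved ranges have no reputation data; refuse
        # rather than send an internal address to an external service.
        raise ToolInputError(f"{value!r} is not a public address")
    return str(addr)


def _check_url(value):
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ToolInputError(f"{value!r} is not an absolute http(s) URL")
    return value


def _check_host(value, kind):
    if not HOSTNAME_RE.match(value):
        raise ToolInputError(f"{value!r} is not a valid {kind}")
    return value.lower()


def _check_mail(value):
    if not MAIL_RE.match(value):
        raise ToolInputError(f"{value!r} is not an e-mail address")
    return value


def analyze_ip_with_abuseipdb(ip, analyzer_name=None):
    return {"analyzer": _analyzer_for("analyze_ip_with_abuseipdb", analyzer_name),
            "data": _check_ip(str(ip).strip()), "dataType": "ip"}


def analyze_with_abusefinder(data, data_type, analyzer_name=None):
    if data_type not in ABUSEFINDER_TYPES:
        raise ToolInputError(f"data_type must be one of {', '.join(ABUSEFINDER_TYPES)}")
    checks = {"ip": _check_ip, "url": _check_url, "mail": _check_mail,
              "domain": lambda v: _check_host(v, "domain"),
              "fqdn": lambda v: _check_host(v, "fqdn")}
    return {"analyzer": _analyzer_for("analyze_with_abusefinder", analyzer_name),
            "data": checks[data_type](str(data).strip()), "dataType": data_type}


def scan_url_with_virustotal(url, analyzer_name=None):
    return {"analyzer": _analyzer_for("scan_url_with_virustotal", analyzer_name),
            "data": _check_url(str(url).strip()), "dataType": "url"}


TOOLS = {f.__name__: f for f in (analyze_ip_with_abuseipdb, analyze_with_abusefinder,
                                 scan_url_with_virustotal)}


def prepare_tool_call(tool, arguments):
    """Turn an MCP tool call into a Cortex run request, or an error the client can read."""
    if tool not in TOOLS:
        return {"error": f"unknown tool {tool!r}"}
    try:
        return TOOLS[tool](**arguments)
    except (ToolInputError, TypeError) as exc:
        # TypeError covers missing required parameters and unexpected ones.
        return {"error": str(exc)}
```

The rejected cases return an error object instead of raising, which is what an MCP client expects: the model sees why the call was refused and can correct its arguments, while nothing malformed ever reaches the Cortex API.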

Building

To build the server from source, ensure you have the Rust toolchain installed (as mentioned in the "Prerequisites" section).

  1. Clone the repository (if you haven't already):

    git clone https://github.com/gbrigandi/mcp-server-cortex.git
    cd mcp-server-cortex
    

    If you are already working within a cloned repository and are in its root directory, you can skip this step.

  2. Build the project using Cargo:

    • For a debug build:
      cargo build
      
      The executable will be located at target/debug/mcp-server-cortex.
    • For a release build (recommended for performance and actual use):
      cargo build --release
      
      The executable will be located at target/release/mcp-server-cortex.

After building, you can run the server executable. Refer to the "Configuration" section for required environment variables and the "Example: Claude Desktop Configuration" for how an MCP client might launch the server.
