- Home
- MCP servers
- Cortex
Cortex
- rust
13
GitHub Stars
rust
Language
6 months ago
First Indexed
2 months ago
Catalog Refreshed
Documentation & install
Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.
Installation
Add the following to your MCP client configuration file.
Configuration
View docs{
"mcpServers": {
"gbrigandi-mcp-server-cortex": {
"command": "/opt/mcp-servers/mcp-server-cortex",
"args": [],
"env": {
"CORTEX_API_KEY": "your_cortex_api_key_here",
"CORTEX_ENDPOINT": "http://your-cortex-instance:9000/api"
}
}
}
}You expose Cortex’s observable analysis capabilities as MCP-compatible tools so large language models and other MCP clients can request threat intelligence analyses from a centralized Cortex instance. This bridge lets you enrich observables through a secure, scalable MCP service while keeping Cortex configurations centralized and controllable.
How to use
You interact with the MCP Cortex server by configuring an MCP client to launch or connect to the server, and by using the four available analysis tools to enrich observables. Each tool routes your request to Cortex through the MCP layer, which returns a structured job report when the analysis completes.
Key usage patterns you can follow:
- Enrich an IP by running an abuse IP reputation check
- Analyze a domain, URL, or email with AbuseFinder to gather intelligence and context
- Scan a URL with VirusTotal for malware signals
- Analyze a URL with a Urlscan.io-based method for additional URL reputation data
How to install
Prerequisites you need before installation:
-
A Rust toolchain installed on your system.
-
A running Cortex instance accessible from the MCP server host, with an API key that can list analyzers and run jobs.
-
Specific Cortex analyzers enabled and configured in Cortex (for example AbuseIPDB_1_0, Abuse_Finder_3_0, VirusTotal_Scan_3_1, Urlscan_io_Scan_0_1_0). Each analyzer should have its necessary API keys configured in Cortex.
Step by step install flow when pulling a pre-built binary is recommended for most setups.
-
Download the latest pre-compiled binary for your OS from the releases page. For Linux, macOS, or Windows, choose the appropriate binary such as mcp-server-cortex-linux-amd64, mcp-server-cortex-macos-amd64, or mcp-server-cortex-windows-amd64.exe.
-
Move the binary to a suitable location on your system. For example, on Linux/macOS you might place it in /usr/local/bin. On Windows, you could place it under a dedicated folder like C:\Program Files\MCP Servers.
-
Make the binary executable on Unix-like systems.
chmod +x /path/to/your/mcp-server-cortex
# Ensure the directory is in your PATH for easy execution
export PATH="$PATH:/path/to/your"
# Or add the binary directory to PATH in your shell profile
Additional configuration and startup notes
The server is configured via environment variables. You provide the Cortex API endpoint and the API key to authorize requests. You can also enable verbose logging to help diagnose issues.
Example environment setup for running the server with Cortex access.
CORTEX_ENDPOINT=http://your-cortex-instance:9000/api
CORTEX_API_KEY=your_cortex_api_key_here
RUST_LOG=info
./mcp-server-cortex
Starting via Claude Desktop style configuration
If you are configuring an MCP client like Claude Desktop, point the client at the local server executable and pass the necessary environment variables so the server can reach Cortex.
{
"mcpServers": {
"cortex": {
"command": "/opt/mcp-servers/mcp-server-cortex",
"args": [],
"env": {
"CORTEX_ENDPOINT": "http://your-cortex-instance:9000/api",
"CORTEX_API_KEY": "your_cortex_api_key_here"
}
}
}
}
Available tools
analyze_ip_with_abuseipdb
Analyzes an IP address using a Cortex-based AbuseIPDB-like analyzer and returns the job report when complete.
analyze_with_abusefinder
Analyzes data such as IPs, domains, URLs, or emails using a Cortex AbuseFinder analyzer and returns the job report.
scan_url_with_virustotal
Analyzes a URL using a VirusTotal-based analyzer via Cortex and returns the resulting job report.
analyze_url_with_urlscan_io
Analyzes a URL using a Urlscan.io analyzer via Cortex and returns the resulting job report.