enrichment

This Enrichment MCP server exposes a lookup-observable tool that routes a provided observable to a set of third-party enrichment services. The server uses the security-cli package to perform enrichment against services such as VirusTotal, Hybrid Analysis, AlienVault, Shodan, Urlscan.io, AbuseIPDB, and HaveIBeenPwned. When you supply an observable (e.g., an IP address, domain, URL, or email), the server determines which configured enrichment services can handle that observable type and executes the enrichment workflow accordingly. The response aggregates results from the configured services, returning a structured object keyed by service name with the enrichment results or errors as appropriate.

Prerequisites:\n- Python 3.8+ (or a compatible Python runtime)\n- uv installed (the uv runtime)\n- Access to a configured environment for the needed API keys (VirusTotal, Hybrid Analysis, AlienVault, Shodan, Urlscan.io, AbuseIPDB, HaveIBeenPwned)\n\nInstall steps:\n1) Clone the repository and navigate into it:\n\nbash\ngit clone https://github.com/MSAdministrator/enrichment-mcp.git\ncd enrichment-mcp\n\n2) Install uv if you haven't already (examples from the quickstart):\n\nbash\ncurl -LsSf https://astral.sh/uv/install.sh | sh\n\n3) Create a project environment file (.env) or set environment variables for API keys (see the README for the listed keys). Example (not committed):\n\nbash\nexport ENRICHMENT_MCP_VIRUSTOTAL_KEY=your-virustotal-key\nexport ENRICHMENT_MCP_HYBRIDANALYSIS_KEY=your-hybrid-analysis-key\nexport ENRICHMENT_MCP_ALIENVAULT_KEY=your-alienvault-key\nexport ENRICHMENT_MCP_SHODAN_KEY=your-shodan-key\nexport ENRICHMENT_MCP_URLSCAN_KEY=your-urlscan-key\nexport ENRICHMENT_MCP_ABUSEIPDB_KEY=your-abuseipdb-key\nexport ENRICHMENT_MCP_HIBP_KEY=your-hibp-key\n\n4) Run the server using the provided command setup in mcp_config (see next section for details).

Environment variable secrets: It is highly recommended to store API keys as environment variables rather than hard-coding them. The security-cli templates expect keys to be available in the environment, typically referenced by the template or the underlying library. If you modify the config.yaml.example, keep the file in config.yaml.example within the repository and ensure that your environment variables are loaded when starting the server. The enrichment capabilities depend on the presence of those keys and the corresponding templates in the security-cli package. If a service is not returning data, check that the key is valid and that the service supports the observable type in use. The README mentions a config.yaml.example and templates directory which drive what is called and how results are formatted.