misp-mcp

An MCP (Model Context Protocol) server for MISP (Malware Information Sharing Platform & Threat Intelligence Sharing). Enables LLMs to perform IOC lookups, manage events, discover correlations, and export threat intelligence directly from your MISP instance.

Features

18 MCP Tools - Full MISP API coverage: events, attributes, correlations, tags, exports, sightings, warninglists
3 MCP Resources - Browse attribute types, instance statistics, and available taxonomies
3 MCP Prompts - Guided workflows for IOC investigation, incident event creation, and threat reporting
SSL Flexibility - Handles self-signed certificates common in MISP deployments
Export Formats - CSV, STIX, Suricata, Snort, text, RPZ, and hash lists
Bulk Operations - Add multiple IOCs to events in a single call
Correlation Engine - Discover cross-event relationships through shared indicators

Prerequisites

Node.js 20 or later
A running MISP instance with API access
MISP API key (generated from MISP UI: Administration > List Auth Keys)

Installation

git clone https://github.com/solomonneas/misp-mcp.git
cd misp-mcp
npm install
npm run build

Configuration

Set the following environment variables:

export MISP_URL=https://misp.example.com
export MISP_API_KEY=your-api-key-here
export MISP_VERIFY_SSL=true  # Set to 'false' for self-signed certificates

Variable	Required	Default	Description
`MISP_URL`	Yes	-	MISP instance base URL
`MISP_API_KEY`	Yes	-	API authentication key
`MISP_VERIFY_SSL`	No	`true`	Set `false` for self-signed certs

Usage

Claude Desktop

Add to your Claude Desktop MCP config (claude_desktop_config.json):

{
  "mcpServers": {
    "misp": {
      "command": "node",
      "args": ["/path/to/misp-mcp/dist/index.js"],
      "env": {
        "MISP_URL": "https://misp.example.com",
        "MISP_API_KEY": "your-api-key-here",
        "MISP_VERIFY_SSL": "true"
      }
    }
  }
}

Standalone

MISP_URL=https://misp.example.com MISP_API_KEY=your-key node dist/index.js

Development

MISP_URL=https://misp.example.com MISP_API_KEY=your-key npm run dev

Tools Reference

Event Tools

Tool	Description
`misp_search_events`	Search events by IOC value, type, tags, date range, organization
`misp_get_event`	Get full event details including attributes, objects, galaxies, related events
`misp_create_event`	Create a new event with threat level, distribution, and analysis status
`misp_update_event`	Update event metadata (info, threat level, analysis, publish state)
`misp_publish_event`	Publish an event to trigger alerts to sharing partners
`misp_tag_event`	Add or remove tags (TLP, MITRE ATT&CK, custom) from an event

Attribute Tools

Tool	Description
`misp_search_attributes`	Search IOCs across all events with type, category, and correlation filters
`misp_add_attribute`	Add a single IOC to an event
`misp_add_attributes_bulk`	Add multiple IOCs to an event in one operation
`misp_delete_attribute`	Soft or hard delete an attribute

Correlation & Intelligence Tools

Tool	Description
`misp_correlate`	Find all events and attributes matching a value, with cross-event correlations
`misp_get_related_events`	Discover events related through shared IOCs
`misp_describe_types`	Get all available attribute types and category mappings

Tag & Taxonomy Tools

Tool	Description
`misp_list_tags`	List available tags with usage statistics
`misp_search_by_tag`	Find events or attributes by tag

Export Tools

Tool	Description
`misp_export_iocs`	Export IOCs in CSV, STIX, Suricata, Snort, text, or RPZ format
`misp_export_hashes`	Export file hashes (MD5, SHA1, SHA256) for HIDS integration

Sighting & Warninglist Tools

Tool	Description
`misp_add_sighting`	Report a sighting, false positive, or expiration for an IOC
`misp_check_warninglists`	Check if a value appears on known benign/false positive lists

Resources

Resource URI	Description
`misp://types`	All supported attribute types, categories, and their mappings
`misp://statistics`	MISP instance statistics
`misp://taxonomies`	Available taxonomies (TLP, MITRE ATT&CK, etc.)

Prompts

Prompt	Description
`investigate-ioc`	Deep IOC investigation: search, correlate, check warninglists, summarize threat context
`create-incident-event`	Guided event creation from an incident description with IOC ingestion
`threat-report`	Generate a threat intelligence report from MISP data

Usage Examples

Search for an IOC

"Search MISP for the IP address 203.0.113.50"

Uses misp_search_events and misp_search_attributes to find all events and attributes referencing this IP.

Investigate a suspicious domain

"Investigate evil-domain.com in MISP"

Triggers the investigate-ioc prompt workflow: searches for the domain, checks correlations, queries warninglists, and provides a structured threat assessment.

Create an incident event

"Create a MISP event for a phishing campaign targeting our finance team. The phishing emails came from attacker@evil.com and linked to https://evil-login.com/harvest"

Uses misp_create_event followed by misp_add_attributes_bulk to create a fully populated event.

Export Suricata rules

"Export all IOCs from the last 7 days as Suricata rules"

Uses misp_export_iocs with format "suricata" and last "7d".

Check for false positives

"Is 8.8.8.8 on any MISP warninglists?"

Uses misp_check_warninglists to verify if the value is a known benign indicator.

Supported Attribute Types

Type	Category	Example
`ip-src`	Network activity	Source IP address
`ip-dst`	Network activity	Destination IP address
`domain`	Network activity	Domain name
`hostname`	Network activity	Hostname
`url`	Network activity	Full URL
`email-src`	Payload delivery	Sender email address
`md5`	Payload delivery	MD5 file hash
`sha1`	Payload delivery	SHA1 file hash
`sha256`	Payload delivery	SHA256 file hash
`filename`	Payload delivery	File name

Use misp_describe_types for the complete list of supported types and categories.

Testing

npm test              # Run all tests
npm run test:watch    # Watch mode
npm run lint          # Type check

Project Structure

misp-mcp/
  src/
    index.ts              # MCP server entry point
    config.ts             # Environment config + validation
    client.ts             # MISP REST API client
    types.ts              # MISP API type definitions
    resources.ts          # MCP resources
    prompts.ts            # MCP prompts
    tools/
      events.ts           # Event CRUD tools
      attributes.ts       # Attribute management tools
      correlation.ts      # Correlation & intelligence tools
      tags.ts             # Tag and taxonomy tools
      exports.ts          # Export format tools
      sightings.ts        # Sighting tools
      warninglists.ts     # Warninglist checks
  tests/
    client.test.ts        # API client unit tests
    tools.test.ts         # Tool handler unit tests
  package.json
  tsconfig.json
  tsup.config.ts
  vitest.config.ts
  README.md

License

MIT

misp-mcp

misp-mcp

Features

Prerequisites

Installation

Configuration

Usage

Claude Desktop

Standalone

Development

Tools Reference

Event Tools

Attribute Tools

Correlation & Intelligence Tools

Tag & Taxonomy Tools

Export Tools

Sighting & Warninglist Tools

Resources

Prompts

Usage Examples

Search for an IOC

Investigate a suspicious domain

Create an incident event

Export Suricata rules

Check for false positives

Supported Attribute Types

Testing

Project Structure

License

Reviews