MISP MCP Server

Interact with MISP for threat intelligence sharing, IOC lookups, and management.

monitoringmispthreat-intelligencecybersecurityioc
README.md

misp-mcp

An MCP (Model Context Protocol) server for MISP (Malware Information Sharing Platform & Threat Intelligence Sharing). Enables LLMs to perform IOC lookups, manage events, discover correlations, and export threat intelligence directly from your MISP instance.

Features

  • 36 MCP Tools covering events, attributes, correlations, tags, exports, sightings, warninglists, objects, galaxies, feeds, organisations, and server management
  • 3 MCP Resources for browsing attribute types, instance statistics, and available taxonomies
  • 3 MCP Prompts for guided IOC investigation, incident event creation, and threat reporting
  • SSL Flexibility for self-signed certificates common in MISP deployments
  • Export Formats including CSV, STIX, Suricata, Snort, text, RPZ, and hash lists
  • MITRE ATT&CK Integration via galaxy cluster search and attachment
  • Bulk Operations for adding multiple IOCs to events in a single call
  • Correlation Engine for discovering cross-event relationships through shared indicators

Prerequisites

  • Node.js 20 or later
  • A running MISP instance with API access
  • MISP API key (generated from MISP UI: Administration > List Auth Keys)

Installation

git clone https://github.com/solomonneas/misp-mcp.git
cd misp-mcp
npm install
npm run build

Configuration

Set the following environment variables:

export MISP_URL=https://misp.example.com
export MISP_API_KEY=your-api-key-here
export MISP_VERIFY_SSL=true  # Set to 'false' for self-signed certificates
Variable Required Default Description
MISP_URL Yes - MISP instance base URL
MISP_API_KEY Yes - API authentication key
MISP_VERIFY_SSL No true Set false for self-signed certs
MISP_TIMEOUT No 30 Request timeout in seconds

Usage

Claude Desktop

Add to your Claude Desktop MCP config (claude_desktop_config.json):

{
  "mcpServers": {
    "misp": {
      "command": "node",
      "args": ["/path/to/misp-mcp/dist/index.js"],
      "env": {
        "MISP_URL": "https://misp.example.com",
        "MISP_API_KEY": "your-api-key-here",
        "MISP_VERIFY_SSL": "false"
      }
    }
  }
}

OpenClaw

Add to your openclaw.json MCP servers:

{
  "mcp": {
    "servers": {
      "misp": {
        "command": "node",
        "args": ["/path/to/misp-mcp/dist/index.js"],
        "env": {
          "MISP_URL": "https://misp.example.com",
          "MISP_API_KEY": "your-api-key-here",
          "MISP_VERIFY_SSL": "false"
        }
      }
    }
  }
}

Standalone

MISP_URL=https://misp.example.com MISP_API_KEY=your-key node dist/index.js

Docker

docker build -t misp-mcp .
docker run -e MISP_URL=https://misp.example.com -e MISP_API_KEY=your-key -e MISP_VERIFY_SSL=false misp-mcp

Development

MISP_URL=https://misp.example.com MISP_API_KEY=your-key npm run dev

Tools Reference

Event Tools (6)

Tool Description
misp_search_events Search events by IOC value, type, tags, date range, organization
misp_get_event Get full event details including attributes, objects, galaxies, related events
misp_create_event Create a new event with threat level, distribution, and analysis status
misp_update_event Update event metadata (info, threat level, analysis, publish state)
misp_publish_event Publish an event to trigger alerts to sharing partners
misp_tag_event Add or remove tags (TLP, MITRE ATT&CK, custom) from an event

Attribute Tools (4)

Tool Description
misp_search_attributes Search IOCs across all events with type, category, and correlation filters
misp_add_attribute Add a single IOC to an event
misp_add_attributes_bulk Add multiple IOCs to an event in one operation
misp_delete_attribute Soft or hard delete an attribute

Correlation & Intelligence Tools (3)

Tool Description
misp_correlate Find all events and attributes matching a value, with cross-event correlations
misp_get_related_events Discover events related through shared IOCs
misp_describe_types Get all available attribute types and category mappings

Tag & Taxonomy Tools (2)

Tool Description
misp_list_tags List available tags with usage statistics
misp_search_by_tag Find events or attributes by tag

Export Tool

Tools 5

misp_search_eventsSearch events by IOC value, type, tags, date range, or organization.
misp_get_eventGet full event details including attributes, objects, galaxies, and related events.
misp_create_eventCreate a new event with threat level, distribution, and analysis status.
misp_search_attributesSearch IOCs across all events with type, category, and correlation filters.
misp_correlateFind all events and attributes matching a value, with cross-event correlations.

Environment Variables

MISP_URLrequiredMISP instance base URL
MISP_API_KEYrequiredAPI authentication key
MISP_VERIFY_SSLSet false for self-signed certs
MISP_TIMEOUTRequest timeout in seconds

Try it

Search for recent events related to the IP address 192.168.1.1.
Create a new MISP event for the current incident with a high threat level.
Find all events related to the 'APT28' tag and summarize the findings.
Check if there are any correlations for the file hash provided in the latest report.

Frequently Asked Questions

What are the key features of MISP MCP?

36 MCP tools for comprehensive MISP event and attribute management. Correlation engine for discovering cross-event relationships. Support for multiple export formats including STIX, Suricata, and CSV. MITRE ATT&CK integration via galaxy cluster search. SSL flexibility for self-signed certificate environments.

What can I use MISP MCP for?

Automating the lookup of IOCs during incident response investigations. Streamlining the creation of threat intelligence events from analyst reports. Discovering relationships between disparate security events using the correlation engine. Exporting threat intelligence data for use in network security appliances like Suricata.

How do I install MISP MCP?

Install MISP MCP by running: git clone https://github.com/solomonneas/misp-mcp.git && cd misp-mcp && npm install && npm run build

What MCP clients work with MISP MCP?

MISP MCP works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.

Turn this server into reusable context

Keep MISP MCP docs, env vars, and workflow notes in Conare so your agent carries them across sessions.

Open Conare

Related MCP Servers

Skylos
Find dead code, secrets, and exploitable flows in Python, TypeScript, and Go.
monitoring344 stars
Linux MCP Server
Read-only Linux system administration and diagnostics on RHEL-based systems.
monitoring189 stars
Charles MCP Server
Integrates Charles Proxy with MCP clients for real-time network traffic analysis
monitoring118 stars
Android Proxy MCP
Capture and analyze HTTP/HTTPS traffic from Android devices with AI.
monitoring118 stars
Langfuse MCP
MCP server for Langfuse observability and LLM application management.
monitoring66 stars
HomeButler
All-in-one homelab management MCP server.
monitoring64 stars