misp-mcp

misp-mcp

An MCP server that enables LLMs to interact with MISP for threat intelligence sharing, IOC lookups, and event management. It provides tools for investigating indicators, discovering correlations, and exporting intelligence in formats like STIX and Suricata.

Category
Visit Server

README

misp-mcp

TypeScript Node.js MCP SDK License: MIT

An MCP (Model Context Protocol) server for MISP (Malware Information Sharing Platform & Threat Intelligence Sharing). Enables LLMs to perform IOC lookups, manage events, discover correlations, and export threat intelligence directly from your MISP instance.

Features

  • 18 MCP Tools - Full MISP API coverage: events, attributes, correlations, tags, exports, sightings, warninglists
  • 3 MCP Resources - Browse attribute types, instance statistics, and available taxonomies
  • 3 MCP Prompts - Guided workflows for IOC investigation, incident event creation, and threat reporting
  • SSL Flexibility - Handles self-signed certificates common in MISP deployments
  • Export Formats - CSV, STIX, Suricata, Snort, text, RPZ, and hash lists
  • Bulk Operations - Add multiple IOCs to events in a single call
  • Correlation Engine - Discover cross-event relationships through shared indicators

Prerequisites

  • Node.js 20 or later
  • A running MISP instance with API access
  • MISP API key (generated from MISP UI: Administration > List Auth Keys)

Installation

git clone https://github.com/solomonneas/misp-mcp.git
cd misp-mcp
npm install
npm run build

Configuration

Set the following environment variables:

export MISP_URL=https://misp.example.com
export MISP_API_KEY=your-api-key-here
export MISP_VERIFY_SSL=true  # Set to 'false' for self-signed certificates
Variable Required Default Description
MISP_URL Yes - MISP instance base URL
MISP_API_KEY Yes - API authentication key
MISP_VERIFY_SSL No true Set false for self-signed certs

Usage

Claude Desktop

Add to your Claude Desktop MCP config (claude_desktop_config.json):

{
  "mcpServers": {
    "misp": {
      "command": "node",
      "args": ["/path/to/misp-mcp/dist/index.js"],
      "env": {
        "MISP_URL": "https://misp.example.com",
        "MISP_API_KEY": "your-api-key-here",
        "MISP_VERIFY_SSL": "true"
      }
    }
  }
}

Standalone

MISP_URL=https://misp.example.com MISP_API_KEY=your-key node dist/index.js

Development

MISP_URL=https://misp.example.com MISP_API_KEY=your-key npm run dev

Tools Reference

Event Tools

Tool Description
misp_search_events Search events by IOC value, type, tags, date range, organization
misp_get_event Get full event details including attributes, objects, galaxies, related events
misp_create_event Create a new event with threat level, distribution, and analysis status
misp_update_event Update event metadata (info, threat level, analysis, publish state)
misp_publish_event Publish an event to trigger alerts to sharing partners
misp_tag_event Add or remove tags (TLP, MITRE ATT&CK, custom) from an event

Attribute Tools

Tool Description
misp_search_attributes Search IOCs across all events with type, category, and correlation filters
misp_add_attribute Add a single IOC to an event
misp_add_attributes_bulk Add multiple IOCs to an event in one operation
misp_delete_attribute Soft or hard delete an attribute

Correlation & Intelligence Tools

Tool Description
misp_correlate Find all events and attributes matching a value, with cross-event correlations
misp_get_related_events Discover events related through shared IOCs
misp_describe_types Get all available attribute types and category mappings

Tag & Taxonomy Tools

Tool Description
misp_list_tags List available tags with usage statistics
misp_search_by_tag Find events or attributes by tag

Export Tools

Tool Description
misp_export_iocs Export IOCs in CSV, STIX, Suricata, Snort, text, or RPZ format
misp_export_hashes Export file hashes (MD5, SHA1, SHA256) for HIDS integration

Sighting & Warninglist Tools

Tool Description
misp_add_sighting Report a sighting, false positive, or expiration for an IOC
misp_check_warninglists Check if a value appears on known benign/false positive lists

Resources

Resource URI Description
misp://types All supported attribute types, categories, and their mappings
misp://statistics MISP instance statistics
misp://taxonomies Available taxonomies (TLP, MITRE ATT&CK, etc.)

Prompts

Prompt Description
investigate-ioc Deep IOC investigation: search, correlate, check warninglists, summarize threat context
create-incident-event Guided event creation from an incident description with IOC ingestion
threat-report Generate a threat intelligence report from MISP data

Usage Examples

Search for an IOC

"Search MISP for the IP address 203.0.113.50"

Uses misp_search_events and misp_search_attributes to find all events and attributes referencing this IP.

Investigate a suspicious domain

"Investigate evil-domain.com in MISP"

Triggers the investigate-ioc prompt workflow: searches for the domain, checks correlations, queries warninglists, and provides a structured threat assessment.

Create an incident event

"Create a MISP event for a phishing campaign targeting our finance team. The phishing emails came from attacker@evil.com and linked to https://evil-login.com/harvest"

Uses misp_create_event followed by misp_add_attributes_bulk to create a fully populated event.

Export Suricata rules

"Export all IOCs from the last 7 days as Suricata rules"

Uses misp_export_iocs with format "suricata" and last "7d".

Check for false positives

"Is 8.8.8.8 on any MISP warninglists?"

Uses misp_check_warninglists to verify if the value is a known benign indicator.

Supported Attribute Types

Type Category Example
ip-src Network activity Source IP address
ip-dst Network activity Destination IP address
domain Network activity Domain name
hostname Network activity Hostname
url Network activity Full URL
email-src Payload delivery Sender email address
md5 Payload delivery MD5 file hash
sha1 Payload delivery SHA1 file hash
sha256 Payload delivery SHA256 file hash
filename Payload delivery File name

Use misp_describe_types for the complete list of supported types and categories.

Testing

npm test              # Run all tests
npm run test:watch    # Watch mode
npm run lint          # Type check

Project Structure

misp-mcp/
  src/
    index.ts              # MCP server entry point
    config.ts             # Environment config + validation
    client.ts             # MISP REST API client
    types.ts              # MISP API type definitions
    resources.ts          # MCP resources
    prompts.ts            # MCP prompts
    tools/
      events.ts           # Event CRUD tools
      attributes.ts       # Attribute management tools
      correlation.ts      # Correlation & intelligence tools
      tags.ts             # Tag and taxonomy tools
      exports.ts          # Export format tools
      sightings.ts        # Sighting tools
      warninglists.ts     # Warninglist checks
  tests/
    client.test.ts        # API client unit tests
    tools.test.ts         # Tool handler unit tests
  package.json
  tsconfig.json
  tsup.config.ts
  vitest.config.ts
  README.md

License

MIT

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured