MISP

Provides MCP-based access to MISP for IOC lookup, event management, correlation discovery, and threat export in multiple formats.

GitHub Stars: 0
Language: typescript
First Indexed: 2 months ago
Catalog Refreshed: 3 weeks ago

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "solomonneas-misp-mcp": {
      "command": "node",
      "args": [
        "/path/to/misp-mcp/dist/index.js"
      ],
      "env": {
        "MISP_URL": "https://misp.example.com",
        "MISP_API_KEY": "your-api-key-here",
        "MISP_VERIFY_SSL": "true"
      }
    }
  }
}

The MISP MCP Server exposes your MISP instance to MCP clients. It provides a set of tools, prompts, and resources for performing IOC lookups, managing events, discovering correlations, and exporting threat intelligence directly from MISP.

How to use

You connect to the MISP MCP Server from your MCP client to perform a wide range of MISP actions through the MCP interface. Practical workflows include searching events and IOCs, creating or updating events, correlating indicators across events, exporting threat intelligence in multiple formats, and running guided prompts for IOC investigations, incident creation, and threat reporting. You can run the server in a local development setup or connect to it via an external client configuration. Use the provided environment variables to point the MCP server at your MISP instance and authenticate with the MISP API key.

How to install

Follow these concrete steps to set up the MISP MCP Server in your environment.

# 1. Clone the project
git clone https://github.com/solomonneas/misp-mcp.git

# 2. Enter the project directory
cd misp-mcp

# 3. Install dependencies
npm install

# 4. Build the server
npm run build

Configuration

Configure your MISP connection by setting the required environment variables. You supply the MISP base URL and the API key, and you can choose whether to verify SSL certificates (use false if you are using self-signed certificates). Note that disabling verification means the server's identity is not checked before the API key is sent, so where possible add the self-signed CA to the host's trust store instead. These are the variables you will use.

export MISP_URL=https://misp.example.com
export MISP_API_KEY=your-api-key-here
export MISP_VERIFY_SSL=true  # Set to 'false' for self-signed certificates

Usage examples

You can run the MCP server directly or configure a client to connect to it. For example, you can start the server on its own with Node, passing the environment variables on the command line, or you can have a Claude Desktop MCP client load the server from its configuration file.

# Standalone run example
MISP_URL=https://misp.example.com MISP_API_KEY=your-key node dist/index.js

# Claude Desktop MCP config example
{
  "mcpServers": {
    "misp": {
      "command": "node",
      "args": ["/path/to/misp-mcp/dist/index.js"],
      "env": {
        "MISP_URL": "https://misp.example.com",
        "MISP_API_KEY": "your-api-key-here",
        "MISP_VERIFY_SSL": "true"
      }
    }
  }
}

Security and best practices

Protect your MISP API key and control access to the MCP server. If you operate in a production environment, prefer enabling SSL verification and restrict API access to trusted clients. Rotate API keys periodically and monitor usage to detect unusual activity.
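As an added example (not code from the misp-mcp project), the following TypeScript audits an MCP client configuration of the shape shown above for the three settings this section is about: a MISP_URL that is not https, MISP_VERIFY_SSL switched off, and an API key left at the placeholder value. The config layout and the placeholder string come from this page; the function name and the sample config are assumptions.

```typescript
// Added example, not part of misp-mcp: audit an MCP client config for
// weak MISP connection settings before it is installed on a host.
// Assumed shape: {"mcpServers": {<name>: {command, args, env}}} as shown
// on this page; env carries MISP_URL, MISP_API_KEY and MISP_VERIFY_SSL.

interface McpServerEntry {
  command?: string;
  args?: string[];
  env?: Record<string, string>;
}

interface McpConfig {
  mcpServers?: Record<string, McpServerEntry>;
}

// Returns one finding per weak setting; an empty array means nothing flagged.
function auditMispConfig(configJson: string): string[] {
  const findings: string[] = [];
  const cfg = JSON.parse(configJson) as McpConfig;
  for (const [name, server] of Object.entries(cfg.mcpServers ?? {})) {
    const env = server.env ?? {};
    const url = env.MISP_URL ?? "";
    const key = env.MISP_API_KEY ?? "";
    const verify = env.MISP_VERIFY_SSL;
    // Plain http would send the API key header in clear text.
    if (!url.startsWith("https://")) {
      findings.push(`${name}: MISP_URL is not https`);
    }
    // Only an explicit non-"true" value is flagged; an unset variable is
    // left to the server's own default (assumption: we do not know it here).
    if (verify !== undefined && verify.toLowerCase() !== "true") {
      findings.push(`${name}: MISP_VERIFY_SSL=${verify}, server identity is not checked`);
    }
    if (key === "" || key === "your-api-key-here") {
      findings.push(`${name}: MISP_API_KEY is empty or still the placeholder`);
    }
  }
  return findings;
}

// Constructed sample: the page's template with verification turned off
// and the URL downgraded to http, so all three checks fire.
const SAMPLE_WEAK_CONFIG = JSON.stringify({
  mcpServers: {
    misp: {
      command: "node",
      args: ["/path/to/misp-mcp/dist/index.js"],
      env: { MISP_URL: "http://misp.example.com", MISP_API_KEY: "your-api-key-here", MISP_VERIFY_SSL: "false" },
    },
  },
});
```

Run it against the config file before copying it into the MCP host; a non-empty result is a reason to fix the settings rather than deploy.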

Troubleshooting notes

If you encounter SSL verification issues in a self-signed environment, set MISP_VERIFY_SSL to false in your environment before starting the server. Ensure the MISP URL is reachable from the MCP server host and that the API key has the necessary permissions.

Notes

Two common ways to run the MCP server are shown: via a Claude Desktop MCP configuration and via a direct Node start. Both approaches rely on the same MCP server binary and environment variables.

Tools reference

The MCP server exposes a broad set of tools for Event, Attribute, Correlation, Tag, Export, Sighting, and Warninglist management, enabling you to perform end-to-end threat intelligence workflows.

Prompts and resources

Leverage guided prompts to investigate IOCs, create incident events, and generate threat intelligence reports. Resources expose types, statistics, and taxonomies to help you understand and structure your data.

Usage hints for connecting from clients

Configure your MCP client with the server’s connection details, including the command path or the HTTP endpoint if you use a remote server. Use the same environment variables to ensure authentication and SSL behavior are consistent.

Supported attribute types and examples

The server supports a wide range of attribute types spanning network activity, payload delivery, and file hashes. You can browse or query available types and categories through the provided resources.

Testing

Run the test suite to verify client integration and tool handlers.

Available tools

misp_search_events: Search events by IOC value, type, tags, date range, and organization
misp_get_event: Retrieve full event details including attributes, objects, galaxies, and related events
misp_create_event: Create a new event with threat level, distribution, and analysis status
misp_update_event: Update event metadata such as info, threat level, analysis, and publish state
misp_publish_event: Publish an event to trigger alerts to sharing partners
misp_tag_event: Add or remove tags from an event
misp_search_attributes: Search IOCs across all events with type, category, and correlation filters
misp_add_attribute: Add a single IOC to an event
misp_add_attributes_bulk: Add multiple IOCs to an event in one operation
misp_delete_attribute: Soft or hard delete an attribute
misp_correlate: Find all events and attributes matching a value, with cross-event correlations
misp_get_related_events: Discover events related through shared IOCs
misp_describe_types: Get all available attribute types and category mappings
misp_list_tags: List available tags with usage statistics
misp_search_by_tag: Find events or attributes by tag
misp_export_iocs: Export IOCs in CSV, STIX, Suricata, Snort, text, or RPZ formats
misp_export_hashes: Export file hashes (MD5, SHA1, SHA256) for HIDS integration
misp_add_sighting: Report a sighting, false positive, or expiration for an IOC
misp_check_warninglists: Check if a value appears on known benign/false positive lists

Catalogue built by VeilStrat. © 2026 VeilStrat. All rights reserved.