Which integrations are available for this server?

Provides tools to export threat intelligence Indicators of Compromise (IOCs) from a MISP instance in Snort format, facilitating integration with network intrusion detection and prevention systems.

How do I use misp-mcp?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@misp-mcp Check if the domain malicious-site.com has any correlations or sightings" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

misp-mcp

TypeScript Node.js MCP SDK License: MIT

An MCP (Model Context Protocol) server for MISP (Malware Information Sharing Platform & Threat Intelligence Sharing). Enables LLMs to perform IOC lookups, manage events, discover correlations, and export threat intelligence directly from your MISP instance.

Features

18 MCP Tools - Full MISP API coverage: events, attributes, correlations, tags, exports, sightings, warninglists
3 MCP Resources - Browse attribute types, instance statistics, and available taxonomies
3 MCP Prompts - Guided workflows for IOC investigation, incident event creation, and threat reporting
SSL Flexibility - Handles self-signed certificates common in MISP deployments
Export Formats - CSV, STIX, Suricata, Snort, text, RPZ, and hash lists
Bulk Operations - Add multiple IOCs to events in a single call
Correlation Engine - Discover cross-event relationships through shared indicators

Prerequisites

Node.js 20 or later
A running MISP instance with API access
MISP API key (generated from MISP UI: Administration > List Auth Keys)

Installation

git clone https://github.com/solomonneas/misp-mcp.git cd misp-mcp npm install npm run build

Configuration

Set the following environment variables:

export MISP_URL=https://misp.example.com export MISP_API_KEY=your-api-key-here export MISP_VERIFY_SSL=true # Set to 'false' for self-signed certificates

Variable	Required	Default	Description
`MISP_URL`	Yes	-	MISP instance base URL
`MISP_API_KEY`	Yes	-	API authentication key
`MISP_VERIFY_SSL`	No	`true`	Set `false` for self-signed certs

Usage

Claude Desktop

Add to your Claude Desktop MCP config (claude_desktop_config.json):

{ "mcpServers": { "misp": { "command": "node", "args": ["/path/to/misp-mcp/dist/index.js"], "env": { "MISP_URL": "https://misp.example.com", "MISP_API_KEY": "your-api-key-here", "MISP_VERIFY_SSL": "true" } } } }

Standalone

MISP_URL=https://misp.example.com MISP_API_KEY=your-key node dist/index.js

Development

MISP_URL=https://misp.example.com MISP_API_KEY=your-key npm run dev

Tools Reference

Event Tools

Tool	Description
`misp_search_events`	Search events by IOC value, type, tags, date range, organization
`misp_get_event`	Get full event details including attributes, objects, galaxies, related events
`misp_create_event`	Create a new event with threat level, distribution, and analysis status
`misp_update_event`	Update event metadata (info, threat level, analysis, publish state)
`misp_publish_event`	Publish an event to trigger alerts to sharing partners
`misp_tag_event`	Add or remove tags (TLP, MITRE ATT&CK, custom) from an event

Attribute Tools

Tool	Description
`misp_search_attributes`	Search IOCs across all events with type, category, and correlation filters
`misp_add_attribute`	Add a single IOC to an event
`misp_add_attributes_bulk`	Add multiple IOCs to an event in one operation
`misp_delete_attribute`	Soft or hard delete an attribute

Correlation & Intelligence Tools

Tool	Description
`misp_correlate`	Find all events and attributes matching a value, with cross-event correlations
`misp_get_related_events`	Discover events related through shared IOCs
`misp_describe_types`	Get all available attribute types and category mappings

Tag & Taxonomy Tools

Tool	Description
`misp_list_tags`	List available tags with usage statistics
`misp_search_by_tag`	Find events or attributes by tag

Export Tools

Tool	Description
`misp_export_iocs`	Export IOCs in CSV, STIX, Suricata, Snort, text, or RPZ format
`misp_export_hashes`	Export file hashes (MD5, SHA1, SHA256) for HIDS integration

Sighting & Warninglist Tools

Tool	Description
`misp_add_sighting`	Report a sighting, false positive, or expiration for an IOC
`misp_check_warninglists`	Check if a value appears on known benign/false positive lists

Resources

Resource URI	Description
`misp://types`	All supported attribute types, categories, and their mappings
`misp://statistics`	MISP instance statistics
`misp://taxonomies`	Available taxonomies (TLP, MITRE ATT&CK, etc.)

Prompts

Prompt	Description
`investigate-ioc`	Deep IOC investigation: search, correlate, check warninglists, summarize threat context
`create-incident-event`	Guided event creation from an incident description with IOC ingestion
`threat-report`	Generate a threat intelligence report from MISP data

Usage Examples

Search for an IOC

"Search MISP for the IP address 203.0.113.50"

Uses misp_search_events and misp_search_attributes to find all events and attributes referencing this IP.

Investigate a suspicious domain

"Investigate evil-domain.com in MISP"

Triggers the investigate-ioc prompt workflow: searches for the domain, checks correlations, queries warninglists, and provides a structured threat assessment.

Create an incident event

"Create a MISP event for a phishing campaign targeting our finance team. The phishing emails came from attacker@evil.com and linked to https://evil-login.com/harvest"

Uses misp_create_event followed by misp_add_attributes_bulk to create a fully populated event.

Export Suricata rules

"Export all IOCs from the last 7 days as Suricata rules"

Uses misp_export_iocs with format "suricata" and last "7d".

Check for false positives

"Is 8.8.8.8 on any MISP warninglists?"

Uses misp_check_warninglists to verify if the value is a known benign indicator.

Supported Attribute Types

Type	Category	Example
`ip-src`	Network activity	Source IP address
`ip-dst`	Network activity	Destination IP address
`domain`	Network activity	Domain name
`hostname`	Network activity	Hostname
`url`	Network activity	Full URL
`email-src`	Payload delivery	Sender email address
`md5`	Payload delivery	MD5 file hash
`sha1`	Payload delivery	SHA1 file hash
`sha256`	Payload delivery	SHA256 file hash
`filename`	Payload delivery	File name

Use misp_describe_types for the complete list of supported types and categories.

Testing

npm test # Run all tests npm run test:watch # Watch mode npm run lint # Type check

Project Structure

misp-mcp/ src/ index.ts # MCP server entry point config.ts # Environment config + validation client.ts # MISP REST API client types.ts # MISP API type definitions resources.ts # MCP resources prompts.ts # MCP prompts tools/ events.ts # Event CRUD tools attributes.ts # Attribute management tools correlation.ts # Correlation & intelligence tools tags.ts # Tag and taxonomy tools exports.ts # Export format tools sightings.ts # Sighting tools warninglists.ts # Warninglist checks tests/ client.test.ts # API client unit tests tools.test.ts # Tool handler unit tests package.json tsconfig.json tsup.config.ts vitest.config.ts README.md

License

MIT

Install Server

A

security – no known vulnerabilities

F

license - not found

A

quality - confirmed to work

How are these scores calculated?

Resources

GitHub Repository

Need Help?

Report Issue

Related Servers

Tools

View all tools

misp-mcp

misp-mcp

Features

Prerequisites

Installation

Configuration

Usage

Claude Desktop

Standalone

Development

Tools Reference

Event Tools

Attribute Tools

Correlation & Intelligence Tools

Tag & Taxonomy Tools

Export Tools

Sighting & Warninglist Tools

Resources

Prompts

Usage Examples

Search for an IOC

Investigate a suspicious domain

Create an incident event

Export Suricata rules

Check for false positives

Supported Attribute Types

Testing

Project Structure

License

Resources

Tools

New MCP Servers

Latest Blog Posts

MCP directory API