import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { z } from "zod";
export function registerPrompts(server: McpServer): void {
// Investigate IOC
server.prompt(
"investigate-ioc",
"Deep investigation of an IOC across MISP - searches for the indicator, finds correlations, checks warninglists, and summarizes threat context",
{
ioc: z.string().describe("The IOC value to investigate (IP, domain, hash, URL, email, etc.)"),
iocType: z.string().optional().describe("IOC type hint (ip-src, domain, md5, sha256, url, etc.)"),
},
({ ioc, iocType }) => {
const typeHint = iocType
? `The IOC type is "${iocType}".`
: "Determine the IOC type from the value format.";
return {
messages: [
{
role: "user",
content: {
type: "text",
text: `Investigate the following IOC in MISP: "${ioc}"
${typeHint}
Follow these steps:
1. Use misp_search_attributes to search for this IOC value across all events. If you know the type, filter by it.
2. Use misp_correlate to find all correlations for this value across events.
3. Use misp_check_warninglists to check if this value appears on any known benign/false positive lists.
4. For each event found, note the threat level, tags (especially TLP and MITRE ATT&CK), and related IOCs.
5. If the IOC appears in multiple events, use misp_get_related_events on the most relevant event to discover additional related intelligence.
Provide a structured summary including:
- Whether the IOC was found in MISP and in how many events
- Threat level assessment based on event metadata
- Related IOCs and correlations discovered
- Whether it appears on any warninglists (potential false positive)
- MITRE ATT&CK techniques associated with this IOC
- Recommended next steps for the analyst`,
},
},
],
};
}
);
// Create incident event
server.prompt(
"create-incident-event",
"Guided workflow for creating a MISP event from an incident, including adding attributes, tagging, and publishing",
{
description: z.string().describe("Description of the incident"),
iocs: z.string().optional().describe("Comma-separated list of IOCs to add (e.g., '192.168.1.1,evil.com,abc123hash')"),
},
({ description, iocs }) => {
const iocList = iocs
? `\nThe following IOCs should be added: ${iocs}`
: "\nAsk the analyst for any IOCs (IP addresses, domains, file hashes, URLs) associated with this incident.";
return {
messages: [
{
role: "user",
content: {
type: "text",
text: `Create a MISP event for the following incident:
"${description}"
${iocList}
Follow these steps:
1. Use misp_create_event with:
- An informative title based on the incident description
- Appropriate threat level (1=High for active compromise, 2=Medium for suspicious activity, 3=Low for informational)
- Analysis status: 0 (Initial)
- Distribution: 0 (Organization only) to start - can be broadened later
2. For each IOC:
- Determine the correct attribute type (ip-src, ip-dst, domain, md5, sha256, url, etc.)
- Use misp_add_attribute (or misp_add_attributes_bulk for multiple) to add them
- Use misp_check_warninglists to verify none are known false positives
3. Add appropriate tags using misp_tag_event:
- TLP tag (tlp:white, tlp:green, tlp:amber, tlp:red)
- Relevant MITRE ATT&CK technique tags if applicable
- Any organization-specific tags
4. Summarize what was created:
- Event ID and title
- Number of attributes added
- Tags applied
- Ask if the analyst wants to publish (misp_publish_event) or keep as draft`,
},
},
],
};
}
);
// Threat report
server.prompt(
"threat-report",
"Generate a threat intelligence report from MISP data by aggregating events, extracting IOC patterns, and summarizing the threat landscape",
{
eventId: z.string().optional().describe("Specific event ID to report on"),
tag: z.string().optional().describe("Filter by tag (e.g., mitre-attack:T1059, tlp:amber)"),
dateRange: z.string().optional().describe("Date range or relative time (e.g., '7d', '30d', '2024-01-01 to 2024-01-31')"),
},
({ eventId, tag, dateRange }) => {
let scopeInstructions: string;
if (eventId) {
scopeInstructions = `Focus on event ID ${eventId}. Use misp_get_event to get full details, then misp_get_related_events for context.`;
} else if (tag) {
scopeInstructions = `Focus on events tagged with "${tag}". Use misp_search_by_tag to find matching events.`;
} else if (dateRange) {
const isRelative = /^\d+[dmhwy]$/.test(dateRange);
if (isRelative) {
scopeInstructions = `Focus on events from the last ${dateRange}. Use misp_search_events with last="${dateRange}".`;
} else {
scopeInstructions = `Focus on events in the date range: ${dateRange}. Use misp_search_events with appropriate dateFrom/dateTo.`;
}
} else {
scopeInstructions = `Generate a report on recent threat activity. Use misp_search_events with last="7d" to get the latest events.`;
}
return {
messages: [
{
role: "user",
content: {
type: "text",
text: `Generate a threat intelligence report from MISP data.
${scopeInstructions}
Report structure:
1. **Executive Summary**: Brief overview of the threat landscape for the specified scope
2. **Key Events**: List the most significant events with threat levels and descriptions
3. **IOC Summary**:
- Use misp_search_attributes to aggregate IOC types and counts
- List the most significant indicators by type (IPs, domains, hashes, URLs)
4. **MITRE ATT&CK Coverage**: List any ATT&CK techniques observed across the events
5. **Correlations**: Use misp_correlate on high-value IOCs to discover cross-event links
6. **Recommendations**:
- Immediate blocking actions (IPs, domains to block)
- Detection rules needed
- Areas requiring further investigation
Format the report in clear markdown with headers and tables where appropriate.`,
},
},
],
};
}
);
}
