Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| MISP_URL | Yes | MISP instance base URL | |
| MISP_API_KEY | Yes | API authentication key | |
| MISP_VERIFY_SSL | No | Set to 'false' to disable TLS certificate verification (for self-signed certificates) | true |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | { "listChanged": true } |
| prompts | { "listChanged": true } |
| resources | { "listChanged": true } |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| misp_search_events | Search MISP events by IOC value, type, tags, date range, or organization |
| misp_get_event | Get full details of a specific MISP event including all attributes, objects, tags, and related events |
| misp_create_event | Create a new MISP event for documenting incidents or threat intelligence |
| misp_update_event | Update an existing MISP event's metadata (info, threat level, analysis status, publish state) |
| misp_publish_event | Publish a MISP event, triggering alerts and notifications to sharing partners |
| misp_tag_event | Add or remove a tag from a MISP event (TLP, MITRE ATT&CK, custom tags) |
| misp_search_attributes | Search for specific attributes (IOCs) across all MISP events |
| misp_add_attribute | Add an IOC/attribute to a MISP event |
| misp_add_attributes_bulk | Add multiple attributes (IOCs) to a MISP event at once |
| misp_delete_attribute | Delete (soft or hard) an attribute from MISP |
| misp_correlate | Find correlations for a specific observable value across all MISP events |
| misp_get_related_events | Get events related to a specific event through shared attributes and correlations |
| misp_describe_types | Get all available MISP attribute types and categories with their mappings |
| misp_list_tags | List available MISP tags with usage statistics |
| misp_search_by_tag | Search MISP events or attributes by tag (MITRE ATT&CK, TLP, custom tags) |
| misp_export_iocs | Export IOCs from MISP in various formats (CSV, STIX, Suricata, Snort, text, RPZ) |
| misp_export_hashes | Export file hashes from MISP for HIDS integration |
| misp_add_sighting | Report a sighting of an IOC (confirms it was observed in the wild, marks as false positive, or sets expiration) |
| misp_check_warninglists | Check if an observable value appears on any MISP warninglists (known benign/false positive lists) |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| investigate-ioc | Deep investigation of an IOC across MISP - searches for the indicator, finds correlations, checks warninglists, and summarizes threat context |
| create-incident-event | Guided workflow for creating a MISP event from an incident, including adding attributes, tagging, and publishing |
| threat-report | Generate a threat intelligence report from MISP data by aggregating events, extracting IOC patterns, and summarizing the threat landscape |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| types | All supported MISP attribute types and categories with their mappings |
| statistics | MISP instance statistics (event count, attribute count, organization info) |
| taxonomies | Available MISP taxonomies (TLP, MITRE ATT&CK, etc.) |