
Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| MISP_URL | Yes | MISP instance base URL | |
| MISP_API_KEY | Yes | API authentication key | |
| MISP_VERIFY_SSL | No | Set to 'false' for self-signed certificates | true |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
| --- | --- |
| tools | { "listChanged": true } |
| prompts | { "listChanged": true } |
| resources | { "listChanged": true } |

Tools

Functions exposed to the LLM to take actions

| Name | | Description |
| --- | --- | --- |
| misp_search_events | B | Search MISP events by IOC value, type, tags, date range, or organization |
| misp_get_event | A | Get full details of a specific MISP event including all attributes, objects, tags, and related events |
| misp_create_event | A | Create a new MISP event for documenting incidents or threat intelligence. Does not publish - use misp_publish_event separately. |
| misp_update_event | A | Update an existing MISP event's metadata (info, threat level, analysis status). Publishing is separate - use misp_publish_event. |
| misp_publish_event | A | Publish a MISP event, triggering alerts and notifications to sharing partners |
| misp_tag_event | B | Add or remove a tag from a MISP event (TLP, MITRE ATT&CK, custom tags) |
| misp_search_attributes | B | Search for specific attributes (IOCs) across all MISP events |
| misp_add_attribute | B | Add an IOC/attribute to a MISP event |
| misp_add_attributes_bulk | B | Add multiple attributes (IOCs) to a MISP event at once |
| misp_delete_attribute | B | Delete (soft or hard) an attribute from MISP |
| misp_correlate | B | Find correlations for a specific observable value across all MISP events |
| misp_get_related_events | A | Get events related to a specific event through shared attributes and correlations |
| misp_describe_types | A | Get all available MISP attribute types and categories with their mappings |
| misp_list_tags | B | List available MISP tags with usage statistics |
| misp_search_by_tag | A | Search MISP events or attributes by tag (MITRE ATT&CK, TLP, custom tags) |
| misp_export_iocs | B | Export IOCs from MISP in various formats (CSV, STIX, Suricata, Snort, text, RPZ) |
| misp_export_hashes | B | Export file hashes from MISP for HIDS integration |
| misp_add_sighting | B | Report a sighting of an IOC (confirms it was observed in the wild, marks as false positive, or sets expiration) |
| misp_check_warninglists | A | Check if an observable value appears on any MISP warninglists (known benign/false positive lists) |
| misp_list_object_templates | B | List available MISP object templates (file, domain-ip, email, network-connection, etc.) |
| misp_get_object_template | A | Get details of a specific MISP object template including required and optional attributes |
| misp_add_object | A | Add a MISP object (structured group of attributes) to an event |
| misp_delete_object | B | Delete a MISP object from an event |
| misp_list_galaxies | A | List available MISP galaxies (MITRE ATT&CK, threat actors, malware families, tools, etc.) |
| misp_get_galaxy | B | Get a specific galaxy with its clusters (e.g., MITRE ATT&CK techniques, threat actor profiles) |
| misp_search_galaxy_clusters | B | Search galaxy clusters by keyword (find specific MITRE ATT&CK techniques, threat actors, malware, etc.) |
| misp_attach_galaxy_cluster | B | Attach a galaxy cluster (MITRE ATT&CK technique, threat actor, etc.) to an event or attribute |
| misp_list_feeds | B | List configured MISP feeds (threat intel sources, IOC feeds, etc.) |
| misp_toggle_feed | B | Enable or disable a MISP feed |
| misp_fetch_feed | A | Trigger a fetch/pull of data from a specific MISP feed |
| misp_cache_feed | A | Cache feed data locally for correlation without creating events |
| misp_list_organisations | B | List MISP organisations (local and remote sharing partners) |
| misp_get_organisation | B | Get details of a specific MISP organisation |
| misp_server_status | A | Get MISP server version, status, and diagnostic information |
| misp_list_sharing_groups | B | List MISP sharing groups for controlled event distribution |
| misp_delete_event | C | Delete a MISP event (requires appropriate permissions) |

Prompts

Interactive templates invoked by user choice

| Name | Description |
| --- | --- |
| investigate-ioc | Deep investigation of an IOC across MISP - searches for the indicator, finds correlations, checks warninglists, and summarizes threat context |
| create-incident-event | Guided workflow for creating a MISP event from an incident, including adding attributes, tagging, and publishing |
| threat-report | Generate a threat intelligence report from MISP data by aggregating events, extracting IOC patterns, and summarizing the threat landscape |

Resources

Contextual data attached and managed by the client

| Name | Description |
| --- | --- |
| types | All supported MISP attribute types and categories with their mappings |
| statistics | MISP instance capability summary (supported attribute types and categories). Use misp_search_events for actual counts. |
| taxonomies | Available MISP taxonomies (TLP, MITRE ATT&CK, etc.) |


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/solomonneas/misp-mcp'
