misp_add_attribute
Add an IOC (indicator of compromise) to a MISP event by specifying type, value, and event ID. Supports categories, tags, distribution, and IDS flag.
Instructions
Add an IOC/attribute to a MISP event
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| eventId | Yes | Event ID to add the attribute to | |
| type | Yes | Attribute type (ip-src, ip-dst, domain, md5, sha256, sha1, url, email-src, hostname, filename, etc.) | |
| value | Yes | The IOC value | |
| category | No | Category (auto-determined from type if omitted) | |
| toIds | No | Flag for IDS export (default true for applicable types) | |
| comment | No | Context/notes about this IOC | |
| distribution | No | Distribution level (0-4) | |
| tags | No | Tags to apply to the attribute | |
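
The Zod schema shown in the implementation reference types `type` and `value` as plain strings and `distribution` as any number, and the handler passes them to the MISP API unchanged. The following pre-check is an added example, not part of the project's code; `validateAttribute`, `AttrInput` and the per-type rules are assumptions made for illustration.

```typescript
// Added example, not the project's code. The per-type rules are assumptions
// for illustration; MISP's own server-side validation stays authoritative.
type AttrInput = { type: string; value: string; distribution?: number };

const hex = (n: number) => (v: string): boolean =>
  new RegExp(`^[0-9a-fA-F]{${n}}$`).test(v);

const isIPv4 = (v: string): boolean => {
  const parts = v.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
};
// Loose IPv6 shape check (hex digits and colons only), not a full parser.
const isIPv6ish = (v: string): boolean =>
  v.includes(":") && /^[0-9a-fA-F:]{2,39}$/.test(v);
const isIp = (v: string): boolean => isIPv4(v) || isIPv6ish(v);

const isHostname = (v: string): boolean =>
  v.length <= 253 &&
  /^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i.test(v);

// A Map (not an object literal) so that a type such as "constructor"
// cannot resolve to an inherited Object.prototype member.
const CHECKS = new Map<string, (v: string) => boolean>([
  ["ip-src", isIp], ["ip-dst", isIp],
  ["domain", isHostname], ["hostname", isHostname],
  ["md5", hex(32)], ["sha1", hex(40)], ["sha256", hex(64)],
]);

// Returns a list of problems; an empty list means the input can be sent on.
function validateAttribute(input: AttrInput): string[] {
  const errors: string[] = [];
  const { type, value, distribution } = input;
  if (value.length === 0 || value !== value.trim()) {
    errors.push("value is empty or has surrounding whitespace");
  }
  // Types without a rule here (url, filename, ...) pass through unchecked.
  const check = CHECKS.get(type);
  if (check && !check(value)) {
    errors.push(`value does not look like a valid ${type}`);
  }
  if (distribution !== undefined &&
      (!Number.isInteger(distribution) || distribution < 0 || distribution > 4)) {
    errors.push("distribution must be an integer from 0 to 4");
  }
  return errors;
}
```
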
Implementation Reference
- src/tools/attributes.ts:86-125 (handler) The handler function for the misp_add_attribute tool. Receives eventId, type, value, category, toIds, comment, distribution, tags params, calls client.addAttribute(), and returns the created attribute's id, event_id, type, category, value, to_ids.

```typescript
async (params) => {
  try {
    const attribute = await client.addAttribute(params.eventId, {
      type: params.type,
      value: params.value,
      category: params.category,
      to_ids: params.toIds,
      comment: params.comment,
      distribution: params.distribution,
      tags: params.tags,
    });
    return {
      content: [
        {
          type: "text",
          text: JSON.stringify(
            {
              id: attribute.id,
              event_id: attribute.event_id,
              type: attribute.type,
              category: attribute.category,
              value: attribute.value,
              to_ids: attribute.to_ids,
            },
            null,
            2
          ),
        },
      ],
    };
  } catch (err) {
    return {
      content: [
        { type: "text", text: `Error adding attribute: ${err instanceof Error ? err.message : String(err)}` },
      ],
      isError: true,
    };
  }
}
```

- src/tools/attributes.ts:76-85 (schema) Zod schema defining input parameters for misp_add_attribute: eventId (string), type (string), value (string), category (optional string), toIds (optional boolean), comment (optional string), distribution (optional number), tags (optional string array).

```typescript
{
  eventId: z.string().describe("Event ID to add the attribute to"),
  type: z.string().describe("Attribute type (ip-src, ip-dst, domain, md5, sha256, sha1, url, email-src, hostname, filename, etc.)"),
  value: z.string().describe("The IOC value"),
  category: z.string().optional().describe("Category (auto-determined from type if omitted)"),
  toIds: z.boolean().optional().describe("Flag for IDS export (default true for applicable types)"),
  comment: z.string().optional().describe("Context/notes about this IOC"),
  distribution: z.number().optional().describe("Distribution level (0-4)"),
  tags: z.array(z.string()).optional().describe("Tags to apply to the attribute"),
},
```

- src/tools/attributes.ts:72-126 (registration) Registration of the tool as 'misp_add_attribute' on the MCP server via server.tool() with description 'Add an IOC/attribute to a MISP event'.

```typescript
// Add attribute
server.tool(
  "misp_add_attribute",
  "Add an IOC/attribute to a MISP event",
  {
    eventId: z.string().describe("Event ID to add the attribute to"),
    type: z.string().describe("Attribute type (ip-src, ip-dst, domain, md5, sha256, sha1, url, email-src, hostname, filename, etc.)"),
    value: z.string().describe("The IOC value"),
    category: z.string().optional().describe("Category (auto-determined from type if omitted)"),
    toIds: z.boolean().optional().describe("Flag for IDS export (default true for applicable types)"),
    comment: z.string().optional().describe("Context/notes about this IOC"),
    distribution: z.number().optional().describe("Distribution level (0-4)"),
    tags: z.array(z.string()).optional().describe("Tags to apply to the attribute"),
  },
  async (params) => {
    try {
      const attribute = await client.addAttribute(params.eventId, {
        type: params.type,
        value: params.value,
        category: params.category,
        to_ids: params.toIds,
        comment: params.comment,
        distribution: params.distribution,
        tags: params.tags,
      });
      return {
        content: [
          {
            type: "text",
            text: JSON.stringify(
              {
                id: attribute.id,
                event_id: attribute.event_id,
                type: attribute.type,
                category: attribute.category,
                value: attribute.value,
                to_ids: attribute.to_ids,
              },
              null,
              2
            ),
          },
        ],
      };
    } catch (err) {
      return {
        content: [
          { type: "text", text: `Error adding attribute: ${err instanceof Error ? err.message : String(err)}` },
        ],
        isError: true,
      };
    }
  }
);
```

- src/client.ts:289-329 (helper) The client.addAttribute() method that makes the actual HTTP POST request to /attributes/add/{eventId} on the MISP API and handles post-add tagging.

```typescript
async addAttribute(
  eventId: string,
  params: {
    type: string;
    value: string;
    category?: string;
    to_ids?: boolean;
    comment?: string;
    distribution?: number;
    tags?: string[];
  }
): Promise<MispAttribute> {
  const attrData: Record<string, unknown> = {
    type: params.type,
    value: params.value,
  };
  if (params.category) attrData.category = params.category;
  if (params.to_ids !== undefined) attrData.to_ids = params.to_ids;
  if (params.comment) attrData.comment = params.comment;
  if (params.distribution !== undefined) attrData.distribution = params.distribution;

  const data = await this.request<{ Attribute: MispAttribute }>(
    "POST",
    `/attributes/add/${encodeId(eventId, "eventId")}`,
    attrData
  );

  // Add tags if specified
  if (params.tags && params.tags.length > 0 && data.Attribute?.id) {
    for (const tag of params.tags) {
      await this.request("POST", "/attributes/addTag", {
        attribute: data.Attribute.id,
        tag,
      });
    }
  }

  return data.Attribute;
}
```

- src/prompts.ts:23-82 (registration) Prompt text referencing misp_add_attribute as the recommended tool for adding IOCs to events.

```typescript
            type: "text",
            text: `Investigate the following IOC in MISP: "${ioc}" ${typeHint}

Follow these steps:
1. Use misp_search_attributes to search for this IOC value across all events. If you know the type, filter by it.
2. Use misp_correlate to find all correlations for this value across events.
3. Use misp_check_warninglists to check if this value appears on any known benign/false positive lists.
4. For each event found, note the threat level, tags (especially TLP and MITRE ATT&CK), and related IOCs.
5. If the IOC appears in multiple events, use misp_get_related_events on the most relevant event to discover additional related intelligence.

Provide a structured summary including:
- Whether the IOC was found in MISP and in how many events
- Threat level assessment based on event metadata
- Related IOCs and correlations discovered
- Whether it appears on any warninglists (potential false positive)
- MITRE ATT&CK techniques associated with this IOC
- Recommended next steps for the analyst`,
          },
        },
      ],
    };
  }
);

// Create incident event
server.prompt(
  "create-incident-event",
  "Guided workflow for creating a MISP event from an incident, including adding attributes, tagging, and publishing",
  {
    description: z.string().describe("Description of the incident"),
    iocs: z.string().optional().describe("Comma-separated list of IOCs to add (e.g., '192.168.1.1,evil.com,abc123hash')"),
  },
  ({ description, iocs }) => {
    const iocList = iocs
      ? `\nThe following IOCs should be added: ${iocs}`
      : "\nAsk the analyst for any IOCs (IP addresses, domains, file hashes, URLs) associated with this incident.";

    return {
      messages: [
        {
          role: "user",
          content: {
            type: "text",
            text: `Create a MISP event for the following incident: "${description}" ${iocList}

Follow these steps:
1. Use misp_create_event with:
   - An informative title based on the incident description
   - Appropriate threat level (1=High for active compromise, 2=Medium for suspicious activity, 3=Low for informational)
   - Analysis status: 0 (Initial)
   - Distribution: 0 (Organization only) to start - can be broadened later
2. For each IOC:
   - Determine the correct attribute type (ip-src, ip-dst, domain, md5, sha256, url, etc.)
   - Use misp_add_attribute (or misp_add_attributes_bulk for multiple) to add them
```