misp-mcp

Active

MCP server for MISP - threat-intelligence sharing and lookups.

npm i -g misp-mcp

WHAT IT DOES

misp-mcp is a Model Context Protocol server for MISP, the open-source threat-intelligence sharing platform. It lets an LLM run IOC lookups, create and manage events, discover cross-event correlations, and export indicators directly from your MISP instance.

It exposes 36 tools, 3 resources, and 3 guided prompts spanning events, attributes, correlations, tags, exports, sightings, warninglists, objects, galaxies, feeds, organisations, and server management. MITRE ATT&CK is wired in through galaxy-cluster search and attachment, and a correlation engine surfaces relationships through shared indicators.

State-changing and destructive tools (delete, publish, tag removal) are guarded: they refuse to run unless the call carries an explicit confirm: true, and permanent hard deletes additionally require confirmHard: true. TLS verification can be switched off for the self-signed certificates common in MISP deployments; doing so gives up authentication of the server, and the API key travels on every request, so treat it as a last resort rather than a default (see INSTALL).
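The confirmation gate described above, as an added example rather than misp-mcp's own code. The tool names are the page's; the guarded() wrapper, callTool(), the hard argument and the fake in-memory MISP backend are this example's assumptions. It returns MCP-shaped results ({ content: [...], isError }) so a refused call reaches the model as an error it can act on, and it compares with === true because models routinely pass "true" (a string) or 1, neither of which should count as consent.

```javascript
// Added example, not from the misp-mcp project: a minimal confirmation gate
// for destructive MCP tools, with a fake backend so it runs offline.

// Fake MISP backend (constructed for this example); records what would be sent.
const sent = [];
const fakeMisp = {
  deleteEvent: (id, hard) => { sent.push({ op: "deleteEvent", id, hard }); return { saved: true }; },
  publishEvent: (id) => { sent.push({ op: "publishEvent", id }); return { published: true }; },
};

// MCP tool results carry text content and an optional isError flag.
const text = (t, isError = false) =>
  ({ content: [{ type: "text", text: t }], ...(isError ? { isError: true } : {}) });

// Wrap a handler with confirmation requirements.
//   opts.confirm : refuse unless args.confirm === true
//   opts.hardArg : name of the argument that selects a permanent delete; when it is
//                  true the call must also carry confirmHard === true
// Strict === true is deliberate: "true", 1 and "yes" must all be refused.
function guarded(name, opts, handler) {
  return (args = {}) => {
    if (opts.confirm && args.confirm !== true) {
      return text(`${name} is destructive: call again with confirm: true`, true);
    }
    if (opts.hardArg && args[opts.hardArg] === true && args.confirmHard !== true) {
      return text(`${name} with ${opts.hardArg}: true is irreversible: call again with confirmHard: true`, true);
    }
    return handler(args);
  };
}

// Two of the page's guarded tools, wired to the fake backend.
const tools = {
  misp_publish_event: guarded("misp_publish_event", { confirm: true },
    (a) => text(JSON.stringify(fakeMisp.publishEvent(a.eventId)))),
  misp_delete_event: guarded("misp_delete_event", { confirm: true, hardArg: "hard" },
    (a) => text(JSON.stringify(fakeMisp.deleteEvent(a.eventId, a.hard === true)))),
};

// Dispatch a tool call by name; unknown tools are an error, not an exception.
function callTool(name, args) {
  const tool = tools[name];
  if (!tool) return text(`unknown tool ${name}`, true);
  return tool(args);
}
```

The backend is only reached once every gate has passed, so a refused call leaves `sent` untouched; that is the property worth asserting in a test of any real guard.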

INSTALL

Published to npm. Install globally to get the misp-mcp binary, or run it on demand with npx. Requires Node.js 20+ and a MISP instance with API access plus an API key (Administration > List Auth Keys).

$ npm i -g misp-mcp # install the server binary
$ npx misp-mcp # or run it without installing

Configure with MISP_URL and MISP_API_KEY. MISP_VERIFY_SSL=false disables certificate verification for self-signed certs, but since the API key is sent on every request, that lets anyone who can intercept the connection read it. Prefer leaving verification on and trusting the instance's certificate instead: Node reads NODE_EXTRA_CA_CERTS (a path to a PEM file) at startup and adds it to the default trust store, so setting it in the same env block as MISP_URL works without changing the server.
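The environment handling just described, as an added example and not misp-mcp's own code. MISP_URL, MISP_API_KEY and MISP_VERIFY_SSL are the variables the page names; MISP_CA_FILE, buildMispClientConfig(), searchAttributesRequest() and redact() are this example's assumptions. The request shape follows MISP's REST API, which takes the raw key in the Authorization header and accepts JSON on POST /attributes/restSearch.

```javascript
// Added example, not from the misp-mcp project: validate the MISP environment
// before any request leaves the process, and build one IOC search request.

// Show just enough of a key to recognise it in a log without leaking it.
function redact(key) {
  return key.length > 8 ? `${key.slice(0, 4)}...${key.slice(-4)}` : "****";
}

// Turn process.env-style input into a client config, refusing unsafe setups.
function buildMispClientConfig(env) {
  const warnings = [];
  const url = env.MISP_URL;
  const key = env.MISP_API_KEY;
  if (!url || !key) throw new Error("MISP_URL and MISP_API_KEY are required");

  let parsed;
  try { parsed = new URL(url); } catch { throw new Error(`MISP_URL is not a valid URL: ${url}`); }
  // The key rides on every request; never let it travel in cleartext.
  if (parsed.protocol !== "https:") {
    throw new Error(`MISP_URL must use https (got ${parsed.protocol}): refusing to send an API key in the clear`);
  }

  // Only the literal string "false" disables verification; anything else verifies.
  const verify = (env.MISP_VERIFY_SSL ?? "true").toLowerCase() !== "false";
  const agentOptions = { rejectUnauthorized: verify }; // feeds new https.Agent(...)
  if (!verify) {
    warnings.push(`TLS verification disabled for ${parsed.host}: anyone on the path can read the API key ` +
      `(${redact(key)}); prefer MISP_CA_FILE or NODE_EXTRA_CA_CERTS`);
  }
  // Assumed extra variable: PEM file holding the self-signed cert or private CA.
  // Pinning it keeps verification on instead of switching it off.
  if (env.MISP_CA_FILE) {
    agentOptions.ca = require("node:fs").readFileSync(env.MISP_CA_FILE);
  }

  return {
    baseUrl: `${parsed.origin}${parsed.pathname.replace(/\/+$/, "")}`,
    headers: { Authorization: key, Accept: "application/json", "Content-Type": "application/json" },
    agentOptions,
    warnings,
  };
}

// Build (but do not send) a MISP attribute search for one IOC value.
function searchAttributesRequest(cfg, value) {
  return {
    method: "POST",
    url: `${cfg.baseUrl}/attributes/restSearch`,
    headers: cfg.headers,
    body: JSON.stringify({ value, returnFormat: "json" }),
  };
}
```

Note that the http check rejects the URL outright rather than warning: with MISP_VERIFY_SSL=false the key is exposed to an active attacker, with http it is exposed to anyone passively on the path, and neither is something an MCP client should silently accept.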

CLIENT CONFIG

A sample mcpServers entry (Claude Desktop, or any MCP client that reads the same shape). It runs the installed binary over stdio. The API key sits in plaintext in this file, so create a key for this client alone with no more permissions than the tools you intend to use, and keep the MISP_VERIFY_SSL line at "false" only if you cannot trust the instance's certificate instead.

{
  "mcpServers": {
    "misp": {
      "command": "misp-mcp",
      "env": {
        "MISP_URL": "https://misp.example.com",
        "MISP_API_KEY": "your-api-key-here",
        "MISP_VERIFY_SSL": "false"
      }
    }
  }
}

For Claude Code use claude mcp add misp ... -- misp-mcp. The repo README also documents OpenClaw, Codex CLI, Hermes Agent, and Docker.

CAPABILITIES / TOOLS EXPOSED

36 MCP tools across events, attributes, correlation, exports, tags, objects, galaxies, feeds, and server admin. Grouped below; see the README for the full per-argument reference.

Events

misp_search_events / misp_get_event
Search events by IOC, type, tag, date, or org; pull full event detail with attributes and galaxies.
misp_create_event / misp_update_event
Create and update events with threat level, distribution, and analysis status.
misp_publish_event / misp_tag_event
Publish to sharing partners and add/remove TLP, ATT&CK, or custom tags (guarded).

Attributes & correlation

misp_search_attributes / misp_add_attribute / misp_add_attributes_bulk
Search IOCs across events; add one or many indicators in a single call.
misp_correlate / misp_get_related_events
Find everything matching a value and discover events linked through shared IOCs.
misp_delete_attribute
Soft or hard delete an attribute (confirmation-gated).

Exports & sightings

misp_export_iocs
Export IOCs as CSV, STIX, Suricata, Snort, text, or RPZ.
misp_export_hashes
Export MD5/SHA1/SHA256 hashes for HIDS integration.
misp_add_sighting / misp_check_warninglists
Report sightings/false positives; check values against benign lists.

Tags, objects & galaxies

misp_list_tags / misp_search_by_tag
List tags with usage stats and find events/attributes by tag.
misp_list_object_templates / misp_add_object / misp_delete_object
Browse templates and add or remove structured (grouped) objects.
misp_search_galaxy_clusters / misp_attach_galaxy_cluster
Find MITRE ATT&CK techniques and threat actors, then attach them to events.

Feeds, orgs & server

misp_list_feeds / misp_toggle_feed / misp_fetch_feed / misp_cache_feed
Manage threat-intel feeds: list, enable, fetch, and cache for correlation.
misp_list_organisations / misp_list_sharing_groups
List sharing partners and sharing groups for controlled distribution.
misp_server_status / misp_delete_event
Version and diagnostics; delete an event (confirmation-gated).

Plus 3 resources (misp://types, misp://statistics, misp://taxonomies) and 3 prompts (investigate-ioc, create-incident-event, threat-report).

36 MCP tools, 3 resources, 3 prompts. MIT license.