MISP MCP Server
A Model Context Protocol (MCP) server for MISP — the Open Source Threat Intelligence Platform used by NATO, CERTs, and 6000+ organizations worldwide.
Connect your AI assistant to your MISP instance for threat intelligence search, IOC lookup, and event analysis through natural conversation.
Tools
| Tool | Description |
|---|---|
search_events |
Search events by keyword, tag, or date range |
get_event |
Get full event details including attributes and objects |
search_attributes |
Search IOCs by type, value, category, or tag |
get_statistics |
Instance statistics: events, attributes, orgs, tags |
submit_ioc |
Submit new IOC to an existing event |
recent_feeds |
List configured feeds and their status |
Quick Start
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
MISP_URL |
Yes | — | URL of your MISP instance |
MISP_API_KEY |
Yes | — | MISP automation API key |
MISP_VERIFY_SSL |
No | true |
Verify SSL certificates |
MCP_TRANSPORT |
No | stdio |
Transport: stdio or http |
MCP_HOST |
No | 0.0.0.0 |
Host to bind (http mode) |
MCP_PORT |
No | 8000 |
Port to bind (http mode) |
LOG_LEVEL |
No | INFO |
Logging level |
Docker
# Clone and run
git clone https://github.com/DarkAngel-agents/misp-mcp.git
cd misp-mcp
# Set your MISP credentials
export MISP_URL=https://your-misp-instance.com
export MISP_API_KEY=your-api-key
# Run with Docker Compose
docker compose up -d
The MCP endpoint will be available at http://localhost:8000/mcp.
Local (without Docker)
pip install -r requirements.txt
export MISP_URL=https://your-misp-instance.com
export MISP_API_KEY=your-api-key
# stdio mode (for Claude Desktop, Claude Code, etc.)
python server.py
# http mode (for remote access)
MCP_TRANSPORT=http python server.py
Claude Desktop
Add to your Claude Desktop config (~/.config/Claude/claude_desktop_config.json):
{
"mcpServers": {
"misp": {
"command": "python",
"args": ["/path/to/misp-mcp/server.py"],
"env": {
"MISP_URL": "https://your-misp-instance.com",
"MISP_API_KEY": "your-api-key"
}
}
}
}
Claude Code
claude mcp add misp -- python /path/to/misp-mcp/server.py
VS Code
Add to .vscode/mcp.json:
{
"servers": {
"misp": {
"url": "http://localhost:8000/mcp",
"type": "http"
}
}
}
Example Prompts
- "Search MISP for any events related to ransomware from the last month"
- "Look up this hash in MISP: abc123def456..."
- "Show me the details of MISP event 1234"
- "What are the statistics of our MISP instance?"
- "Submit this IP as an IOC to event 5678: 192.168.1.100"
- "List all configured MISP feeds"
Requirements
- Python 3.10+
- A running MISP instance with API access
- MISP automation API key (found in MISP → Administration → Auth Keys)
License
MIT
