{"id":49250481,"url":"https://github.com/solomonneas/misp-mcp","last_synced_at":"2026-05-23T21:01:48.695Z","repository":{"id":339103300,"uuid":"1151928436","full_name":"solomonneas/misp-mcp","owner":"solomonneas","description":"MCP server for MISP threat intelligence platform","archived":false,"fork":false,"pushed_at":"2026-04-30T01:19:40.000Z","size":198,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-30T03:35:42.454Z","etag":null,"topics":["ai-agents","cybersecurity","ioc","mcp","misp","model-context-protocol","sharing","threat-intelligence"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/solomonneas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"solomonneas","ko_fi":"solomonneas","buy_me_a_coffee":"solomonneas"}},"created_at":"2026-02-07T05:03:42.000Z","updated_at":"2026-04-29T20:15:39.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/solomonneas/misp-mcp","commit_stats":null,"previous_names":["solomonneas/misp-mcp"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/solomonneas/misp-mcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmisp-mcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmisp-mcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmisp-mcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmisp-mcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/solomonneas","download_url":"https://codeload.github.com/solomonneas/misp-mcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmisp-mcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33412082,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T18:09:33.147Z","status":"ssl_error","status_checked_at":"2026-05-23T18:09:31.380Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","cybersecurity","ioc","mcp","misp","model-context-protocol","sharing","threat-intelligence"],"created_at":"2026-04-25T00:02:58.465Z","updated_at":"2026-05-23T21:01:48.690Z","avatar_url":"https://github.com/solomonneas.png","language":"TypeScript","funding_links":["https://github.com/sponsors/solomonneas","https://ko-fi.com/solomonneas","https://buymeacoffee.com/solomonneas"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/assets/misp-mcp-banner.jpg\" alt=\"Watercolor threat intelligence correlation dossier for misp-mcp\" width=\"100%\" /\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003emisp-mcp\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.npmjs.com/package/misp-mcp\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/misp-mcp?style=flat-square\u0026logo=npm\u0026color=cb3837\" alt=\"npm version\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/solomonneas/misp-mcp/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/solomonneas/misp-mcp/ci.yml?branch=main\u0026style=flat-square\u0026label=CI\u0026logo=github\" alt=\"CI status\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.typescriptlang.org/\"\u003e\u003cimg src=\"https://img.shields.io/badge/TypeScript-5.7-3178c6?style=flat-square\u0026logo=typescript\u0026logoColor=white\" alt=\"TypeScript 5.7\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://nodejs.org/\"\u003e\u003cimg src=\"https://img.shields.io/badge/Node.js-20%2B-339933?style=flat-square\u0026logo=node.js\u0026logoColor=white\" alt=\"Node.js 20+\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://modelcontextprotocol.io/\"\u003e\u003cimg src=\"https://img.shields.io/badge/MCP%20SDK-1.x-6f42c1?style=flat-square\" alt=\"MCP SDK 1.x\" /\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-yellow?style=flat-square\" alt=\"MIT license\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nAn MCP (Model Context Protocol) server for [MISP](https://www.misp-project.org/) (Malware Information Sharing Platform \u0026 Threat Intelligence Sharing). Enables LLMs to perform IOC lookups, manage events, discover correlations, and export threat intelligence directly from your MISP instance.\n\n## Features\n\n- **36 MCP Tools** covering events, attributes, correlations, tags, exports, sightings, warninglists, objects, galaxies, feeds, organisations, and server management\n- **3 MCP Resources** for browsing attribute types, instance statistics, and available taxonomies\n- **3 MCP Prompts** for guided IOC investigation, incident event creation, and threat reporting\n- **SSL Flexibility** for self-signed certificates common in MISP deployments\n- **Export Formats** including CSV, STIX, Suricata, Snort, text, RPZ, and hash lists\n- **MITRE ATT\u0026CK Integration** via galaxy cluster search and attachment\n- **Bulk Operations** for adding multiple IOCs to events in a single call\n- **Correlation Engine** for discovering cross-event relationships through shared indicators\n\n## Prerequisites\n\n- Node.js 20 or later\n- A running MISP instance with API access\n- MISP API key (generated from MISP UI: Administration \u003e List Auth Keys)\n\n## Installation\n\n```bash\ngit clone https://github.com/solomonneas/misp-mcp.git\ncd misp-mcp\nnpm install\nnpm run build\n```\n\n## Configuration\n\nSet the following environment variables:\n\n```bash\nexport MISP_URL=https://misp.example.com\nexport MISP_API_KEY=your-api-key-here\nexport MISP_VERIFY_SSL=true  # Set to 'false' for self-signed certificates\n```\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `MISP_URL` | Yes | - | MISP instance base URL |\n| `MISP_API_KEY` | Yes | - | API authentication key |\n| `MISP_VERIFY_SSL` | No | `true` | Set `false` for self-signed certs |\n| `MISP_TIMEOUT` | No | `30` | Request timeout in seconds |\n\n## Usage\n\n### Claude Desktop\n\nAdd to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\\Claude\\claude_desktop_config.json` (Windows):\n\n```json\n{\n  \"mcpServers\": {\n    \"misp\": {\n      \"command\": \"misp-mcp\",\n      \"env\": {\n        \"MISP_URL\": \"https://misp.example.com\",\n        \"MISP_API_KEY\": \"your-api-key-here\",\n        \"MISP_VERIFY_SSL\": \"false\"\n      }\n    }\n  }\n}\n```\n\n### Claude Code\n\n```bash\nclaude mcp add misp \\\n  --env MISP_URL=https://misp.example.com \\\n  --env MISP_API_KEY=your-api-key-here \\\n  --env MISP_VERIFY_SSL=false \\\n  -- misp-mcp\n```\n\nAdd `--scope user` to make it available from any directory instead of only the current project.\n\n### OpenClaw\n\nIf you're running from a source checkout instead of the npm-installed binary, point `command`/`args` at the built `dist/index.js`:\n\n```bash\nopenclaw mcp set misp '{\n  \"command\": \"node\",\n  \"args\": [\"/absolute/path/to/misp-mcp/dist/index.js\"],\n  \"env\": {\n    \"MISP_URL\": \"https://misp.example.com\",\n    \"MISP_API_KEY\": \"your-api-key-here\",\n    \"MISP_VERIFY_SSL\": \"false\"\n  }\n}'\n```\n\nOr, with the global npm install:\n\n```bash\nopenclaw mcp set misp '{\n  \"command\": \"misp-mcp\",\n  \"env\": {\n    \"MISP_URL\": \"https://misp.example.com\",\n    \"MISP_API_KEY\": \"your-api-key-here\",\n    \"MISP_VERIFY_SSL\": \"false\"\n  }\n}'\n```\n\nThen restart the OpenClaw gateway so the new server is picked up:\n\n```bash\nsystemctl --user restart openclaw-gateway\nopenclaw mcp list   # confirm \"misp\" is registered\n```\n\n### Hermes Agent\n\n[Hermes Agent](https://github.com/NousResearch/hermes-agent) reads MCP config from `~/.hermes/config.yaml` under the `mcp_servers` key. Add an entry:\n\n```yaml\nmcp_servers:\n  misp:\n    command: \"misp-mcp\"\n    env:\n      MISP_URL: \"https://misp.example.com\"\n      MISP_API_KEY: \"your-api-key-here\"\n      MISP_VERIFY_SSL: \"false\"\n```\n\nOr, when running from a source checkout instead of the global npm install:\n\n```yaml\nmcp_servers:\n  misp:\n    command: \"node\"\n    args: [\"/absolute/path/to/misp-mcp/dist/index.js\"]\n    env:\n      MISP_URL: \"https://misp.example.com\"\n      MISP_API_KEY: \"your-api-key-here\"\n      MISP_VERIFY_SSL: \"false\"\n```\n\nThen reload MCP from inside a Hermes session:\n\n```\n/reload-mcp\n```\n\n### Codex CLI\n\n[Codex CLI](https://github.com/openai/codex) registers MCP servers via `codex mcp add`:\n\n```bash\ncodex mcp add misp \\\n  --env MISP_URL=https://misp.example.com \\\n  --env MISP_API_KEY=your-api-key-here \\\n  --env MISP_VERIFY_SSL=false \\\n  -- misp-mcp\n```\n\nOr, when running from a source checkout:\n\n```bash\ncodex mcp add misp \\\n  --env MISP_URL=https://misp.example.com \\\n  --env MISP_API_KEY=your-api-key-here \\\n  --env MISP_VERIFY_SSL=false \\\n  -- node /absolute/path/to/misp-mcp/dist/index.js\n```\n\nCodex writes the entry to `~/.codex/config.toml` under `[mcp_servers.misp]`. Verify with:\n\n```bash\ncodex mcp list\n```\n\n### Standalone\n\n```bash\nMISP_URL=https://misp.example.com MISP_API_KEY=your-key node dist/index.js\n```\n\n### Docker\n\n```bash\ndocker build -t misp-mcp .\ndocker run -e MISP_URL=https://misp.example.com -e MISP_API_KEY=your-key -e MISP_VERIFY_SSL=false misp-mcp\n```\n\n### Development\n\n```bash\nMISP_URL=https://misp.example.com MISP_API_KEY=your-key npm run dev\n```\n\n## Tools Reference\n\n### Event Tools (6)\n\n| Tool | Description |\n|------|-------------|\n| `misp_search_events` | Search events by IOC value, type, tags, date range, organization |\n| `misp_get_event` | Get full event details including attributes, objects, galaxies, related events |\n| `misp_create_event` | Create a new event with threat level, distribution, and analysis status |\n| `misp_update_event` | Update event metadata (info, threat level, analysis, publish state) |\n| `misp_publish_event` | Publish an event to trigger alerts to sharing partners |\n| `misp_tag_event` | Add or remove tags (TLP, MITRE ATT\u0026CK, custom) from an event |\n\n### Attribute Tools (4)\n\n| Tool | Description |\n|------|-------------|\n| `misp_search_attributes` | Search IOCs across all events with type, category, and correlation filters |\n| `misp_add_attribute` | Add a single IOC to an event |\n| `misp_add_attributes_bulk` | Add multiple IOCs to an event in one operation |\n| `misp_delete_attribute` | Soft or hard delete an attribute |\n\n### Correlation \u0026 Intelligence Tools (3)\n\n| Tool | Description |\n|------|-------------|\n| `misp_correlate` | Find all events and attributes matching a value, with cross-event correlations |\n| `misp_get_related_events` | Discover events related through shared IOCs |\n| `misp_describe_types` | Get all available attribute types and category mappings |\n\n### Tag \u0026 Taxonomy Tools (2)\n\n| Tool | Description |\n|------|-------------|\n| `misp_list_tags` | List available tags with usage statistics |\n| `misp_search_by_tag` | Find events or attributes by tag |\n\n### Export Tools (2)\n\n| Tool | Description |\n|------|-------------|\n| `misp_export_iocs` | Export IOCs in CSV, STIX, Suricata, Snort, text, or RPZ format |\n| `misp_export_hashes` | Export file hashes (MD5, SHA1, SHA256) for HIDS integration |\n\n### Sighting \u0026 Warninglist Tools (2)\n\n| Tool | Description |\n|------|-------------|\n| `misp_add_sighting` | Report a sighting, false positive, or expiration for an IOC |\n| `misp_check_warninglists` | Check if a value appears on known benign/false positive lists |\n\n### Object Tools (4)\n\n| Tool | Description |\n|------|-------------|\n| `misp_list_object_templates` | List available MISP object templates (file, domain-ip, email, etc.) |\n| `misp_get_object_template` | Get template details with required/optional attributes |\n| `misp_add_object` | Add a structured object (grouped attributes) to an event |\n| `misp_delete_object` | Delete an object from an event |\n\n### Galaxy Tools (4)\n\n| Tool | Description |\n|------|-------------|\n| `misp_list_galaxies` | List galaxies (MITRE ATT\u0026CK, threat actors, malware, tools, etc.) |\n| `misp_get_galaxy` | Get galaxy details with all clusters |\n| `misp_search_galaxy_clusters` | Search clusters by keyword (find ATT\u0026CK techniques, threat actors) |\n| `misp_attach_galaxy_cluster` | Attach a cluster (ATT\u0026CK technique, etc.) to an event or attribute |\n\n### Feed Tools (4)\n\n| Tool | Description |\n|------|-------------|\n| `misp_list_feeds` | List configured threat intel feeds |\n| `misp_toggle_feed` | Enable or disable a feed |\n| `misp_fetch_feed` | Trigger a fetch/pull from a feed |\n| `misp_cache_feed` | Cache feed data locally for correlation |\n\n### Organisation Tools (2)\n\n| Tool | Description |\n|------|-------------|\n| `misp_list_organisations` | List local and remote sharing partner organisations |\n| `misp_get_organisation` | Get organisation details |\n\n### Server \u0026 Admin Tools (3)\n\n| Tool | Description |\n|------|-------------|\n| `misp_server_status` | Get MISP version, permissions, and diagnostics |\n| `misp_list_sharing_groups` | List sharing groups for controlled distribution |\n| `misp_delete_event` | Delete a MISP event |\n\n## Resources\n\n| Resource URI | Description |\n|-------------|-------------|\n| `misp://types` | All supported attribute types, categories, and their mappings |\n| `misp://statistics` | MISP instance statistics |\n| `misp://taxonomies` | Available taxonomies (TLP, MITRE ATT\u0026CK, etc.) |\n\n## Prompts\n\n| Prompt | Description |\n|--------|-------------|\n| `investigate-ioc` | Deep IOC investigation: search, correlate, check warninglists, summarize threat context |\n| `create-incident-event` | Guided event creation from an incident description with IOC ingestion |\n| `threat-report` | Generate a threat intelligence report from MISP data |\n\n## Usage Examples\n\n### Search for an IOC\n\n\u003e \"Search MISP for the IP address 203.0.113.50\"\n\nUses `misp_search_events` and `misp_search_attributes` to find all events and attributes referencing this IP.\n\n### Investigate a suspicious domain\n\n\u003e \"Investigate evil-domain.com in MISP\"\n\nTriggers the `investigate-ioc` prompt workflow: searches for the domain, checks correlations, queries warninglists, and provides a structured threat assessment.\n\n### Create an incident event\n\n\u003c!-- content-guard: allow email --\u003e\n\u003e \"Create a MISP event for a phishing campaign targeting our finance team. The phishing emails came from attacker@evil.com and linked to https://evil-login.com/harvest\"\n\nUses `misp_create_event` followed by `misp_add_attributes_bulk` to create a fully populated event.\n\n### Export Suricata rules\n\n\u003e \"Export all IOCs from the last 7 days as Suricata rules\"\n\nUses `misp_export_iocs` with format \"suricata\" and last \"7d\".\n\n### Check for false positives\n\n\u003e \"Is 8.8.8.8 on any MISP warninglists?\"\n\nUses `misp_check_warninglists` to verify if the value is a known benign indicator.\n\n### Find MITRE ATT\u0026CK techniques\n\n\u003e \"Search for phishing techniques in MITRE ATT\u0026CK\"\n\nUses `misp_search_galaxy_clusters` to find relevant ATT\u0026CK techniques, then `misp_attach_galaxy_cluster` to link them to events.\n\n### Add structured objects\n\n\u003e \"Add a file object to event 1 with filename encrypt.exe, SHA256 hash, and file size\"\n\nUses `misp_add_object` with the \"file\" template to create a structured group of related attributes.\n\n## Supported Attribute Types\n\n| Type | Category | Example |\n|------|----------|---------|\n| `ip-src` | Network activity | Source IP address |\n| `ip-dst` | Network activity | Destination IP address |\n| `domain` | Network activity | Domain name |\n| `hostname` | Network activity | Hostname |\n| `url` | Network activity | Full URL |\n| `email-src` | Payload delivery | Sender email address |\n| `md5` | Payload delivery | MD5 file hash |\n| `sha1` | Payload delivery | SHA1 file hash |\n| `sha256` | Payload delivery | SHA256 file hash |\n| `filename` | Payload delivery | File name |\n\nUse `misp_describe_types` for the complete list of supported types and categories.\n\n## Testing\n\n```bash\nnpm test                # Unit tests (55 tests, mocked)\nnpm run test:integration  # Integration tests against live MISP (27 tests)\nnpm run test:watch      # Watch mode\nnpm run lint            # Type check\n```\n\nIntegration tests require `MISP_URL`, `MISP_API_KEY`, and optionally `MISP_VERIFY_SSL=false` environment variables.\n\n## Project Structure\n\n```\nmisp-mcp/\n  src/\n    index.ts              # MCP server entry point\n    config.ts             # Environment config + validation\n    client.ts             # MISP REST API client\n    types.ts              # MISP API type definitions\n    resources.ts          # MCP resources\n    prompts.ts            # MCP prompts\n    tools/\n      events.ts           # Event CRUD tools\n      attributes.ts       # Attribute management tools\n      correlation.ts      # Correlation \u0026 intelligence tools\n      tags.ts             # Tag and taxonomy tools\n      exports.ts          # Export format tools\n      sightings.ts        # Sighting tools\n      warninglists.ts     # Warninglist checks\n      objects.ts          # Object template \u0026 CRUD tools\n      galaxies.ts         # Galaxy \u0026 cluster tools (MITRE ATT\u0026CK)\n      feeds.ts            # Feed management tools\n      organisations.ts    # Organisation management tools\n      servers.ts          # Server admin \u0026 sharing group tools\n  tests/\n    client.test.ts        # API client unit tests\n    tools.test.ts         # Tool handler unit tests\n    integration.test.ts   # Live MISP API integration tests\n  Dockerfile\n  package.json\n  tsconfig.json\n  tsup.config.ts\n  vitest.config.ts\n  vitest.integration.config.ts\n  README.md\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolomonneas%2Fmisp-mcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsolomonneas%2Fmisp-mcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolomonneas%2Fmisp-mcp/lists"}