MCP Server for MISP
December 6, 2025
An MCP (Model Context Protocol) server that provides access to the MISP threat intelligence platform.
Overview
This server bridges MCP clients and MISP, enabling:
- IOC lookups and enrichment
- Threat actor intelligence
- Event context retrieval
- Warninglist validation
- Tag and galaxy exploration
Tools
| Tool | Description |
|---|---|
| search_misp_ioc | Search for an IOC (IP, domain, hash, URL, email) |
| get_misp_event_context | Get full event details including tags and galaxies |
| check_misp_warninglist | Check if a value is on warninglists (false positive detection) |
| get_misp_sightings | Get sighting history for an IOC |
| get_misp_iocs_by_type | Extract IOCs by attribute type (ip-dst, domain, sha256, etc.) |
| search_misp_by_tag | Search attributes by tag (tlp:red, malware:emotet, etc.) |
| get_misp_recent_iocs | Get IOCs added within a time window |
| get_misp_threat_actor_iocs | Get IOCs attributed to a threat actor |
| list_misp_galaxies | List available MISP galaxies |
Installation
Pre-compiled Binaries
Download from GitHub Releases.
Building from Source
git clone https://github.com/gbrigandi/mcp-server-misp
cd mcp-server-misp
cargo build --release
For HTTP transport support:
cargo build --release --features http
Configuration
Environment variables:
| Variable | Description | Default |
|---|---|---|
| MISP_URL | MISP API base URL | required |
| MISP_API_KEY | MISP API key | required |
| MISP_VERIFY_SSL | Verify SSL certificates | true |
| RUST_LOG | Logging level | info |
Example .env:
MISP_URL=https://misp.example.com
MISP_API_KEY=your-api-key
MISP_VERIFY_SSL=true
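A preflight check for the `.env` file shown above, as an added example that is not part of the project's code: the hypothetical function `check_misp_env` flags a file readable by group or other, a missing or non-HTTPS `MISP_URL`, a missing or placeholder `MISP_API_KEY`, and a `MISP_VERIFY_SSL` value other than `true`. This page does not say how the server parses `MISP_VERIFY_SSL`, so that last check is an assumption.

```shell
#!/bin/sh
# Added example: preflight check for the MISP MCP server's .env file.
# check_misp_env FILE prints one finding per line and returns the
# number of findings as its exit status (0 = nothing flagged).
check_misp_env() {
    env_file=$1
    findings=0
    flag() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    [ -r "$env_file" ] || { flag "cannot read $env_file"; return "$findings"; }

    # Read KEY=VALUE with sed instead of sourcing the file, so nothing in it
    # is executed. The last assignment of a key wins.
    get() { sed -n "s/^$1=//p" "$env_file" | tail -n 1 | tr -d '"\r'; }
    url=$(get MISP_URL)
    key=$(get MISP_API_KEY)
    verify=$(get MISP_VERIFY_SSL)

    # The file holds the API key: only the owner should have access.
    perms=$(ls -ld "$env_file" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || flag "$env_file is accessible to group/other ($perms); chmod 600"

    case $url in
        https://*) ;;
        "")        flag "MISP_URL is not set (required)" ;;
        *)         flag "MISP_URL is not https; the API key would cross the network unencrypted" ;;
    esac

    case $key in
        "")           flag "MISP_API_KEY is not set (required)" ;;
        your-api-key) flag "MISP_API_KEY is still the placeholder from the example" ;;
    esac

    # Assumption: anything other than unset (documented default: true) or
    # "true" is treated here as certificate verification switched off.
    case $(printf '%s' "$verify" | tr 'A-Z' 'a-z') in
        ""|true) ;;
        *) flag "MISP_VERIFY_SSL=$verify: certificate verification may be off" ;;
    esac

    return "$findings"
}
```

Run `check_misp_env .env` before starting the server and treat a non-zero exit status as a failed check.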
Usage
stdio transport (default)
./mcp-server-misp
HTTP transport
./mcp-server-misp --transport http --host 127.0.0.1 --port 8080
MCP Client Configuration
{
  "mcpServers": {
    "misp": {
      "command": "/path/to/mcp-server-misp",
      "env": {
        "MISP_URL": "https://misp.example.com",
        "MISP_API_KEY": "your-api-key"
      }
    }
  }
}
Testing
cargo test
cargo test --features http --test mcp_http_test
License
MIT