mcp-server-misp by gbrigandi - MCP Server

MCP Server for MISP

An MCP (Model Context Protocol) server that provides access to MISP threat intelligence platform.

Overview

This server bridges MCP clients and MISP, enabling:

IOC lookups and enrichment
Threat actor intelligence
Event context retrieval
Warninglist validation
Tag and galaxy exploration

Tools

Tool	Description
`search_misp_ioc`	Search for an IOC (IP, domain, hash, URL, email)
`get_misp_event_context`	Get full event details including tags and galaxies
`check_misp_warninglist`	Check if a value is on warninglists (false positive detection)
`get_misp_sightings`	Get sighting history for an IOC
`get_misp_iocs_by_type`	Extract IOCs by attribute type (ip-dst, domain, sha256, etc.)
`search_misp_by_tag`	Search attributes by tag (tlp:red, malware:emotet, etc.)
`get_misp_recent_iocs`	Get IOCs added within a time window
`get_misp_threat_actor_iocs`	Get IOCs attributed to a threat actor
`list_misp_galaxies`	List available MISP galaxies

Installation

Pre-compiled Binaries

Download from GitHub Releases.

Building from Source

git clone https://github.com/gbrigandi/mcp-server-misp
cd mcp-server-misp
cargo build --release

For HTTP transport support:

cargo build --release --features http

Configuration

Environment variables:

Variable	Description	Default
`MISP_URL`	MISP API base URL	required
`MISP_API_KEY`	MISP API key	required
`MISP_VERIFY_SSL`	Verify SSL certificates	`true`
`RUST_LOG`	Logging level	`info`

Example .env:

MISP_URL=https://misp.example.com
MISP_API_KEY=your-api-key
MISP_VERIFY_SSL=true

Usage

stdio transport (default)

./mcp-server-misp

HTTP transport

./mcp-server-misp --transport http --host 127.0.0.1 --port 8080

MCP Client Configuration

{
  "mcpServers": {
    "misp": {
      "command": "/path/to/mcp-server-misp",
      "env": {
        "MISP_URL": "https://misp.example.com",
        "MISP_API_KEY": "your-api-key"
      }
    }
  }
}

Testing

cargo test
cargo test --features http --test mcp_http_test

License

MIT