
MISP MCP Server

A Model Context Protocol (MCP) server that integrates with the MISP (Malware Information Sharing Platform) to provide threat intelligence capabilities to Large Language Models.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "bornpresident-misp-mcp-server": {
      "command": "python",
      "args": [
        "misp_server.py"
      ],
      "env": {
        "MISP_URL": "https://your-misp-instance.com",
        "MISP_API_KEY": "your-api-key",
        "MISP_VERIFY_SSL": "True"
      }
    }
  }
}

You can run a MISP MCP Server to expose MISP threat intelligence capabilities to your MCP clients, enabling Mac malware discovery, cross‑platform threat intelligence, IoC submission, and comprehensive reports from your MISP instance.

How to use

Use an MCP client to interact with the MISP MCP Server and run the available tools to search, submit IoCs, and generate reports. You will typically authenticate by ensuring your MISP connection settings (URL, API key) are provided to the server via environment variables, then invoke the server’s tools through your MCP client. Common workflows include retrieving recent Mac malware samples, performing advanced searches by attribute type or tag, submitting new IoCs to MISP, and generating threat intelligence reports from the collected data.

Practical usage patterns you can follow:
- Look up the latest Mac-related malware samples and other platform malware across Windows, macOS, Linux, Android, iOS, and IoT.
- Perform targeted searches by attribute type, tag, threat actor, or TLP classification to refine results.
- Submit new IoCs directly to your MISP instance from the MCP interface.
- Generate comprehensive threat intelligence reports based on recent MISP data and include statistics when needed.

How to install

git clone https://github.com/bornpresident/misp-mcp-server.git
cd misp-mcp-server

python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate
pip install "mcp[cli]" pymisp

Prerequisites you need before installing:
- Python 3.10 or higher
- Access to a MISP instance with an API key and permissions
- Internet access to install Python packages from PyPI

If you are using Windows, activate the virtual environment with the Windows-specific command shown above and continue with the same installation steps. After installation, you can start using the MCP server once configuration is complete.

Configuration

Configure the connection to your MISP instance by setting these environment variables for the MCP server process:
- MISP_URL: URL of your MISP instance (for example, https://misp.example.com)
- MISP_API_KEY: Your MISP API key
- MISP_VERIFY_SSL: True or False depending on whether to verify SSL certificates

Example values you can start with (placeholders you should replace with real data):
- MISP_URL=https://your-misp-instance.com
- MISP_API_KEY=your-api-key
- MISP_VERIFY_SSL=True
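A preflight check for the three environment variables described above, as an added example that is not code from the misp-mcp-server project. The function name check_misp_env and its rules (HTTPS only, no leftover placeholders, a strict True/False value) are assumptions about what an operator would want to enforce, not a description of how misp_server.py reads these variables.

```python
"""Preflight check for the MISP MCP server environment (added example)."""
import os
import sys
from urllib.parse import urlparse

# Placeholder values copied from this page's examples; they must be replaced.
PLACEHOLDERS = {"https://your-misp-instance.com", "your-api-key"}


def check_misp_env(env):
    """Return a list of findings; an empty list means the settings look sane.

    Hypothetical helper: the rules below are this example's own policy.
    """
    findings = []
    url = env.get("MISP_URL", "").strip()
    key = env.get("MISP_API_KEY", "").strip()
    verify = env.get("MISP_VERIFY_SSL", "").strip().lower()

    parsed = urlparse(url)
    if not url:
        findings.append("MISP_URL is not set")
    elif url in PLACEHOLDERS:
        findings.append("MISP_URL is still the placeholder value")
    elif parsed.scheme != "https" or not parsed.hostname:
        # The API key travels in a request header, so plain HTTP exposes it.
        findings.append("MISP_URL must be an https:// URL with a host")
    elif parsed.username or parsed.password:
        findings.append("MISP_URL must not embed credentials")

    if not key:
        findings.append("MISP_API_KEY is not set")
    elif key in PLACEHOLDERS:
        findings.append("MISP_API_KEY is still the placeholder value")

    if verify not in ("true", "false"):
        findings.append("MISP_VERIFY_SSL must be True or False")
    elif verify == "false":
        # Without certificate verification the API key can be intercepted.
        findings.append("MISP_VERIFY_SSL=False disables TLS certificate checks")
    return findings


if __name__ == "__main__":
    problems = check_misp_env(os.environ)
    for p in problems:
        print("config:", p, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run it in the same environment the MCP client will hand to the server; a non-zero exit status means at least one setting needs attention before starting misp_server.py.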

Starting and testing

To run the server locally, start the script that implements the MCP server.

python misp_server.py

You can also test integration with the MCP Inspector tool to ensure the server is accessible and responding as expected.

mcp dev misp_server.py

Claude Desktop and MCP CLI configuration

If you use Claude Desktop, you can add the MISP MCP server configuration to your Claude Desktop configuration file. The example shows how to reference the local script with environment variables.

{
  "mcpServers": {
    "misp-intelligence": {
      "command": "python",
      "args": ["/path/to/misp_server.py"],
      "env": {
        "MISP_URL": "https://your-misp-instance.com",
        "MISP_API_KEY": "your-api-key",
        "MISP_VERIFY_SSL": "True"
      }
    }
  }
}

Using MCP CLI to install

Install the MCP server using the command line interface. This sets up your MISP MCP Server with the required environment variables.

mcp install misp_server.py --name "MISP Threat Intelligence" -v MISP_URL=https://your-misp-instance.com -v MISP_API_KEY=your-api-key

Available tools

get_mac_malware

Retrieve the latest macOS malware samples within a specified time window.

get_platform_malware

Fetch recent malware samples for a specific platform (windows, macos, linux, android, ios, iot).

advanced_search

Perform advanced searches by attribute type, tag, threat actor, or TLP classification with optional platform filters and date range.

submit_ioc

Submit a new Indicator of Compromise to MISP with optional platform, TLP, and description.

generate_threat_report

Create a comprehensive threat intelligence report based on MISP data with optional date range and platform filters.

search_misp

Search MISP for threats using a general query term.

get_misp_stats

Retrieve statistics about the MISP instance.

feeds

Query information about recent MISP feeds.