RealLinkers/misp-mcp

MISP MCP Tool

A Python-based Multi-Cloud Platform (MCP) tool for managing multiple MISP (Malware Information Sharing Platform) instances, with support for integration in Cursor/Claude and Jan.


1. Key Features & Tools

🚀 Multi-MISP Instance Support

Manage and query multiple MISP instances from a single interface. Configure as many instances as you need in your misp_instances.json file, and seamlessly switch or aggregate queries across all of them. This is ideal for organizations with several MISP deployments or for analysts working with both internal and external threat intelligence sources.

How it works:

  • Define all your MISP instances in misp_instances.json (see Setup below).
  • The tool will automatically detect and allow you to select or query across any configured instance.
  • Many commands (such as event/attribute search) can be run against all instances in parallel, making cross-instance analysis easy and efficient.

🛠️ Most Useful Tools

| Tool Name & Function | Description | Example Use-Case |
|---|---|---|
| Event Search | Search for events using rich filters (date, tag, org, etc.). Supports pagination. | Find all ransomware events since 2023. |
| Attribute Search | Search for attributes (IOCs, indicators, etc.) with full pagination support. | List all IP addresses seen in the last month. |
| Tag Search | Search for tags by term. Useful for filtering and categorizing events/attributes. | Find all tags containing "APT". |
| List Galaxies | List all available galaxies (threat actors, malware families, etc.). | See all threat actor profiles in the instance. |
| List Galaxy Clusters | List all galaxy clusters (specific threat actors, campaigns, etc.). | Get all clusters for a given malware family. |
| Get All Users | Retrieve all users registered in a MISP instance. | Audit user access and roles. |
| Get All Organizations | Retrieve all organizations known to a MISP instance. | Map sharing partners and orgs. |
| Get All Sharing Groups | Retrieve all sharing groups configured in a MISP instance. | Review sharing group memberships. |
| List Search Parameters | List the most used and all available search parameters for event/attribute searches. | Build advanced, precise queries. |

🛡️ Management & Administration Tools

Easily manage your MISP environment directly from the tool. Supported features include:

  • Add Users: Create new users in any connected MISP instance for onboarding, automation, or delegation.
  • Edit Users: Update user details, roles, or permissions as needed.
  • Delete Users: Remove users from a MISP instance to maintain security and proper access control.
  • Add Organizations: Register new organizations to expand your sharing network or structure your instance.
  • Edit Organizations: Update organization details, such as name, description, or type.
  • Delete Organizations: Remove organizations that are no longer needed.
  • List Users: Retrieve and review all users in a MISP instance, including their roles, organizations, and status.
  • List Organizations: Retrieve and review all organizations in a MISP instance, including user counts and creation details.
  • List Authentication Keys: List all API keys for all users, audit usage, check for expired or unused keys, and review allowed IPs. For security, only the first and last 4 characters of each key are shown. The listing includes information such as user, key start/end, allowed IPs, read-only status, last used time, expiration, and comments.
  • Check for Expired/Unused Auth Keys: Audit authentication keys to identify those that are expired or have not been used recently.
  • Review Key Restrictions: See which API keys are restricted by IP or have other security controls in place.

You can filter by user, check for expired or unused keys, and review key restrictions for security audits.
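The key audit described above, sketched as an added example that is not taken from the project's code. The record field names, the 90-day "unused" threshold and the sample records are assumptions constructed for illustration; the fields mirror the ones the listing is said to include.

```python
from datetime import datetime, timedelta, timezone

def audit_keys(keys, now, unused_days=90):
    """Return {"user start...end": [findings]} for keys that need attention."""
    report = {}
    for key in keys:
        findings = []
        expiration = key.get("expiration")
        if expiration is None:
            findings.append("no expiration set")
        elif expiration <= now:
            findings.append("expired")
        last_used = key.get("last_used")
        if last_used is None:
            findings.append("never used")
        elif now - last_used > timedelta(days=unused_days):
            findings.append(f"unused for {(now - last_used).days} days")
        if not key.get("allowed_ips"):
            # An unrestricted read-write key is the higher-risk case.
            findings.append("no IP restriction" if key.get("read_only")
                            else "read-write key with no IP restriction")
        if findings:
            # Only the masked start/end of the key is ever handled here.
            label = f'{key["user"]} {key["key_start"]}...{key["key_end"]}'
            report[label] = findings
    return report

# Constructed sample records (hypothetical field names and values).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"user": "alice@example.org", "key_start": "aB3d", "key_end": "9xYz",
     "allowed_ips": ["192.0.2.10"], "read_only": True,
     "last_used": NOW - timedelta(days=2), "expiration": NOW + timedelta(days=30)},
    {"user": "bob@example.org", "key_start": "Qw12", "key_end": "Lm90",
     "allowed_ips": [], "read_only": False,
     "last_used": NOW - timedelta(days=200), "expiration": NOW - timedelta(days=10)},
    {"user": "svc-sync@example.org", "key_start": "Zz00", "key_end": "Aa11",
     "allowed_ips": [], "read_only": True, "last_used": None, "expiration": None},
]

if __name__ == "__main__":
    for label, findings in audit_keys(SAMPLE_KEYS, NOW).items():
        print(label, "->", "; ".join(findings))
```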


2. Installation & Setup

2.1. Prerequisites

  • Python 3.x (Python 3.8 or higher recommended)
  • pip3 (Python package installer)

2.2. Install Dependencies

  1. Clone or download this repository to your local machine
  2. Navigate to the project directory:
    cd /path/to/misp-mcp
  3. Install the required Python packages:
    pip3 install -r requirements.txt

This will install the following dependencies:

  • requests>=2.31.0 - HTTP library for API calls
  • fastmcp>=0.1.0 - FastMCP framework for MCP server implementation
  • pymisp>=2.4.172 - Python library for MISP API integration

2.3. Configure MISP Instances

  1. Copy the example configuration file:

    cp misp_instances.json.example misp_instances.json
  2. Edit misp_instances.json and fill in your MISP instance details, adding more entries to the instances array as needed:

    {
      "instances": [
        {
          "name": "default",
          "url": "https://your.misp.instance/",
          "api_key": "your_api_key",
          "ssl_skip_verify": false
        },
        {
          "name": "testing",
          "url": "https://testing.misp.instance/",
          "api_key": "your_testing_api_key",
          "ssl_skip_verify": false
        }
      ]
    }
  3. Move the configuration file to your home directory:

    mv misp_instances.json $HOME/.misp_instances.json

Note: The configuration file must be named .misp_instances.json and placed in your home directory for the tool to find it.
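A pre-flight check for the file described above, as an added example that is not part of the project's code: it flags a config readable by group or other users, non-HTTPS URLs, ssl_skip_verify set to true, and placeholder API keys. The audit_config and demo names and the sample values are constructed for illustration; only the JSON keys come from the example configuration.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

# Placeholder values as they appear in the example configuration.
PLACEHOLDER_KEYS = {"your_api_key", "your_testing_api_key"}

def audit_config(path):
    """Return a list of findings for a .misp_instances.json file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} lets group/other access API keys; use 0600")
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)  # strict JSON: comments or trailing commas raise here
    seen = set()
    for inst in config.get("instances", []):
        name = inst.get("name", "<unnamed>")
        if name in seen:
            findings.append(f"{name}: duplicate instance name")
        seen.add(name)
        if urlparse(inst.get("url", "")).scheme != "https":
            findings.append(f"{name}: url is not https")
        if inst.get("ssl_skip_verify") is True:
            findings.append(f"{name}: ssl_skip_verify is true (certificate not verified)")
        if inst.get("api_key", "") in PLACEHOLDER_KEYS | {""}:
            findings.append(f"{name}: api_key is empty or still the placeholder")
    return findings

def demo():
    """Audit a constructed config written to a temp file with loose permissions."""
    sample = {"instances": [
        {"name": "default", "url": "https://your.misp.instance/",
         "api_key": "your_api_key", "ssl_skip_verify": False},
        {"name": "testing", "url": "http://testing.misp.instance/",
         "api_key": "k" * 40, "ssl_skip_verify": True},
    ]}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".misp_instances.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        return audit_config(path)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To check a real file, call audit_config(os.path.expanduser("~/.misp_instances.json")).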


3. Usage

3.1. Testing the Installation

Before configuring the tool in Cursor or Jan, you can test that everything is working correctly:

  1. Make sure you have completed the installation and configuration steps above

  2. Test the basic functionality:

    python3 misp_fastmcp.py

    If the installation is correct, the script should start and wait for MCP client connections.

3.2. Usage in Cursor/Claude

  1. Open Cursor and go to the MCP tool configuration.

  2. Add a new MCP tool using the following config (see cursor_mcp_config.json for reference):

    {
      "mcpServers": {
        "misp": {
          "command": "python3",
          "args": ["<change path>/misp_fastmcp.py"],
          "env": {
            "cwd": "<change path>"
          },
          "enabled": true
        }
      }
    }
    • Replace <change path> with the actual path to your script and working directory.
  3. Enable the tool and restart Cursor if needed.

  4. You can now use the MISP MCP tool from within Cursor/Claude.


3.3. Usage in Jan

  1. Open Jan and go to Settings > Experimental Features.

  2. Enable:

    • "Enable experimental features"
    • "Allow automatic requests for MCP"
  3. Go to Settings > MCP Tools (or similar, depending on Jan version).

  4. Add a new MCP tool using the following config (see jan_mcp_config.json for reference):

    {
      "command": "/usr/bin/python3",
      "args": ["<change path>/misp_fastmcp.py"],
      "env": {
        "cwd": "<change path>"
      },
      "active": true
    }
    • Replace <change path> with the actual path to your script and working directory.
  5. Save and enable the tool.

Note: Jan's MCP integration may be slow unless a GPU is present.


4. Screenshots

  • Get all instances in Jan

  • Get all instances (Cursor/Claude)

  • Get users from default instance

  • Adding an event


5. Large Data Parsing and Pagination Issues

Important Note:

Many MISP API endpoints (at the time of writing) do not support server-side pagination. This means that for endpoints such as tag listing, galaxy listing, and others, the server returns all data in a single response. Due to timeout and memory limitations, it is not possible for the AI client to reliably process these large responses, even when attempting client-side code chunking or chunked parsing.

While it is technically possible to implement workarounds (such as splitting the data after retrieval), these are inefficient and may still fail for very large datasets. The preferred solution is for MISP to implement native pagination for these endpoints, which would avoid this overhead and make large data handling robust.

Event and attribute search endpoints (/events/restSearch, /attributes/restSearch) do support pagination natively in MISP. There should be no issues when using these features, and they are recommended for any use case involving large result sets.
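A sketch of page-by-page retrieval run across several instances in parallel, as an added example that is not the project's own code. The function names are hypothetical and the instances are constructed in-memory stand-ins; a real fetcher would wrap a paginated restSearch call (for example PyMISP's search with its page and limit arguments) and return the list of results for that page.

```python
from concurrent.futures import ThreadPoolExecutor

def fetch_all(fetch_page, limit=100, max_pages=1000):
    """Request page 1, 2, ... until a page comes back shorter than limit."""
    results = []
    for page in range(1, max_pages + 1):
        batch = fetch_page(page=page, limit=limit)
        results.extend(batch)
        if len(batch) < limit:  # last (possibly empty) page reached
            return results
    raise RuntimeError(f"gave up after {max_pages} pages")

def search_all_instances(fetchers, limit=100):
    """Run fetch_all per instance in parallel; record errors per instance."""
    def run(item):
        name, fetch_page = item
        try:
            return name, fetch_all(fetch_page, limit=limit), None
        except Exception as exc:  # one unreachable instance must not sink the rest
            return name, [], str(exc)
    with ThreadPoolExecutor(max_workers=max(1, len(fetchers))) as pool:
        return {name: {"results": res, "error": err}
                for name, res, err in pool.map(run, fetchers.items())}

def fake_instance(values):
    """Constructed stand-in for an instance that serves values page by page."""
    def fetch_page(page, limit):
        start = (page - 1) * limit
        return values[start:start + limit]
    return fetch_page

def broken_instance(page, limit):
    """Constructed stand-in for an instance that cannot be reached."""
    raise ConnectionError("connection refused")

def demo():
    fetchers = {
        "default": fake_instance([f"198.51.100.{i}" for i in range(1, 8)]),
        "testing": fake_instance(["203.0.113.5"]),
        "offline": broken_instance,
    }
    return search_all_instances(fetchers, limit=3)

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, len(outcome["results"]), outcome["error"])
```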


6. Troubleshooting

Common Issues

1. "Module not found" errors when running the script:

  • Make sure you've installed the dependencies: pip3 install -r requirements.txt
  • Verify you're using Python 3.x: python3 --version

2. "Configuration file not found" errors:

  • Ensure the configuration file is named exactly .misp_instances.json
  • Make sure it's placed in your home directory: $HOME/.misp_instances.json
  • Check file permissions: ls -la $HOME/.misp_instances.json

3. "Connection refused" or "SSL certificate" errors:

  • Verify your MISP instance URL is correct and accessible
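  • Check if ssl_skip_verify should be set to true for self-signed certificates. Setting it to true skips TLS certificate verification for that instance, so the API key is then sent to a server whose identity has not been checked.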
  • Ensure your API key is valid and has the necessary permissions

4. MCP tool not appearing in Cursor/Jan:

  • Verify the path in your MCP configuration is correct and absolute
  • Make sure the misp_fastmcp.py file is executable: chmod +x misp_fastmcp.py
  • Restart Cursor/Jan after adding the MCP configuration

Getting Help

For usage examples, troubleshooting, or more details, see the code or contact the maintainer.
