MISP Lookup and Push.
/lookup-misp
The MISP API integration skill gives your AI coding agent two-way access to your MISP instance: query it for existing events and attributes on an indicator, and push new intelligence back as attributes, fresh events or uploaded STIX. It reads MISP_URL and MISP_API_KEY from your environment, so once those are set you can search and contribute to your sharing platform without leaving the agent.
What it does.
It connects to your MISP instance through the MISP API in both directions. On the read side, ask it whether an IP, domain, hash or other value already appears in your events and it returns the matching attributes and their context. On the write side, it can add attributes to an event, create a new event, or upload a STIX bundle, so findings you generate during an investigation go straight back into the shared record.
When to use it.
Query MISP early in triage to see whether your team has already seen an indicator and what context exists around it, which saves duplicate work. Use the push side at the end of an investigation to record new attributes or stand up an event for a fresh cluster of activity. It is the link between the lookup skills and your team's shared intelligence.
What you get back.
For queries, a summary of matching events and attributes with their tags, categories and any correlation MISP reports. For writes, confirmation of what was created or updated along with the relevant event identifiers. It relies on the MISP_URL and MISP_API_KEY values, and if either is missing the skill notes the gap and returns rather than failing mid-run.
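The read side described above, sketched as an added example that is not the skill's own code: it checks the two environment variables, builds a search against MISP's REST endpoint `/attributes/restSearch`, and groups the returned attributes by event. The function names are hypothetical, the endpoint and header layout follow MISP's REST API rather than anything stated on this page, and the response is a constructed sample.

```python
import json
import urllib.request

def load_config(env):
    """Return (config, note). config is None when a required variable is unset."""
    missing = [k for k in ("MISP_URL", "MISP_API_KEY") if not env.get(k)]
    if missing:
        return None, "MISP lookup skipped, not set: " + ", ".join(missing)
    return {"url": env["MISP_URL"].rstrip("/"), "key": env["MISP_API_KEY"]}, None

def build_search(config, value):
    """Build (not send) a POST to MISP's /attributes/restSearch for one value."""
    body = json.dumps({"returnFormat": "json", "value": value}).encode()
    headers = {"Authorization": config["key"], "Accept": "application/json",
               "Content-Type": "application/json"}
    return urllib.request.Request(config["url"] + "/attributes/restSearch",
                                  data=body, headers=headers, method="POST")

def summarise(payload):
    """Group matching attributes by event: info, categories, types, tags."""
    events = {}
    for attr in payload.get("response", {}).get("Attribute", []):
        ev = events.setdefault(attr["event_id"], {
            "info": attr.get("Event", {}).get("info", ""),
            "categories": set(), "types": set(), "tags": set()})
        ev["categories"].add(attr["category"])
        ev["types"].add(attr["type"])
        ev["tags"].update(t["name"] for t in attr.get("Tag", []))
    return events

# Constructed sample response (documentation-range IP, made-up event ids).
SAMPLE = {"response": {"Attribute": [
    {"event_id": "41", "category": "Network activity", "type": "ip-dst",
     "value": "203.0.113.7", "Event": {"info": "Constructed phishing cluster"},
     "Tag": [{"name": "tlp:amber"}]},
    {"event_id": "41", "category": "Network activity", "type": "ip-src",
     "value": "203.0.113.7", "Event": {"info": "Constructed phishing cluster"}},
    {"event_id": "57", "category": "Payload delivery", "type": "ip-dst",
     "value": "203.0.113.7", "Event": {"info": "Constructed dropper event"},
     "Tag": [{"name": "tlp:green"}]},
]}}

if __name__ == "__main__":
    import os
    cfg, note = load_config(os.environ)
    # Report the gap and carry on instead of failing mid-run.
    print(note if cfg is None else build_search(cfg, "203.0.113.7").full_url)
    for event_id, ev in summarise(SAMPLE).items():
        print(event_id, ev["info"], sorted(ev["categories"]), sorted(ev["tags"]))
```

The API key travels in the `Authorization` header of every request, so `MISP_URL` should be an HTTPS address and the key should be scoped to what the agent needs to read or write.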
How it fits your workflow.
MISP is where many teams keep their shared intelligence, so this skill closes the loop between solo analysis and the team record. Enrich an indicator with the other lookup skills, check it against MISP, then push the consolidated result back as structured attributes or a STIX bundle. The IOC enrichment workflow can correlate against MISP automatically as part of building an enrichment record.