Authenticate to your MISP instance by sending your API key in the Authorization header (Authorization: YOUR_API_KEY) on all requests; obtain the key from Event Actions > Automation in the MISP UI.
Search for relevant events with POST https://{misp-host}/events/restSearch, supplying a JSON body with filters such as tags (e.g., tlp:white), type_attribute (e.g., ip-dst, domain, url), to_ids: true, and a limit parameter.
Extract attribute values from the returned events; each event contains an Attribute array with fields value, type, to_ids, and category — filter to to_ids: true for actionable indicators.
Alternatively, query attributes directly with POST /attributes/restSearch using the same filter parameters to receive a flat list of attributes without full event context, which is faster for large datasets.
Deduplicate and format extracted values into your blocklist format (firewall ACL, DNS RPZ zone, proxy blocklist); record the MISP event UUID and attribute UUID as provenance for each blocked indicator.
Known gotchas
MISP's restSearch pagination is controlled by a page parameter and a limit; omitting limit on large instances can trigger very slow queries or timeouts — always set a reasonable limit and paginate.
The to_ids flag is the MISP community convention for 'safe to use in automated blocking'; indicators with to_ids: false are informational only and should not be automatically blocked without analyst review.
MISP API responses default to XML in older versions; send Accept: application/json and Content-Type: application/json headers to ensure JSON responses.
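The steps and gotchas above combined into one paginated pull from /attributes/restSearch, as an added example that is not part of the original page or of MISP's own code. It assumes the response shape {"response": {"Attribute": [...]}} and that the includeEventUuid filter puts an event_uuid field on each attribute; make_post, collect_indicators, fake_post and the sample pages are constructed for illustration.

```python
import json
import urllib.request

LOWERCASE_TYPES = {"domain", "hostname"}  # case-insensitive indicator types

def make_post(base_url, api_key):
    """Build a POST helper that sends the headers MISP needs for JSON."""
    def post(path, body):
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": api_key, "Accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return post

def collect_indicators(post, filters, limit=500, max_pages=1000):
    """Page through /attributes/restSearch and return
    {(type, value): [provenance, ...]} for to_ids attributes only."""
    indicators = {}
    for page in range(1, max_pages + 1):
        body = dict(filters, page=page, limit=limit, includeEventUuid=True)
        # Assumed response shape: {"response": {"Attribute": [...]}}
        batch = post("/attributes/restSearch", body).get("response", {}).get("Attribute", [])
        for attr in batch:
            if attr.get("to_ids") not in (True, 1, "1"):
                continue  # informational only; needs analyst review before blocking
            value = attr["value"].strip()
            if attr["type"] in LOWERCASE_TYPES:
                value = value.lower()
            indicators.setdefault((attr["type"], value), []).append(
                {"attribute_uuid": attr.get("uuid"), "event_uuid": attr.get("event_uuid")})
        if len(batch) < limit:  # short page means the result set is exhausted
            break
    return indicators

# Constructed sample pages (not real MISP data), keyed by page number.
SAMPLE_PAGES = {
    1: [{"type": "domain", "value": "Bad.example", "to_ids": True, "uuid": "attr-1", "event_uuid": "evt-A"},
        {"type": "ip-dst", "value": "203.0.113.7", "to_ids": False, "uuid": "attr-2", "event_uuid": "evt-A"}],
    2: [{"type": "domain", "value": "bad.example", "to_ids": True, "uuid": "attr-3", "event_uuid": "evt-B"},
        {"type": "url", "value": "http://bad.example/Path", "to_ids": True, "uuid": "attr-4", "event_uuid": "evt-B"}],
    3: [{"type": "ip-dst", "value": "198.51.100.9", "to_ids": True, "uuid": "attr-5", "event_uuid": "evt-C"}],
}

def fake_post(path, body):
    """Offline stand-in for make_post(...) that serves SAMPLE_PAGES."""
    return {"response": {"Attribute": SAMPLE_PAGES.get(body["page"], [])}}

if __name__ == "__main__":
    for (kind, value), sources in collect_indicators(fake_post, {"to_ids": True}, limit=2).items():
        print(kind, value, sources)
```

Against a live instance, pass make_post("https://{misp-host}", api_key) in place of fake_post; each provenance entry carries the event and attribute UUIDs to record beside the blocklist line.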