misp-workbench¶
A modern MISP-compatible threat intelligence platform. It provides a self-contained solution for ingesting, correlating, and analysing threat intelligence data — without requiring a full MISP instance.
Features¶
| Feature | Description |
|---|---|
| Feed ingestion | Ingest MISP, CSV, JSON, and Freetext feeds on a schedule or on demand |
| Correlations | Batch and incremental correlation scans over indexed attributes |
| Explore | Lucene queries against OpenSearch for fast indicator lookups |
| Exports | File based exports in JSON, CSV, MISP or STIX 2.1 format |
| Enrichments | IOC enrichment powered by misp-modules |
| MCP Server | AI assistant integration via the Model Context Protocol — query threat intel from Claude, Cursor, etc. |
| Hunt | Hunts are saved searches that run periodically and trigger alerts. |
| Notifications | Event-driven notifications processed by Celery workers |
| Batch Import | Easily import a list of indicators and add them as attributes to an event in a single operation. |
| Retention | Configurable event retention period with automatic purge of expired events |
| Reactor Scripts | User-defined Python scripts that react to platform events and run in an isolated sandbox |
| Notebooks | Interactive analyst notebooks with a pre-imported SDK (mwlab) for ad-hoc exploration of events, attributes, correlations, and enrichments |
| OpenSearch | Full-text search, dashboards, and ingestion pipelines |
| REST API | FastAPI backend with automatic OpenAPI documentation |
| Storage | Garage (S3-compatible) or local filesystem for attachments |