FlowRunner
Pricing
Theme

Connect AI agents to MISP, the open-source threat intelligence platform. Agents create and manage threat events, attach and search indicators of compromise, apply TLP tags, publish to communities, and record sightings.

16 actions available
An upstream scan or alert flags a malicious indicator
Search Attributes checks whether the indicator is already known
Add Event creates an unpublished threat event for the new indicator
Add Attribute attaches the IP, domain, hash, or URL as an IOC
Agent applies a TLP tag to classify the event's sharing level
The security team receives the event summary and threat level
An analyst confirms the event before Publish Event shares it

What This Integration Enables

Agents automatically create a MISP event and attach IOCs (IPs, domains, hashes, URLs) whenever a new threat is detected upstream, enrich or hunt across the instance by searching events and attributes for a specific indicator value, classify and share events by applying TLP or other tags and then publishing to a community, record sightings when an indicator is observed to track its prevalence, and keep an external system in sync by listing and retrieving events on a schedule. Events group related indicators and carry a distribution level, threat level, and analysis stage; attributes are the individual IOCs; tags classify events for filtering and sharing; and sightings record observations. Friendly dropdown labels map to the integers MISP expects for distribution, threat level, and analysis. The connector covers the event, attribute, tag, and sighting surface; the surrounding flow decides which ingestion runs automatically and where an analyst confirms before an event is published or drives a response.

Without FlowRunner

Manual IOC entry Indicators are typed into MISP by hand after a detection, and some never make it in
Duplicate events The same indicator gets recorded twice because nobody checked whether it was known
Publish without review Events are shared to a community without a clear confirmation step

With FlowRunner

Automated ingestion Add Event and Add Attribute record new indicators as a flow step, deduplicated first
Known-indicator checks Search Attributes confirms whether an indicator already exists before creating an event
Analyst-gated publish Events are assembled and tagged automatically, then published only on confirmation

Use Case Scenarios

Scan verdict to threat event

When a [urlscan.io](/integrations/urlscan) scan flags a malicious URL, the agent first calls Search Attributes to check whether the indicator is already tracked. If it is new, the agent calls Add Event to create an unpublished threat event, then Add Attribute to record the URL and related IOCs. The indicator lands in the intel record automatically, deduplicated, without an analyst retyping it.

Known-indicator triage

When an observed indicator arrives, the agent calls Search Attributes to check whether MISP already knows it. If the indicator is unknown, the agent promotes it into [TheHive](/integrations/thehive) as an alert for analyst triage. The team distinguishes new threats from ones already under management without a manual cross-reference.

Publish notification

When an event is published, the agent reads its summary and threat level and posts them to the security team's channel with [Slack](/integrations/slack). The team learns what was shared to the community, and the threat level, without watching the MISP feed directly.

Human-in-Loop Highlight

Publishing an event is the moment to stop and ask, because publishing shares intelligence beyond your organization according to its distribution level, and a mis-tagged or premature publish is hard to walk back. The agent does the assembly on its own: it deduplicates against known attributes, creates the unpublished event, attaches the IOCs, and applies a provisional TLP tag. Before it calls Publish Event, it pauses and asks the analyst through Slack: "Event [name] holds [count] IOCs at threat level [level], tagged [TLP]. Publish to [community], adjust the distribution, or keep it unpublished?" The analyst decides. The agent records the intelligence; the person owns the decision to share it.

Agent processes routinely
Detects exception requiring judgment
Clear match Continues automatically
Ambiguous Routes to human via Slack
Human decides
Agent resumes with decision

Agent Capabilities

16 actions

Events

7
  • Add Event Creates a new threat event, unpublished until published.
  • Get Event Retrieves a threat event and its attributes.
  • Update Event Updates an existing threat event.
  • Publish Event Publishes an event to share it with your community. Typically human-gated.
  • Search Events Searches events via the MISP restSearch API.
  • List Events Lists events on the instance for sync or reporting.
  • Delete Event Deletes a threat event.

Attributes

5
  • Add Attribute Attaches an IOC (IP, domain, hash, URL) to an event as an attribute.
  • Search Attributes Searches attributes to check whether an indicator is already known. Powers deduplication and hunting.
  • Edit Attribute Edits an existing attribute.
  • Get Attribute Retrieves a single attribute.
  • Delete Attribute Deletes an attribute from an event.

Tags and Sightings

4
  • Add Tag to Event Applies a tag, such as a TLP label, to an event for filtering and sharing.
  • Remove Tag from Event Removes a tag from an event.
  • List Tags Lists the tags defined on the instance.
  • Add Sighting Records that an indicator was observed in your environment to track its prevalence.

Start building with MISP

$100 in credits. No card required. Connect in minutes.