MISP Client
Rust client for the MISP threat intelligence platform API.
Usage
use misp_client::MispClientFactory;
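let misp = MispClientFactory::builder()
    .base_url("https://misp.local")
    .api_key("your-api-key")
    // Keep certificate verification on. With `verify_ssl(false)` the client cannot tell
    // the real MISP server from an on-path impostor, which puts the API key and the
    // returned intelligence at risk. Reserve `false` for throwaway lab instances that
    // use self-signed certificates.
    .verify_ssl(true)
    .build();

// Search attributes for an indicator value.
let attrs = misp.attributes().search_by_value("8.8.8.8").await?;
// Fetch one event ("123" is a sample identifier).
let event = misp.events().get("123").await?;
// Ask whether the value appears on a warninglist (the false-positive check).
let on_list = misp.warninglists().is_whitelisted("8.8.8.8").await?;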
Clients
MispClientFactory provides access to:
events() for event queries
attributes() for IOC searches
galaxies() for threat actors, MITRE ATT&CK, malware
sightings() for observation tracking
warninglists() for false positive checks
Example
IOC enrichment with context lookup, sighting history, and warninglist check:
use misp_client::MispClientFactory;
use std::env;
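/// Enriches one IOC against MISP: matching attributes, sighting counts and warninglist status.
///
/// Connection settings come from the `MISP_URL` and `MISP_API_KEY` environment variables,
/// which keeps the key out of the source file.
///
/// # Panics
/// Panics if either environment variable is unset or is not valid Unicode.
///
/// # Errors
/// Returns the first error produced by any MISP request.
#[tokio::main]
async fn main() -> misp_client::Result<()> {
    let base_url = env::var("MISP_URL").expect("MISP_URL required");
    let api_key = env::var("MISP_API_KEY").expect("MISP_API_KEY required");

    let misp = MispClientFactory::builder()
        .base_url(base_url)
        .api_key(api_key)
        // Certificate verification stays enabled: with `verify_ssl(false)` nothing
        // authenticates the server, so the API key and the lookup results could be read
        // or altered by anyone on the network path. Use `false` only against a disposable
        // lab instance with a self-signed certificate.
        .verify_ssl(true)
        .build();

    // Confirm the URL and key work before running any lookups.
    let info = misp.test_connection().await?;
    println!("MISP {}\n", info.version);

    let ioc = "192.168.1.100";
    println!("Lookup: {}", ioc);

    // Context lookup: which attributes (and therefore events) carry this value.
    let results = misp.attributes().search_by_value(ioc).await?;
    if results.is_empty() {
        println!(" no matches");
    } else {
        println!(" {} matches:", results.len());
        for attr in &results {
            println!(" Event #{}: {} ({})", attr.event_id, attr.value, attr.attr_type);
        }
    }

    // Sighting history for the same value.
    let count = misp.sightings().count_for_value(ioc).await?;
    println!(
        "\nSightings: {} total ({} pos, {} neg)",
        count.total, count.positive, count.negative
    );

    // A warninglist hit is context for the analyst (likely false positive), not proof
    // that the value is benign.
    if misp.warninglists().is_whitelisted(ioc).await? {
        println!("\nOn warninglist");
    } else {
        println!("\nNot on any warninglist");
    }

    Ok(())
}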
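Run with the command below, replacing the URL and key with your own values. Prefer exporting MISP_API_KEY from a secrets manager or a protected environment file, because a key typed inline is saved in shell history: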
MISP_URL=https://misp.local MISP_API_KEY=xxx cargo run --example enrichment
See examples/ for more.
License
MIT