How do I install MCP Server for TheHive?

Install MCP Server for TheHive with a single command: npx mdskills install gbrigandi/mcp-server-thehive. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support MCP Server for TheHive?

MCP Server for TheHive works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Gemini Cli, Amp, Roo Code, Goose. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to MCP servers

MCP Server for TheHive

Name: MCP Server for TheHive: AI Agent Skill
Rating: 8 (1 reviews)
Author: gbrigandi

Verified

MCP ServerIntermediate

An MCP (Model Context Protocol) server that provides AI models and automation tools with access to TheHive incident response platform. This server acts as a bridge between MCP clients (like AI assistants) and TheHive, allowing them to: - Retrieve and analyze security alerts - Access case information - Promote alerts to cases - Perform incident response operations 1. getthehivealerts - Retrieve a l

by @gbrigandi0Updated 1 weeks ago

Add this skill

npx mdskills install gbrigandi/mcp-server-thehive

Fork & Edit

Skill Advisor8.0

Well-documented MCP server enabling comprehensive security incident management through TheHive API integration

+Provides six well-defined tools for complete alert and case lifecycle management
+Includes clear configuration examples, environment setup, and integration instructions
+Features comprehensive testing suite with mock server for isolated validation
-Declares filesystem write and shell execution permissions that don't appear necessary for API operations

SKILL.md

Edit in Browser

1# MCP Server for TheHive
2 
3An MCP (Model Context Protocol) server that provides AI models and automation tools with access to TheHive incident response platform.
4 
5## Overview
6 
7This server acts as a bridge between MCP clients (like AI assistants) and TheHive, allowing them to:
8 
9- Retrieve and analyze security alerts
10- Access case information
11- Promote alerts to cases
12- Perform incident response operations
13 
14## Features
15 
16### Available Tools
17 
181. **get_thehive_alerts** - Retrieve a list of alerts from TheHive
19   - Optional `limit` parameter (default: 100)
20   - Returns formatted alert information including ID, title, severity, and status
21 
222. **get_thehive_alert_by_id** - Get detailed information about a specific alert
23   - Required `alert_id` parameter
24   - Returns comprehensive alert details
25 
263. **get_thehive_cases** - Retrieve a list of cases from TheHive
27   - Optional `limit` parameter (default: 100)
28   - Returns formatted case information
29 
304. **get_thehive_case_by_id** - Get detailed information about a specific case
31   - Required `case_id` parameter
32   - Returns comprehensive case details
33 
345. **promote_alert_to_case** - Promote an alert to a case
35   - Required `alert_id` parameter
36   - Returns information about the newly created case
37 
386. **create_thehive_case** - Create a new case in TheHive
39   - Required `title` and `description` parameters
40   - Optional parameters: `severity`, `tags`, `tlp`, `pap`, `status`, `assignee`, `case_template`, `start_date`
41   - Returns information about the newly created case
42 
43## Installation
44 
45### Prerequisites
46 
47- Access to a TheHive 5 instance
48- Valid TheHive API token
49 
50### Downloading Pre-compiled Binaries
51 
52You can download pre-compiled binaries for various operating systems from the [GitHub Releases page](https://github.com/gbrigandi/mcp-server-thehive/releases). Download the appropriate binary for your system, make it executable, and place it in your desired location.
53 
54### Building from Source
55 
56```bash
57git clone <repository-url>
58cd mcp-server-thehive
59cargo build --release
60```
61 
62## Configuration
63 
64The server requires the following environment variables:
65 
66- `THEHIVE_URL` - TheHive API base URL (default: `http://localhost:9000/api`)
67- `THEHIVE_API_TOKEN` - TheHive API token (required)
68- `VERIFY_SSL` - Whether to verify SSL certificates (default: `false`)
69- `RUST_LOG` - Logging level (optional, e.g., `debug`, `info`)
70 
71### Environment File
72 
73Create a `.env` file in the project root:
74 
75```env
76THEHIVE_URL=https://your-thehive-instance.com/api
77THEHIVE_API_TOKEN=your-api-token-here
78VERIFY_SSL=true
79RUST_LOG=info
80```
81 
82### Getting a TheHive API Token
83 
841. Log into your TheHive instance
852. Go to **User Settings** → **API Keys**
863. Click **Create API Key**
874. Copy the generated token and use it as `THEHIVE_API_TOKEN`
88 
89## Usage
90 
91### Running the Server
92 
93```bash
94# Using cargo
95cargo run
96 
97# Using the built binary
98./target/release/mcp-server-thehive
99```
100 
101### Integration with MCP Clients
102 
103The server communicates over stdio using the MCP protocol. Configure your MCP client to use this server:
104 
105```json
106{
107  "mcpServers": {
108    "thehive": {
109      "command": "/path/to/mcp-server-thehive",
110      "env": {
111        "THEHIVE_URL": "https://your-thehive-instance.com:9000/api",
112        "THEHIVE_API_TOKEN": "your-api-token-here"
113      }
114    }
115  }
116}
117```
118 
119## Examples
120 
121### Retrieving Recent Alerts
122 
123```json
124{
125  "method": "tools/call",
126  "params": {
127    "name": "get_thehive_alerts",
128    "arguments": {
129      "limit": 10
130    }
131  }
132}
133```
134 
135### Getting Alert Details
136 
137```json
138{
139  "method": "tools/call",
140  "params": {
141    "name": "get_thehive_alert_by_id",
142    "arguments": {
143      "alert_id": "~123456"
144    }
145  }
146}
147```
148 
149### Promoting an Alert to Case
150 
151```json
152{
153  "method": "tools/call",
154  "params": {
155    "name": "promote_alert_to_case",
156    "arguments": {
157      "alert_id": "~123456"
158    }
159  }
160}
161```
162 
163### Creating a New Case
164 
165```json
166{
167  "method": "tools/call",
168  "params": {
169    "name": "create_thehive_case",
170    "arguments": {
171      "title": "Potential Malware Outbreak",
172      "description": "Multiple endpoints reporting suspicious process activity.",
173      "severity": 3,
174      "tags": ["malware", "endpoint", "epp"],
175      "tlp": 2,
176      "assignee": "soc_level2"
177    }
178  }
179}
180```
181 
182## Development
183 
184### Project Structure
185 
186```
187mcp-server-thehive/
188├── src/
189│   ├── main.rs              # Main server implementation
190│   ├── lib.rs               # Library exports
191│   └── thehive/
192│       ├── mod.rs           # Module declarations
193│       ├── client.rs        # TheHive API client
194│       └── error.rs         # Error types
195├── tests/
196│   ├── bin/
197│   │   └── mock_thehive_server.rs # Mock TheHive API server for testing
198│   ├── integration_test.rs    # Integration tests
199│   └── mcp_stdio_test.rs      # Stdio interface tests
200├── Cargo.toml               # Dependencies and metadata
201└── README.md                # This file
202```
203 
204### Dependencies
205 
206- **rmcp** - MCP protocol implementation
207- **thehive-client** - TheHive API client library
208- **tokio** - Async runtime
209- **reqwest** - HTTP client
210- **serde** - Serialization framework
211- **tracing** - Logging and instrumentation
212 
213### Testing
214 
215The project includes a comprehensive suite of integration tests that leverage a mock TheHive server. This mock server simulates the TheHive API, allowing for isolated and repeatable testing of the MCP server's functionality without requiring a live TheHive instance.
216 
217**Running Tests:**
218 
219```bash
220# Run all tests (including integration tests that use the mock server)
221cargo test
222 
223# Run tests with verbose logging (includes MCP server and mock server logs)
224RUST_LOG=debug MCP_SERVER_THEHIVE_VERBOSE_TEST_LOGS=true cargo test
225```
226 
227## Security Considerations
228 
229- Store API tokens securely (use environment variables or secure credential stores)
230- Never commit API tokens to version control
231- Enable SSL verification in production environments
232- Limit network access to TheHive instance
233- Use least-privilege API tokens for TheHive access
234- Monitor and log all API interactions
235- Rotate API tokens regularly
236 
237## Troubleshooting
238 
239### Common Issues
240 
2411. **Connection Refused**
242   - Verify `THEHIVE_URL` is correct
243   - Check network connectivity to TheHive instance
244   - Ensure TheHive is running and accessible
245 
2462. **Authentication Failed**
247   - Verify `THEHIVE_API_TOKEN` is correct and not expired
248   - Check if the API token has necessary permissions
249   - Ensure the token is properly formatted
250 
2513. **SSL Certificate Errors**
252   - Set `VERIFY_SSL=false` for testing (not recommended for production)
253   - Install proper SSL certificates
254   - Use valid certificate authority
255 
256### Logging
257 
258Enable debug logging for troubleshooting:
259 
260```bash
261RUST_LOG=debug cargo run
262```
263 
264## Contributing
265 
2661. Fork the repository
2672. Create a feature branch
2683. Make your changes
2694. Add tests if applicable
2705. Submit a pull request
271 
272## License
273 
274This project is licensed under the MIT License - see the LICENSE file for details.
275 
276## Related Projects
277 
278- [thehive-client-rs](https://github.com/gbrigandi/thehive-client-rs) - Rust client library for TheHive API
279- [mcp-server-cortex](https://github.com/gbrigandi/mcp-server-cortex) - MCP server for Cortex
280- [mcp-server-wazuh](https://github.com/gbrigandi/mcp-server-wazuh) - MCP server for Wazuh SIEM
281

Full transparency — inspect the skill content before installing.