
mcp-server-thehive

MCP Server for TheHive

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio gbrigandi-mcp-server-thehive /path/to/mcp-server-thehive \
  --env RUST_LOG="Optional logging level, e.g., info or debug" \
  --env VERIFY_SSL="true or false (default: false)" \
  --env THEHIVE_URL="TheHive API base URL, e.g., https://your-thehive-instance.com/api" \
  --env THEHIVE_API_TOKEN="Your TheHive API token"

How to use

This MCP server exposes a set of tools that interface with TheHive to assist with incident response and threat hunting. Clients can query alerts and cases, fetch detailed information, promote alerts into cases, and create new cases directly from MCP workflows. Each tool is exposed as a named action (e.g., get_thehive_alerts, get_thehive_alert_by_id, promote_alert_to_case, etc.) and can be invoked by an MCP client using the MCP stdio protocol. The server handles authentication against TheHive via API tokens, and returns structured data about alerts and cases for downstream automation or AI assistants.

To use the server, configure your MCP client to point at the server binary and supply the required environment variables for TheHive access. Typical usage involves calling tools/call with the tool name and any required arguments, then processing the returned data to drive automation or case management in your workflow.

How to install

Prerequisites

  • A TheHive 5 instance and a valid API token
  • Rust toolchain (rustc/cargo) installed on your machine
  • Access to build or download the pre-built binary for mcp-server-thehive

Installation steps

  1. Install Rust and build from source (optional if you download a pre-built binary):

    # Install Rust (if not already installed)
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

    # Clone the repository
    git clone <repository-url>
    cd mcp-server-thehive

    # Build in release mode
    cargo build --release

  2. Download and run the pre-built binary (if available):

    # Example: download and set executable permissions, then run
    # (Replace with actual release asset URL)
    wget https://github.com/gbrigandi/mcp-server-thehive/releases/download/vX.Y.Z/mcp-server-thehive-linux
    chmod +x mcp-server-thehive-linux
    ./mcp-server-thehive-linux

  3. Run directly via cargo (development):

    cargo run

  4. Prepare configuration (see mcp_config section) and ensure environment variables are set before starting the server.

Additional notes

  • THEHIVE_URL should point to your TheHive API base URL, typically something like https://thehive.example.com/api. Ensure network access from the MCP server to TheHive.
  • THEHIVE_API_TOKEN must be a valid API token with appropriate permissions for alerts and cases access.
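  • VERIFY_SSL controls TLS certificate verification. The install command above lists its default as false, so set it to true explicitly in production; leave verification disabled only in non-production environments.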
  • The server communicates over stdio via the MCP protocol; ensure your MCP client is configured to use the specified server entry (e.g., thehive).
  • When promoting an alert to a case or creating a new case, provide the required parameters (alert_id for promote_alert_to_case; title and description for create_thehive_case).
  • Review logs (set RUST_LOG) for troubleshooting during integration and testing.
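
The tools/call invocation described under "How to use", with the required parameters from the notes above, as an added example (not code from the mcp-server-thehive project). It assumes the standard MCP stdio framing of one JSON-RPC 2.0 message per line and the standard tools/call result shape, and omits the initialize handshake that precedes any tool call; the helper names and the sample id are hypothetical.

```python
import json

# Required arguments per tool, as listed in the notes above. Other tools and
# any optional arguments are not described on this page, so they are left out.
REQUIRED_ARGS = {
    "promote_alert_to_case": ("alert_id",),
    "create_thehive_case": ("title", "description"),
}


def build_tool_call(request_id, tool, arguments):
    """Return one newline-terminated JSON-RPC 2.0 `tools/call` message."""
    if tool not in REQUIRED_ARGS:
        raise ValueError(f"no argument list known for tool: {tool}")
    missing = [k for k in REQUIRED_ARGS[tool]
               if not str(arguments.get(k) or "").strip()]
    if missing:
        raise ValueError(f"{tool} missing required argument(s): {', '.join(missing)}")
    message = {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": tool, "arguments": arguments},
    }
    # stdio transport: one message per line; json.dumps escapes inner newlines.
    return json.dumps(message, separators=(",", ":")) + "\n"


def parse_tool_result(line, expected_id):
    """Return the text content of a `tools/call` response, or raise on failure."""
    reply = json.loads(line)
    if reply.get("id") != expected_id:
        raise ValueError("response id does not match the request")
    if "error" in reply:  # protocol-level failure (unknown tool, bad params)
        raise RuntimeError(f"JSON-RPC error: {reply['error'].get('message')}")
    result = reply["result"]
    text = "\n".join(c["text"] for c in result.get("content", [])
                     if c.get("type") == "text")
    if result.get("isError"):  # the tool ran but reported a failure
        raise RuntimeError(f"tool error: {text}")
    return text


if __name__ == "__main__":
    # Constructed sample values; "~123456" is a placeholder alert id.
    print(build_tool_call(1, "promote_alert_to_case", {"alert_id": "~123456"}), end="")
    sample = ('{"jsonrpc":"2.0","id":1,"result":'
              '{"content":[{"type":"text","text":"ok"}],"isError":false}}')
    print(parse_tool_result(sample, 1))
```

Checking isError separately from the JSON-RPC error field matters for the state-changing tools: a failed promotion or case creation can come back as a normal result with isError set, and automation that only checks for a protocol error would treat it as success.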
