An MCP (Model Context Protocol) server that provides AI models and automation tools with access to TheHive incident response platform.
This server acts as a bridge between MCP clients (like AI assistants) and TheHive, allowing them to:
- Retrieve and analyze security alerts
- Access case information
- Promote alerts to cases
- Perform incident response operations
-
get_thehive_alerts - Retrieve a list of alerts from TheHive
- Optional
limitparameter (default: 100) - Returns formatted alert information including ID, title, severity, and status
- Optional
-
get_thehive_alert_by_id - Get detailed information about a specific alert
- Required
alert_idparameter - Returns comprehensive alert details
- Required
-
get_thehive_cases - Retrieve a list of cases from TheHive
- Optional
limitparameter (default: 100) - Returns formatted case information
- Optional
-
get_thehive_case_by_id - Get detailed information about a specific case
- Required
case_idparameter - Returns comprehensive case details
- Required
-
promote_alert_to_case - Promote an alert to a case
- Required
alert_idparameter - Returns information about the newly created case
- Required
-
create_thehive_case - Create a new case in TheHive
- Required
titleanddescriptionparameters - Optional parameters:
severity,tags,tlp,pap,status,assignee,case_template,start_date - Returns information about the newly created case
- Required
- Access to a TheHive 5 instance
- Valid TheHive API token
You can download pre-compiled binaries for various operating systems from the GitHub Releases page. Download the appropriate binary for your system, make it executable, and place it in your desired location.
git clone <repository-url>
cd mcp-server-thehive
cargo build --releaseThe server requires the following environment variables:
THEHIVE_URL- TheHive API base URL (default:http://localhost:9000/api)THEHIVE_API_TOKEN- TheHive API token (required)VERIFY_SSL- Whether to verify SSL certificates (default:false)RUST_LOG- Logging level (optional, e.g.,debug,info)
Create a .env file in the project root:
THEHIVE_URL=https://your-thehive-instance.com/api
THEHIVE_API_TOKEN=your-api-token-here
VERIFY_SSL=true
RUST_LOG=info- Log into your TheHive instance
- Go to User Settings → API Keys
- Click Create API Key
- Copy the generated token and use it as
THEHIVE_API_TOKEN
# Using cargo
cargo run
# Using the built binary
./target/release/mcp-server-thehiveThe server communicates over stdio using the MCP protocol. Configure your MCP client to use this server:
{
"mcpServers": {
"thehive": {
"command": "/path/to/mcp-server-thehive",
"env": {
"THEHIVE_URL": "https://your-thehive-instance.com:9000/api",
"THEHIVE_API_TOKEN": "your-api-token-here"
}
}
}
}{
"method": "tools/call",
"params": {
"name": "get_thehive_alerts",
"arguments": {
"limit": 10
}
}
}{
"method": "tools/call",
"params": {
"name": "get_thehive_alert_by_id",
"arguments": {
"alert_id": "~123456"
}
}
}{
"method": "tools/call",
"params": {
"name": "promote_alert_to_case",
"arguments": {
"alert_id": "~123456"
}
}
}{
"method": "tools/call",
"params": {
"name": "create_thehive_case",
"arguments": {
"title": "Potential Malware Outbreak",
"description": "Multiple endpoints reporting suspicious process activity.",
"severity": 3,
"tags": ["malware", "endpoint", "epp"],
"tlp": 2,
"assignee": "soc_level2"
}
}
}mcp-server-thehive/
├── src/
│ ├── main.rs # Main server implementation
│ ├── lib.rs # Library exports
│ └── thehive/
│ ├── mod.rs # Module declarations
│ ├── client.rs # TheHive API client
│ └── error.rs # Error types
├── tests/
│ ├── bin/
│ │ └── mock_thehive_server.rs # Mock TheHive API server for testing
│ ├── integration_test.rs # Integration tests
│ └── mcp_stdio_test.rs # Stdio interface tests
├── Cargo.toml # Dependencies and metadata
└── README.md # This file
- rmcp - MCP protocol implementation
- thehive-client - TheHive API client library
- tokio - Async runtime
- reqwest - HTTP client
- serde - Serialization framework
- tracing - Logging and instrumentation
The project includes a comprehensive suite of integration tests that leverage a mock TheHive server. This mock server simulates the TheHive API, allowing for isolated and repeatable testing of the MCP server's functionality without requiring a live TheHive instance.
Running Tests:
# Run all tests (including integration tests that use the mock server)
cargo test
# Run tests with verbose logging (includes MCP server and mock server logs)
RUST_LOG=debug MCP_SERVER_THEHIVE_VERBOSE_TEST_LOGS=true cargo test- Store API tokens securely (use environment variables or secure credential stores)
- Never commit API tokens to version control
- Enable SSL verification in production environments
- Limit network access to TheHive instance
- Use least-privilege API tokens for TheHive access
- Monitor and log all API interactions
- Rotate API tokens regularly
-
Connection Refused
- Verify
THEHIVE_URLis correct - Check network connectivity to TheHive instance
- Ensure TheHive is running and accessible
- Verify
-
Authentication Failed
- Verify
THEHIVE_API_TOKENis correct and not expired - Check if the API token has necessary permissions
- Ensure the token is properly formatted
- Verify
-
SSL Certificate Errors
- Set
VERIFY_SSL=falsefor testing (not recommended for production) - Install proper SSL certificates
- Use valid certificate authority
- Set
Enable debug logging for troubleshooting:
RUST_LOG=debug cargo run- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
- thehive-client-rs - Rust client library for TheHive API
- mcp-server-cortex - MCP server for Cortex
- mcp-server-wazuh - MCP server for Wazuh SIEM