Loading...
TheHive MCP server facilitates interaction with TheHive incident response platform, enabling AI models to retrieve alerts, cases, and perform incident management tasks.
Boost this tool
Subscribe to listing upgrades or segmented pushes.
TheHive MCP server facilitates interaction with TheHive incident response platform, enabling AI models to retrieve alerts, cases, and perform incident management tasks.
This server provides a mix of read and write operations on TheHive. It's relatively safe for read-only operations, but promoting alerts or creating cases introduces risk. Secure storage and management of the API token are crucial.
Performance depends on the size of TheHive instance and network latency. Optimize queries and limit the number of alerts/cases retrieved to minimize response times.
Cost depends on the usage of TheHive API. Monitor API usage to avoid exceeding rate limits or incurring unexpected costs.
{
"mcpServers": {
"thehive": {
"command": "/path/to/mcp-server-thehive",
"env": {
"THEHIVE_URL": "https://your-thehive-instance.com:9000/api",
"THEHIVE_API_TOKEN": "your-api-token-here"
}
}
}
}THEHIVE_URLTHEHIVE_API_TOKENVERIFY_SSLRUST_LOGMCP_SERVER_THEHIVE_VERBOSE_TEST_LOGSget_thehive_alertsRetrieves a list of alerts from TheHive.
Read-only operation, no data modification.
get_thehive_alert_by_idRetrieves detailed information about a specific alert.
Read-only operation, no data modification.
get_thehive_casesRetrieves a list of cases from TheHive.
Read-only operation, no data modification.
get_thehive_case_by_idRetrieves detailed information about a specific case.
Read-only operation, no data modification.
promote_alert_to_casePromotes an existing alert to a new case.
Creates a new case based on an alert, modifying data.
create_thehive_caseCreates a new case in TheHive.
Creates new data in TheHive.
API Key
local
This server provides a mix of read and write operations on TheHive. It's relatively safe for read-only operations, but promoting alerts or creating cases introduces risk. Secure storage and management of the API token are crucial.
The level of autonomy depends on the configuration of the MCP client and the permissions granted to the TheHive API token. Exercise caution when enabling automated case creation or modification.
Production Tip
Monitor the server's logs and TheHive's audit logs to detect any suspicious activity or errors.
The API token needs read permissions for alerts and cases. Write permissions are required for promoting alerts to cases and creating new cases.
Store the API token in a secure credential store or use environment variables with restricted access. Never commit the token to version control.
No, the server does not have built-in rate limiting. Implement rate limiting in the MCP client or TheHive instance if needed.
Set the `VERIFY_SSL` environment variable to `true` and ensure that the TheHive instance has a valid SSL certificate.
The server will return an error to the MCP client. Implement retry logic in the client to handle temporary connection issues.
No, the server does not provide tools for deleting cases or alerts.
Enable debug logging by setting the `RUST_LOG` environment variable to `debug`. Check the server's logs and TheHive's audit logs for error messages.