TheHive MCP Server

TheHive MCP Server

TheHive MCP Server

Category
Visit Server

README

MCP Server for TheHive

An MCP (Model Context Protocol) server that provides AI models and automation tools with access to TheHive incident response platform.

Overview

This server acts as a bridge between MCP clients (like AI assistants) and TheHive, allowing them to:

  • Retrieve and analyze security alerts
  • Access case information
  • Promote alerts to cases
  • Perform incident response operations

Features

Available Tools

  1. get_thehive_alerts - Retrieve a list of alerts from TheHive

    • Optional limit parameter (default: 100)
    • Returns formatted alert information including ID, title, severity, and status

  2. get_thehive_alert_by_id - Get detailed information about a specific alert

    • Required alert_id parameter
    • Returns comprehensive alert details

  3. get_thehive_cases - Retrieve a list of cases from TheHive

    • Optional limit parameter (default: 100)
    • Returns formatted case information

  4. get_thehive_case_by_id - Get detailed information about a specific case

    • Required case_id parameter
    • Returns comprehensive case details

  5. promote_alert_to_case - Promote an alert to a case

    • Required alert_id parameter
    • Returns information about the newly created case

  6. create_thehive_case - Create a new case in TheHive

    • Required title and description parameters
    • Optional parameters: severity, tags, tlp, pap, status, assignee, case_template, start_date
    • Returns information about the newly created case

Installation

Prerequisites

  • Access to a TheHive 5 instance
  • Valid TheHive API token

Downloading Pre-compiled Binaries

You can download pre-compiled binaries for various operating systems from the GitHub Releases page. Download the appropriate binary for your system, make it executable, and place it in your desired location.

Building from Source

git clone <repository-url>
cd mcp-server-thehive
cargo build --release

Configuration

The server requires the following environment variables:

  • THEHIVE_URL - TheHive API base URL (default: http://localhost:9000/api)
  • THEHIVE_API_TOKEN - TheHive API token (required)
  • VERIFY_SSL - Whether to verify SSL certificates (default: false)
  • RUST_LOG - Logging level (optional, e.g., debug, info)

Environment File

Create a .env file in the project root:

THEHIVE_URL=https://your-thehive-instance.com/api
THEHIVE_API_TOKEN=your-api-token-here
VERIFY_SSL=true
RUST_LOG=info

Getting a TheHive API Token

  1. Log into your TheHive instance
  2. Go to User SettingsAPI Keys
  3. Click Create API Key
  4. Copy the generated token and use it as THEHIVE_API_TOKEN

Usage

Running the Server

# Using cargo
cargo run

# Using the built binary
./target/release/mcp-server-thehive

Integration with MCP Clients

The server communicates over stdio using the MCP protocol. Configure your MCP client to use this server:

{
  "mcpServers": {
    "thehive": {
      "command": "/path/to/mcp-server-thehive",
      "env": {
        "THEHIVE_URL": "https://your-thehive-instance.com:9000/api",
        "THEHIVE_API_TOKEN": "your-api-token-here"
      }
    }
  }
}

Examples

Retrieving Recent Alerts

{
  "method": "tools/call",
  "params": {
    "name": "get_thehive_alerts",
    "arguments": {
      "limit": 10
    }
  }
}

Getting Alert Details

{
  "method": "tools/call",
  "params": {
    "name": "get_thehive_alert_by_id",
    "arguments": {
      "alert_id": "~123456"
    }
  }
}

Promoting an Alert to Case

{
  "method": "tools/call",
  "params": {
    "name": "promote_alert_to_case",
    "arguments": {
      "alert_id": "~123456"
    }
  }
}

Creating a New Case

{
  "method": "tools/call",
  "params": {
    "name": "create_thehive_case",
    "arguments": {
      "title": "Potential Malware Outbreak",
      "description": "Multiple endpoints reporting suspicious process activity.",
      "severity": 3,
      "tags": ["malware", "endpoint", "epp"],
      "tlp": 2,
      "assignee": "soc_level2"
    }
  }
}

Development

Project Structure

mcp-server-thehive/
├── src/
│   ├── main.rs              # Main server implementation
│   ├── lib.rs               # Library exports
│   └── thehive/
│       ├── mod.rs           # Module declarations
│       ├── client.rs        # TheHive API client
│       └── error.rs         # Error types
├── tests/
│   ├── bin/
│   │   └── mock_thehive_server.rs # Mock TheHive API server for testing
│   ├── integration_test.rs    # Integration tests
│   └── mcp_stdio_test.rs      # Stdio interface tests
├── Cargo.toml               # Dependencies and metadata
└── README.md                # This file

Dependencies

  • rmcp - MCP protocol implementation
  • thehive-client - TheHive API client library
  • tokio - Async runtime
  • reqwest - HTTP client
  • serde - Serialization framework
  • tracing - Logging and instrumentation

Testing

The project includes a comprehensive suite of integration tests that leverage a mock TheHive server. This mock server simulates the TheHive API, allowing for isolated and repeatable testing of the MCP server's functionality without requiring a live TheHive instance.

Running Tests:

# Run all tests (including integration tests that use the mock server)
cargo test

# Run tests with verbose logging (includes MCP server and mock server logs)
RUST_LOG=debug MCP_SERVER_THEHIVE_VERBOSE_TEST_LOGS=true cargo test

Security Considerations

  • Store API tokens securely (use environment variables or secure credential stores)
  • Never commit API tokens to version control
  • Enable SSL verification in production environments
  • Limit network access to TheHive instance
  • Use least-privilege API tokens for TheHive access
  • Monitor and log all API interactions
  • Rotate API tokens regularly

Troubleshooting

Common Issues

  1. Connection Refused

    • Verify THEHIVE_URL is correct
    • Check network connectivity to TheHive instance
    • Ensure TheHive is running and accessible

  2. Authentication Failed

    • Verify THEHIVE_API_TOKEN is correct and not expired
    • Check if the API token has necessary permissions
    • Ensure the token is properly formatted

  3. SSL Certificate Errors

    • Set VERIFY_SSL=false for testing (not recommended for production)
    • Install proper SSL certificates
    • Use valid certificate authority

Logging

Enable debug logging for troubleshooting:

RUST_LOG=debug cargo run

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests if applicable
  5. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Related Projects

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured