← Lidless  /  SECURITY / SOC  /  cortex-mcp

cortex-mcp

Active

MCP server for Cortex (StrangeBee/TheHive) - observable analysis.

GitHub repo → npm: thehive-cortex-mcp →

WHAT IT DOES

cortex-mcp is a Model Context Protocol server for Cortex by StrangeBee / TheHive Project. Cortex automates observable analysis (IPs, URLs, hashes, domains, emails, files) through analyzers and executes response actions through responders.

This server exposes 31 tools covering the complete Cortex API surface, plus resources and guided prompts for setup, investigation, and triage. It auto-detects observable data types, can fan out across all applicable analyzers with taxonomy aggregation, and supports both org-level and superadmin keys for administration.

Real-world actions are secured by default: arbitrary file reads are blocked, responders and deletes require an explicit environment flag plus per-call confirmation, and bulk analysis is conservative unless you opt into fan-out.

INSTALL

$ npm install -g thehive-cortex-mcp # install the binary
$ npx thehive-cortex-mcp # or run it directly

Published on npm as thehive-cortex-mcp; the binary is cortex-mcp. Requires Node.js 20+ and a running Cortex instance (v3.x recommended). Set CORTEX_URL and CORTEX_API_KEY; add CORTEX_SUPERADMIN_KEY for org/user management.

TOOLS EXPOSED

Analyzers (5)

list / get enabled analyzers
run analyzer by ID or by name
run analyzer on a file (path-confined or base64)

Analyzer definitions (3)

browse 260+ definitions with filters
enable / disable an analyzer (gated)

Jobs (7)

get job, get report, wait-and-get
list jobs, get artifacts (IOCs)
delete job (gated), bulk cleanup with dry-run

Responders (5)

list responders + browse 137+ definitions
enable / disable responders
run a responder (gated, requires confirm)

Bulk + status

analyze an observable with auto data-type detection
taxonomy aggregation, capped fan-out
instance health, version, config

Orgs + users (superadmin)

list / get / create / update organizations
list / get / create users
renew + retrieve user API keys

CLIENT CONFIG

A sample mcpServers entry for an MCP client such as Claude Desktop. The server speaks MCP over stdio. 

{
  "mcpServers": {
    "cortex": {
      "command": "cortex-mcp",
      "env": {
        "CORTEX_URL": "http://cortex.example.com:9001",
        "CORTEX_API_KEY": "your-org-admin-key",
        "CORTEX_SUPERADMIN_KEY": "your-superadmin-key"
      }
    }
  }
}