
thehive-mcp

Active

MCP server for TheHive - security incident response.

WHAT IT DOES

thehive-mcp is a Model Context Protocol server for TheHive, the open-source security incident response platform. Point an AI client at it and TheHive becomes a set of tools the agent can call: create and triage cases, manage alerts, track observables, run Cortex analyzers, and orchestrate incident response workflows.

It exposes 47 tools across the full TheHive 5 API surface, plus prompt templates and resources for open cases, new alerts, and the current user. It is tested against TheHive 5.4.11 with live read, write, and destructive coverage.

Destructive and irreversible operations (delete case, delete alert, merge, promote, raw query) are gated behind explicit environment flags and off by default, so an agent cannot wipe a case without you opting in.

INSTALL

$ npm install -g thehive-mcp # install the CLI globally
$ npx thehive-mcp # or run it directly without installing

Requires Node.js 20+. Set THEHIVE_URL and THEHIVE_API_KEY for your instance. Add THEHIVE_ALLOW_DESTRUCTIVE_TOOLS=true only when you want to enable the delete/merge/promote tools; leave it unset otherwise, and the gated tools stay off.
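The gating described above, as an added example that is not thehive-mcp's own code: a small registry where destructive tools are both hidden from the tool list and refused at call time unless THEHIVE_ALLOW_DESTRUCTIVE_TOOLS is exactly "true". The tool names, the destructive flag on each entry and the audit record are assumptions made for illustration; the real server's registry and flag parsing may differ.

```javascript
// Added example (not thehive-mcp's own code): env-flag gating of destructive MCP tools.
// Tool names and the `destructive` marker are assumed for illustration only.

// Only the literal string "true" opts in. "1", "yes", "TRUE" or an unset variable all
// keep destructive tools off, so a typo in a client config fails closed.
function destructiveToolsAllowed(env) {
  return env.THEHIVE_ALLOW_DESTRUCTIVE_TOOLS === "true";
}

// Constructed registry: a few read/write tools plus the irreversible ones.
// Handlers are stubs that report which action would have run against TheHive.
const TOOLS = [
  { name: "list_cases",    destructive: false, handler: () => ({ action: "list" }) },
  { name: "create_case",   destructive: false, handler: () => ({ action: "create" }) },
  { name: "delete_case",   destructive: true,  handler: () => ({ action: "delete" }) },
  { name: "merge_cases",   destructive: true,  handler: () => ({ action: "merge" }) },
  { name: "promote_alert", destructive: true,  handler: () => ({ action: "promote" }) },
  { name: "raw_query",     destructive: true,  handler: () => ({ action: "query" }) },
];

// What an MCP client sees in tools/list: when the flag is off, gated tools are omitted
// entirely, so the agent cannot even discover them.
function visibleTools(tools, env) {
  const allowed = destructiveToolsAllowed(env);
  return tools.filter((t) => allowed || !t.destructive).map((t) => t.name);
}

// Defense in depth for tools/call: hiding a tool is not the same as making it
// unreachable. A client that guesses the name is still refused, and every attempt
// (allowed, blocked or unknown) is recorded in the audit array for logging.
function callTool(tools, env, name, args, audit = []) {
  const tool = tools.find((t) => t.name === name);
  if (!tool) {
    audit.push({ tool: name, outcome: "unknown" });
    throw new Error(`unknown tool: ${name}`);
  }
  if (tool.destructive && !destructiveToolsAllowed(env)) {
    audit.push({ tool: name, outcome: "blocked" });
    throw new Error(
      `${name} is a destructive tool; set THEHIVE_ALLOW_DESTRUCTIVE_TOOLS=true to enable it`
    );
  }
  audit.push({ tool: name, outcome: "allowed" });
  return tool.handler(args);
}

// Non-throwing wrapper that returns the audit outcome alongside the result or error.
function tryCall(tools, env, name, args) {
  const audit = [];
  try {
    const result = callTool(tools, env, name, args, audit);
    return { outcome: audit[0].outcome, result };
  } catch (e) {
    return { outcome: audit[0] ? audit[0].outcome : "error", error: e.message };
  }
}

// Stand-alone demo: default (flag unset) versus explicit opt-in.
const offEnv = {};
const onEnv = { THEHIVE_ALLOW_DESTRUCTIVE_TOOLS: "true" };
console.log("flag unset, visible:", visibleTools(TOOLS, offEnv));
console.log("flag unset, delete_case:", tryCall(TOOLS, offEnv, "delete_case", { id: "~1" }));
console.log("flag true, delete_case:", tryCall(TOOLS, onEnv, "delete_case", { id: "~1" }));
```

The two-layer check matters because MCP clients can call tools/call with any name regardless of what tools/list returned; filtering the list improves the agent's behaviour, but the call-time refusal is what actually protects the data.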

TOOLS EXPOSED

Cases (16)

list / get / create / update / search cases
close, assign, tag, flag, bulk assign + close
timeline summary, custom fields, delete, merge (gated)

Alerts (6)

list / get / create / update alerts
promote to case + delete (gated)

Tasks + logs (6)

list / get / create / update tasks
list + add task log entries

Observables (5)

list / get / create observables
bulk create, search across all cases

Cortex (7)

list analyzers, find enrichment options
run analyzer, run-and-wait, poll job, summarize report

Comments, users, query, status

list + add case comments
list users, get current user
guarded raw Query DSL (gated), case templates, server status

CLIENT CONFIG

A sample mcpServers entry for an MCP client such as Claude Desktop. The server speaks MCP over stdio. Note that the API key is stored in plaintext in the client's config file, so issue it to a dedicated, least-privileged TheHive user rather than an admin account, and prefer an https URL when the instance is reached over a network.

{
  "mcpServers": {
    "thehive": {
      "command": "thehive-mcp",
      "env": {
        "THEHIVE_URL": "http://your-thehive:9000",
        "THEHIVE_API_KEY": "your-api-key"
      }
    }
  }
}