VERIFIED

Thehive

Safety: 55/100

0.0(0)

TheHive MCP server facilitates interaction with TheHive incident response platform, enabling AI models to retrieve alerts, cases, and perform incident management tasks.

MCP ServersFreemium

Boost this tool

Subscribe to listing upgrades or segmented pushes.

Overview

TheHive MCP server facilitates interaction with TheHive incident response platform, enabling AI models to retrieve alerts, cases, and perform incident management tasks.

This server provides a mix of read and write operations on TheHive. It's relatively safe for read-only operations, but promoting alerts or creating cases introduces risk. Secure storage and management of the API token are crucial.

Performance depends on the size of TheHive instance and network latency. Optimize queries and limit the number of alerts/cases retrieved to minimize response times.

Cost depends on the usage of TheHive API. Monitor API usage to avoid exceeding rate limits or incurring unexpected costs.

LocalRust11 starsMITReleased 12/6/2025CI/CD

Connections & Capabilities

Connects To

GitHub

Capabilities

ReadWrite

Client Compatibility

Claude Desktop

full

Cursor

full

Windsurf

full

VS Code (Copilot)

full

Quickstart

Claude Desktop Config

{
  "mcpServers": {
    "thehive": {
      "command": "/path/to/mcp-server-thehive",
      "env": {
        "THEHIVE_URL": "https://your-thehive-instance.com:9000/api",
        "THEHIVE_API_TOKEN": "your-api-token-here"
      }
    }
  }
}

Environment Variables

THEHIVE_URLTHEHIVE_API_TOKENVERIFY_SSLRUST_LOGMCP_SERVER_THEHIVE_VERBOSE_TEST_LOGS

Tools (6)

safe

get_thehive_alerts

Retrieves a list of alerts from TheHive.

Read-only operation, no data modification.

safe

get_thehive_alert_by_id

Retrieves detailed information about a specific alert.

Read-only operation, no data modification.

safe

get_thehive_cases

Retrieves a list of cases from TheHive.

Read-only operation, no data modification.

safe

get_thehive_case_by_id

Retrieves detailed information about a specific case.

Read-only operation, no data modification.

moderate

promote_alert_to_case

Promotes an existing alert to a new case.

Creates a new case based on an alert, modifying data.

moderate

create_thehive_case

Creates a new case in TheHive.

Creates new data in TheHive.

Security

Auth Method

API Key

Data Locality

local

Known Risks

!Compromised API token could lead to unauthorized data modification or creation.
!Lack of input validation could lead to injection attacks.
!Overly permissive API token could grant unintended access.
!Reliance on environment variables for secrets increases exposure risk if not properly managed.

Safety Score

moderate risk

Positive

+API token authentication required
+Clear separation of concerns via MCP protocol
+SSL verification option
+Well-defined tool set with specific functions

Risks

-Requires API token with potentially broad permissions
-Promote alert to case and create case tools can modify data
-No built-in rate limiting
-Environment variables used for secrets management

Use Cases

Incident Triage

-Automated alert summarization
-Enrichment of alerts with case information
-Prioritization of alerts based on severity

Incident Response Automation

-Automated case creation from high-priority alerts
-Automated assignment of cases to responders
-Automated tagging of cases based on alert characteristics

Threat Intelligence

-Retrieval of threat intelligence data associated with alerts
-Correlation of alerts with threat intelligence feeds
-Automated enrichment of cases with threat intelligence data

Reporting and Metrics

-Generating reports on alert volume and severity
-Tracking case resolution times
-Measuring the effectiveness of incident response efforts

Who Is This For?

Best For

Security analysts automating incident response workflows
Threat intelligence platforms integrating with TheHive
SOAR platforms orchestrating security tools
AI models analyzing security alerts and cases

Not Ideal For

Environments with strict data governance policies prohibiting automated case creation
Use cases requiring real-time data synchronization
Scenarios where API token security cannot be guaranteed

Autonomy & Execution

Default ModeRead and Write enabled

The level of autonomy depends on the configuration of the MCP client and the permissions granted to the TheHive API token. Exercise caution when enabling automated case creation or modification.

StatelessYes

Retry LogicNot documented

ConcurrencySingle-threaded

Production Tip

Monitor the server's logs and TheHive's audit logs to detect any suspicious activity or errors.

FAQ

What TheHive permissions are required for the API token?

The API token needs read permissions for alerts and cases. Write permissions are required for promoting alerts to cases and creating new cases.

How do I secure the TheHive API token?

Store the API token in a secure credential store or use environment variables with restricted access. Never commit the token to version control.

Does this server support rate limiting?

No, the server does not have built-in rate limiting. Implement rate limiting in the MCP client or TheHive instance if needed.

How do I enable SSL verification?

Set the `VERIFY_SSL` environment variable to `true` and ensure that the TheHive instance has a valid SSL certificate.

What happens if the connection to TheHive is lost?

The server will return an error to the MCP client. Implement retry logic in the client to handle temporary connection issues.

Can I use this server to delete cases or alerts?

No, the server does not provide tools for deleting cases or alerts.

How do I troubleshoot errors?

Enable debug logging by setting the `RUST_LOG` environment variable to `debug`. Check the server's logs and TheHive's audit logs for error messages.

Metrics

Discovered2/14/2026

Reviews0

Saved By0 users

Related Tools

Thehive - AI Tool Review & Alternatives | Flaex AI