logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

mcp-server-thehive

A Rust-based MCP server to integrate TheHive, facilitating collaborative security incident response and case management via AI.

Author

MCP Server

gbrigandi

MIT License

Quick Info

GitHub GitHub Stars 11
NPM Weekly Downloads 0
Tools 1
Last Updated 2026-02-19

Actions

GitHub View on GitHub

Tags

mcpgbrigandiserversecurity gbrigandimcp servergbrigandi mcp

MCP Server for TheHive

An MCP (Model Context Protocol) server that provides AI models and automation tools with access to TheHive incident response platform.

Overview

This server acts as a bridge between MCP clients (like AI assistants) and TheHive, allowing them to:

  • Retrieve and analyze security alerts
  • Access case information
  • Promote alerts to cases
  • Perform incident response operations

Features

Available Tools

  1. get_thehive_alerts - Retrieve a list of alerts from TheHive
  2. Optional limit parameter (default: 100)

  3. Returns formatted alert information including ID, title, severity, and status

  4. get_thehive_alert_by_id - Get detailed information about a specific alert

  5. Required alert_id parameter

  6. Returns comprehensive alert details

  7. get_thehive_cases - Retrieve a list of cases from TheHive

  8. Optional limit parameter (default: 100)

  9. Returns formatted case information

  10. get_thehive_case_by_id - Get detailed information about a specific case

  11. Required case_id parameter

  12. Returns comprehensive case details

  13. promote_alert_to_case - Promote an alert to a case

  14. Required alert_id parameter

  15. Returns information about the newly created case

  16. create_thehive_case - Create a new case in TheHive

  17. Required title and description parameters
  18. Optional parameters: severity, tags, tlp, pap, status, assignee, case_template, start_date
  19. Returns information about the newly created case

Installation

Prerequisites

  • Access to a TheHive 5 instance
  • Valid TheHive API token

Downloading Pre-compiled Binaries

You can download pre-compiled binaries for various operating systems from the GitHub Releases page. Download the appropriate binary for your system, make it executable, and place it in your desired location.

Building from Source

git clone <repository-url>
cd mcp-server-thehive
cargo build --release

Configuration

The server requires the following environment variables:

  • THEHIVE_URL - TheHive API base URL (default: http://localhost:9000/api)
  • THEHIVE_API_TOKEN - TheHive API token (required)
  • VERIFY_SSL - Whether to verify SSL certificates (default: false)
  • RUST_LOG - Logging level (optional, e.g., debug, info)

Environment File

Create a .env file in the project root:

THEHIVE_URL=https://your-thehive-instance.com/api
THEHIVE_API_TOKEN=your-api-token-here
VERIFY_SSL=true
RUST_LOG=info

Getting a TheHive API Token

  1. Log into your TheHive instance
  2. Go to User SettingsAPI Keys
  3. Click Create API Key
  4. Copy the generated token and use it as THEHIVE_API_TOKEN

Usage

Running the Server

# Using cargo
cargo run

# Using the built binary
./target/release/mcp-server-thehive

Integration with MCP Clients

The server communicates over stdio using the MCP protocol. Configure your MCP client to use this server:

{
  "mcpServers": {
    "thehive": {
      "command": "/path/to/mcp-server-thehive",
      "env": {
        "THEHIVE_URL": "https://your-thehive-instance.com:9000/api",
        "THEHIVE_API_TOKEN": "your-api-token-here"
      }
    }
  }
}

Examples

Retrieving Recent Alerts

{
  "method": "tools/call",
  "params": {
    "name": "get_thehive_alerts",
    "arguments": {
      "limit": 10
    }
  }
}

Getting Alert Details

{
  "method": "tools/call",
  "params": {
    "name": "get_thehive_alert_by_id",
    "arguments": {
      "alert_id": "~123456"
    }
  }
}

Promoting an Alert to Case

{
  "method": "tools/call",
  "params": {
    "name": "promote_alert_to_case",
    "arguments": {
      "alert_id": "~123456"
    }
  }
}

Creating a New Case

{
  "method": "tools/call",
  "params": {
    "name": "create_thehive_case",
    "arguments": {
      "title": "Potential Malware Outbreak",
      "description": "Multiple endpoints reporting suspicious process activity.",
      "severity": 3,
      "tags": ["malware", "endpoint", "epp"],
      "tlp": 2,
      "assignee": "soc_level2"
    }
  }
}

Development

Project Structure

mcp-server-thehive/
├── src/
│   ├── main.rs              # Main server implementation
│   ├── lib.rs               # Library exports
│   └── thehive/
│       ├── mod.rs           # Module declarations
│       ├── client.rs        # TheHive API client
│       └── error.rs         # Error types
├── tests/
│   ├── bin/
│   │   └── mock_thehive_server.rs # Mock TheHive API server for testing
│   ├── integration_test.rs    # Integration tests
│   └── mcp_stdio_test.rs      # Stdio interface tests
├── Cargo.toml               # Dependencies and metadata
└── README.md                # This file

Dependencies

  • rmcp - MCP protocol implementation
  • thehive-client - TheHive API client library
  • tokio - Async runtime
  • reqwest - HTTP client
  • serde - Serialization framework
  • tracing - Logging and instrumentation

Testing

The project includes a comprehensive suite of integration tests that leverage a mock TheHive server. This mock server simulates the TheHive API, allowing for isolated and repeatable testing of the MCP server's functionality without requiring a live TheHive instance.

Running Tests:

# Run all tests (including integration tests that use the mock server)
cargo test

# Run tests with verbose logging (includes MCP server and mock server logs)
RUST_LOG=debug MCP_SERVER_THEHIVE_VERBOSE_TEST_LOGS=true cargo test

Security Considerations

  • Store API tokens securely (use environment variables or secure credential stores)
  • Never commit API tokens to version control
  • Enable SSL verification in production environments
  • Limit network access to TheHive instance
  • Use least-privilege API tokens for TheHive access
  • Monitor and log all API interactions
  • Rotate API tokens regularly

Troubleshooting

Common Issues

  1. Connection Refused
  2. Verify THEHIVE_URL is correct
  3. Check network connectivity to TheHive instance

  4. Ensure TheHive is running and accessible

  5. Authentication Failed

  6. Verify THEHIVE_API_TOKEN is correct and not expired
  7. Check if the API token has necessary permissions

  8. Ensure the token is properly formatted

  9. SSL Certificate Errors

  10. Set VERIFY_SSL=false for testing (not recommended for production)
  11. Install proper SSL certificates
  12. Use valid certificate authority

Logging

Enable debug logging for troubleshooting:

RUST_LOG=debug cargo run

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests if applicable
  5. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

See Also

MCP
Mcp-server-thehive Mcp
MCP
Servers Mcp
Man Pages
case Man Pages
Alert
Alert PNG Icons
MCP
Token-info-mcp Mcp
Man Pages
Test::Sys::Info::Driver Man Pages
MCP
Client Mcp
Man Pages
Config::Model::Instance Man Pages
Man Pages
cargo Man Pages
← Back to Security🙏  Credits & Acknowledgments
`