{"id":49250443,"url":"https://github.com/solomonneas/thehive-mcp","last_synced_at":"2026-04-25T00:02:43.807Z","repository":{"id":345957703,"uuid":"1151933197","full_name":"solomonneas/thehive-mcp","owner":"solomonneas","description":"MCP server for TheHive incident response platform. Manage cases, alerts, tasks, observables, and investigations via AI agents.","archived":false,"fork":false,"pushed_at":"2026-04-20T22:55:35.000Z","size":85,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-21T00:39:00.604Z","etag":null,"topics":["ai-agents","case-management","incident-response","mcp","model-context-protocol","security","soar","thehive"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/solomonneas.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-07T05:14:37.000Z","updated_at":"2026-04-20T22:55:38.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/solomonneas/thehive-mcp","commit_stats":null,"previous_names":["solomonneas/thehive-mcp"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/solomonneas/thehive-mcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fthehive-mcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fthehive-mcp/tags","
releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fthehive-mcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fthehive-mcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/solomonneas","download_url":"https://codeload.github.com/solomonneas/thehive-mcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fthehive-mcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32245154,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T13:21:15.438Z","status":"ssl_error","status_checked_at":"2026-04-24T13:21:15.005Z","response_time":64,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","case-management","incident-response","mcp","model-context-protocol","security","soar","thehive"],"created_at":"2026-04-25T00:02:43.063Z","updated_at":"2026-04-25T00:02:43.798Z","avatar_url":"https://github.com/solomonneas.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# thehive-mcp\n\nMCP (Model Context Protocol) server for [TheHive](https://thehive-project.org/) security incident response platform. 
Lets AI agents create cases, manage alerts, track observables, run Cortex analyzers, and orchestrate incident response workflows.\n\nTested against **TheHive 5.4.11** with full end-to-end verification (36 live integration tests).\n\n## Features\n\n- **35 tools** covering the full TheHive 5 API surface\n- **Case management** - create, list, get, update, close, delete, search, merge cases\n- **Alert management** - create, list, get, update, promote to case, delete alerts\n- **Task management** - create, list, get, update tasks within cases\n- **Observable management** - add (single + bulk), list, get, search observables\n- **Task logs** - add and list log entries on tasks\n- **Comments** - add and list comments on cases\n- **User management** - list users, get current user info\n- **Cortex integration** - list analyzers, run analyzer jobs, get job results\n- **Raw query API** - execute arbitrary TheHive Query DSL for complex searches\n- **Case templates** - list available templates for case creation\n- **Status** - health check, version info, capabilities\n- **3 prompt templates** - case summary, alert triage, incident response workflow\n- **3 resources** - open cases, new alerts, current user\n\n## Installation\n\n```bash\nnpm install -g thehive-mcp\n```\n\nOr run directly:\n\n```bash\nnpx thehive-mcp\n```\n\n## Configuration\n\nSet environment variables:\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `THEHIVE_URL` | Yes | - | TheHive instance URL (e.g. 
`http://thehive:9000`) |\n| `THEHIVE_API_KEY` | Yes | - | API key for authentication |\n| `THEHIVE_VERIFY_SSL` | No | `true` | Set to `false` to disable SSL verification |\n| `THEHIVE_TIMEOUT` | No | `30` | Request timeout in seconds |\n\n### Claude Desktop\n\nAdd to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\\Claude\\claude_desktop_config.json` (Windows):\n\n```json\n{\n  \"mcpServers\": {\n    \"thehive\": {\n      \"command\": \"thehive-mcp\",\n      \"env\": {\n        \"THEHIVE_URL\": \"http://your-thehive:9000\",\n        \"THEHIVE_API_KEY\": \"your-api-key\"\n      }\n    }\n  }\n}\n```\n\n### Claude Code\n\n```bash\nclaude mcp add thehive \\\n  --env THEHIVE_URL=http://your-thehive:9000 \\\n  --env THEHIVE_API_KEY=your-api-key \\\n  -- thehive-mcp\n```\n\nAdd `--scope user` to make it available from any directory instead of only the current project.\n\n### OpenClaw\n\nIf you're running from a source checkout instead of the npm-installed binary, point `command`/`args` at the built `dist/index.js`:\n\n```bash\nopenclaw mcp set thehive '{\n  \"command\": \"node\",\n  \"args\": [\"/absolute/path/to/thehive-mcp/dist/index.js\"],\n  \"env\": {\n    \"THEHIVE_URL\": \"http://your-thehive:9000\",\n    \"THEHIVE_API_KEY\": \"your-api-key\"\n  }\n}'\n```\n\nOr, with the global npm install:\n\n```bash\nopenclaw mcp set thehive '{\n  \"command\": \"thehive-mcp\",\n  \"env\": {\n    \"THEHIVE_URL\": \"http://your-thehive:9000\",\n    \"THEHIVE_API_KEY\": \"your-api-key\"\n  }\n}'\n```\n\nThen restart the OpenClaw gateway so the new server is picked up:\n\n```bash\nsystemctl --user restart openclaw-gateway\nopenclaw mcp list   # confirm \"thehive\" is registered\n```\n\n### Hermes Agent\n\n[Hermes Agent](https://github.com/NousResearch/hermes-agent) reads MCP config from `~/.hermes/config.yaml` under the `mcp_servers` key. 
Add an entry:\n\n```yaml\nmcp_servers:\n  thehive:\n    command: \"thehive-mcp\"\n    env:\n      THEHIVE_URL: \"http://your-thehive:9000\"\n      THEHIVE_API_KEY: \"your-api-key\"\n```\n\nOr, when running from a source checkout instead of the global npm install:\n\n```yaml\nmcp_servers:\n  thehive:\n    command: \"node\"\n    args: [\"/absolute/path/to/thehive-mcp/dist/index.js\"]\n    env:\n      THEHIVE_URL: \"http://your-thehive:9000\"\n      THEHIVE_API_KEY: \"your-api-key\"\n```\n\nThen reload MCP from inside a Hermes session:\n\n```\n/reload-mcp\n```\n\n### Codex CLI\n\n[Codex CLI](https://github.com/openai/codex) registers MCP servers via `codex mcp add`:\n\n```bash\ncodex mcp add thehive \\\n  --env THEHIVE_URL=http://your-thehive:9000 \\\n  --env THEHIVE_API_KEY=your-api-key \\\n  -- thehive-mcp\n```\n\nOr, when running from a source checkout:\n\n```bash\ncodex mcp add thehive \\\n  --env THEHIVE_URL=http://your-thehive:9000 \\\n  --env THEHIVE_API_KEY=your-api-key \\\n  -- node /absolute/path/to/thehive-mcp/dist/index.js\n```\n\nCodex writes the entry to `~/.codex/config.toml` under `[mcp_servers.thehive]`. Verify with:\n\n```bash\ncodex mcp list\n```\n\n## Tools\n\n### Cases (8 tools)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_list_cases` | List cases with filters (status, severity, tags, owner) |\n| `thehive_get_case` | Get a specific case by ID |\n| `thehive_create_case` | Create a new case |\n| `thehive_update_case` | Update case fields (severity, status, tags, etc.) 
|\n| `thehive_search_cases` | Search cases by title keyword |\n| `thehive_close_case` | Close a case with resolution status and summary |\n| `thehive_delete_case` | Permanently delete a case (with optional force) |\n| `thehive_merge_cases` | Merge multiple cases into one |\n\n### Alerts (6 tools)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_list_alerts` | List alerts with filters (status, severity, source, type) |\n| `thehive_get_alert` | Get a specific alert by ID |\n| `thehive_create_alert` | Create a new alert |\n| `thehive_update_alert` | Update alert fields |\n| `thehive_promote_alert` | Promote an alert to a case |\n| `thehive_delete_alert` | Permanently delete an alert |\n\n### Tasks (4 tools)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_list_tasks` | List tasks for a case |\n| `thehive_get_task` | Get a specific task by ID |\n| `thehive_create_task` | Create a task in a case |\n| `thehive_update_task` | Update task fields (status, assignee, etc.) 
|\n\n### Observables (5 tools)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_list_observables` | List observables for a case |\n| `thehive_get_observable` | Get a specific observable by ID |\n| `thehive_create_observable` | Add a single observable to a case |\n| `thehive_create_observable_bulk` | Add multiple observables of the same type in one request |\n| `thehive_search_observables` | Search observables across all cases |\n\n### Task Logs (2 tools)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_list_task_logs` | List log entries for a task |\n| `thehive_create_task_log` | Add a log entry to a task |\n\n### Comments (2 tools)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_list_comments` | List comments on a case |\n| `thehive_create_comment` | Add a comment to a case |\n\n### Users (2 tools)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_list_users` | List users in the organization |\n| `thehive_get_current_user` | Get the authenticated user's profile |\n\n### Cortex (3 tools)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_list_analyzers` | List available Cortex analyzers |\n| `thehive_run_analyzer` | Run a Cortex analyzer on an observable |\n| `thehive_get_job` | Get analyzer job status and results |\n\n### Query (1 tool)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_query` | Execute raw TheHive Query DSL for complex searches, date ranges, counting, etc. 
|\n\n### Templates (1 tool)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_list_case_templates` | List available case templates |\n\n### Status (1 tool)\n\n| Tool | Description |\n|------|-------------|\n| `thehive_status` | Get server health, version, and capabilities |\n\n## Prompt Templates\n\n| Prompt | Description |\n|--------|-------------|\n| `case-summary` | Generate a comprehensive incident case report |\n| `alert-triage` | Triage and analyze an alert for escalation |\n| `incident-response` | Guided incident response workflow |\n\n## Resources\n\n| Resource | URI | Description |\n|----------|-----|-------------|\n| Open Cases | `thehive://cases/open` | Currently open cases |\n| New Alerts | `thehive://alerts/new` | Unprocessed alerts |\n| Current User | `thehive://user/current` | Authenticated user info |\n\n## Development\n\n```bash\n# Install dependencies\nnpm install\n\n# Build\nnpm run build\n\n# Run tests (unit, 68 tests)\nnpm test\n\n# Run live integration tests (36 tests, requires TheHive instance)\nTHEHIVE_URL=http://your-thehive:9000 THEHIVE_API_KEY=your-key npx tsx scripts/live-test.ts\n\n# Type check\nnpm run typecheck\n\n# Development mode\nTHEHIVE_URL=http://your-thehive:9000 THEHIVE_API_KEY=your-key npm run dev\n```\n\n## TheHive 5 Notes\n\n- **Organizations matter.** The `admin` org only has platform permissions. Create a separate org (e.g. \"SOC\") with an `org-admin` user for full case/alert/task/observable access.\n- **Case statuses changed in v5.** Closed statuses are: TruePositive, FalsePositive, Indeterminate, Duplicated, Other. There is no \"Resolved\" status.\n- **PATCH returns 204.** Update operations return no body; the client re-fetches the entity automatically.\n- **Observable creation returns arrays.** The client handles this transparently. 
Bulk creation uses `data` as an array.\n- **Cortex connector endpoints** live under `/api/connector/`, not `/api/v1/`.\n- **`description` is required** when creating cases and alerts.\n- **The agent acts with the API key's permissions.** Every tool, including `thehive_delete_case`, `thehive_delete_alert`, `thehive_merge_cases` and the raw `thehive_query`, runs with whatever the key's user may do, so issue the key to a dedicated account that has only the access the agent needs. Prefer an `https://` URL: over `http://` the key travels in cleartext, and `THEHIVE_VERIFY_SSL=false` belongs only in a lab, since it lets anything on the path impersonate the server.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolomonneas%2Fthehive-mcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsolomonneas%2Fthehive-mcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolomonneas%2Fthehive-mcp/lists"}
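The "TheHive 5 Notes" in the README describe three response quirks that a client has to absorb: PATCH answers 204 with no body, observable creation always returns an array, and bulk creation sends `data` as an array. The TypeScript below is an added example, not the thehive-mcp project's own code, that implements those rules against a constructed in-memory stand-in for TheHive so it runs offline. The `/api/v1/case/...` paths and the 201 status for creation are assumptions about the TheHive 5 v1 API, not taken from the page.

```typescript
// Added example, not code from the thehive-mcp project: a minimal TheHive 5
// client that implements the client-side rules from the README's "TheHive 5
// Notes". Endpoint paths and the 201 create status are assumptions based on the
// TheHive 5 v1 API; the transport is an in-memory stand-in so the file runs
// offline. A real transport would wrap fetch() and add the
// `Authorization: Bearer <THEHIVE_API_KEY>` header with TLS verification on.

type HttpMethod = "GET" | "POST" | "PATCH";
interface HttpResponse { status: number; body?: unknown }
type Transport = (method: HttpMethod, path: string, body?: unknown) => Promise<HttpResponse>;

interface TheHiveCase { _id: string; title: string; severity: number; status: string }
interface Observable { _id: string; dataType: string; data: string }

class TheHiveClient {
  constructor(private readonly transport: Transport) {}

  async getCase(id: string): Promise<TheHiveCase> {
    const res = await this.transport("GET", `/api/v1/case/${encodeURIComponent(id)}`);
    if (res.status !== 200) throw new Error(`GET case ${id} failed: HTTP ${res.status}`);
    return res.body as TheHiveCase;
  }

  // TheHive 5 answers PATCH with 204 and no body, so the updated entity is
  // re-fetched rather than parsed from the update response.
  async updateCase(id: string, patch: Partial<Omit<TheHiveCase, "_id">>): Promise<TheHiveCase> {
    const res = await this.transport("PATCH", `/api/v1/case/${encodeURIComponent(id)}`, patch);
    if (res.status !== 204 && res.status !== 200) throw new Error(`PATCH case ${id} failed: HTTP ${res.status}`);
    return this.getCase(id);
  }

  // Bulk creation: one dataType, `data` as an array of values; the server
  // answers with an array of created observables.
  async createObservables(caseId: string, dataType: string, data: string[]): Promise<Observable[]> {
    const res = await this.transport("POST", `/api/v1/case/${encodeURIComponent(caseId)}/observable`, { dataType, data });
    if (res.status !== 201 && res.status !== 200) throw new Error(`POST observable failed: HTTP ${res.status}`);
    if (!Array.isArray(res.body)) throw new Error("observable creation should return an array");
    return res.body as Observable[];
  }

  // Single creation is a one-element bulk call; unwrap the array for the caller.
  async createObservable(caseId: string, dataType: string, data: string): Promise<Observable> {
    const created = await this.createObservables(caseId, dataType, [data]);
    if (created.length !== 1) throw new Error(`expected 1 observable, got ${created.length}`);
    return created[0];
  }
}

// Constructed in-memory stand-in for a TheHive 5 server. It mimics only the
// response shapes the notes describe and is not the real API.
function fakeTheHive(): Transport {
  const cases = new Map<string, TheHiveCase>([
    ["~1", { _id: "~1", title: "Phishing wave", severity: 2, status: "New" }],
  ]);
  const observables = new Map<string, Observable[]>();
  let nextId = 100;
  const caseRoute = /^\/api\/v1\/case\/([^/]+)$/;
  const observableRoute = /^\/api\/v1\/case\/([^/]+)\/observable$/;

  return async (method, path, body) => {
    const notFound: HttpResponse = { status: 404, body: { message: "not found" } };
    let m: RegExpMatchArray | null;
    if (method === "GET" && (m = path.match(caseRoute))) {
      const c = cases.get(m[1]);
      return c ? { status: 200, body: c } : notFound;
    }
    if (method === "PATCH" && (m = path.match(caseRoute))) {
      const c = cases.get(m[1]);
      if (!c) return notFound;
      cases.set(m[1], { ...c, ...(body as Partial<TheHiveCase>), _id: c._id });
      return { status: 204 }; // no body, as TheHive 5 does
    }
    if (method === "POST" && (m = path.match(observableRoute))) {
      if (!cases.has(m[1])) return notFound;
      const { dataType, data } = body as { dataType: string; data: string[] };
      const created = data.map((d) => ({ _id: `~${nextId++}`, dataType, data: d }));
      observables.set(m[1], [...(observables.get(m[1]) ?? []), ...created]);
      return { status: 201, body: created }; // always an array, even for one value
    }
    return notFound;
  };
}

// Walks through all three quirks against the stand-in and returns a log of what happened.
async function demo(): Promise<string[]> {
  const client = new TheHiveClient(fakeTheHive());
  const log: string[] = [];
  const updated = await client.updateCase("~1", { severity: 3, status: "InProgress" });
  log.push(`updated case ${updated._id}: severity=${updated.severity} status=${updated.status}`);
  const ip = await client.createObservable("~1", "ip", "198.51.100.7");
  log.push(`single observable ${ip._id}: ${ip.dataType}=${ip.data}`);
  const domains = await client.createObservables("~1", "domain", ["a.example", "b.example"]);
  log.push(`bulk observables: ${domains.map((o) => o._id).join(", ")}`);
  return log;
}

demo().then((lines) => lines.forEach((l) => console.log(l)));
```

Run it with `npx tsx file.ts`. To use it against a real instance, replace `fakeTheHive()` with a transport built on `fetch()` that sets the `Authorization: Bearer` header from `THEHIVE_API_KEY` and leaves certificate verification enabled; keeping the transport injectable is also what lets the quirk handling be unit-tested without a live TheHive.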