Connect AI to Your Security Operations with TheHive MCP Server

Turn your AI assistant into a security analyst that can actually do something about incidents. This MCP server bridges Claude, ChatGPT, or any MCP-compatible AI directly to your TheHive incident response platform.

Why Your SOC Needs This

Security teams are drowning in alerts, but AI assistants can't touch your actual incident response systems. You're stuck copy-pasting between your AI chat and TheHive, losing context and wasting precious response time.

This server changes that. Your AI can now:

• Triage alerts intelligently by analyzing multiple indicators across your TheHive instance
• Promote critical alerts to cases based on threat intelligence correlation
• Create structured incident reports with proper severity scoring and tagging
• Query historical cases to identify attack patterns and recommend response playbooks

Real SOC Workflows Made Simple

Intelligent Alert Triage

You: "Show me high-severity alerts from the last 24 hours and analyze which ones might be related to the APT campaign we're tracking."

AI: *Retrieves alerts, correlates IoCs, identifies 3 potential matches*
"Based on the domain patterns and timing, these alerts likely belong to the same campaign. Should I promote them to a case?"

You: "Yes, create a case called 'APT-29 Infrastructure Expansion'"

AI: *Creates case, links related alerts, applies appropriate TLP and severity*

Automated Case Management

Your AI assistant can now handle the tedious parts of incident response:

• Pull alert details and observables for analysis
• Create properly formatted cases with standardized tagging
• Promote related alerts into cohesive investigations
• Generate incident summaries with MITRE ATT&CK mapping

Historical Analysis and Pattern Recognition

You: "What similar malware cases have we handled in the past 6 months?"

AI: *Searches cases, analyzes patterns*
"Found 4 similar cases involving the same C2 infrastructure. Here's the progression and our successful containment strategy..."

Quick Integration

Built for security teams who need reliability. Written in Rust for performance, with comprehensive error handling and proper SSL verification.

Setup Your Environment

export THEHIVE_URL=https://your-thehive.company.com/api
export THEHIVE_API_TOKEN=your-api-token
export VERIFY_SSL=true

Add to Your MCP Client

{
  "mcpServers": {
    "thehive": {
      "command": "/path/to/mcp-server-thehive",
      "env": {
        "THEHIVE_URL": "https://your-thehive.company.com/api",
        "THEHIVE_API_TOKEN": "your-api-token"
      }
    }
  }
}

Available Operations

Alert Management:

• get_thehive_alerts - Retrieve and filter alerts with custom limits
• get_thehive_alert_by_id - Deep-dive into specific alert details
• promote_alert_to_case - Convert critical alerts to full investigations

Case Operations:

• get_thehive_cases - Query your case database
• get_thehive_case_by_id - Access complete case information
• create_thehive_case - Generate new investigations with proper metadata

Each tool returns structured data your AI can analyze, correlate, and act upon.

Production-Ready Security

This isn't a proof-of-concept. It includes:

• Comprehensive integration tests with mock TheHive server
• Proper SSL certificate verification
• Secure token handling through environment variables
• Detailed logging for audit trails
• Pre-compiled binaries for quick deployment

Get Started

Download the latest binary from the releases page or build from source:

git clone https://github.com/gbrigandi/mcp-server-thehive.git
cd mcp-server-thehive
cargo build --release

Stop manually juggling between AI insights and your security tools. Give your AI assistant direct access to your incident response platform and watch your team's efficiency multiply.

Your SOC deserves better than copy-paste workflows.