TheHive MCP Server


An MCP server for TheHive Security Incident Response Platform.

Stars: 0 | Forks: 0 | Releases: 0

Overview

TheHive MCP Server is a Model Context Protocol (MCP) server implementation that connects TheHive, a security incident response platform, to MCP-compatible clients. It provides a standardized way to interact with TheHive's data model and operations through MCP, enabling automation, orchestration, and integration with external tooling. The server exposes a broad set of MCP tools covering case management, alert management, observable handling, the task lifecycle, and attachment management, including create, update, delete, get, and find operations for cases, alerts, observables, tasks, and attachments. It also supports merging alerts into cases, promoting alerts to cases, and merging cases, along with specialized actions such as starting and completing tasks, creating and attaching files, and running Cortex analyzer jobs. The implementation relies on the official TheHive client library (thehive4py) and is configured through the environment variables HIVE_URL and HIVE_API_KEY. The README describes deployment options for Claude Desktop and a uv-based run mode, plus a manual installation path (pip install . and python -m thehive_mcp). This setup enables secure, scalable MCP-based integration with TheHive.

Details

Owner: redwaysecurity
Language: Python
License: (none listed)
Updated: 2025-12-07

Features

Comprehensive MCP toolset

Provides a wide range of MCP operations for cases, alerts, observables, tasks, attachments, and related actions, enabling rich MCP-based automation and orchestration with TheHive.

Case management operations

Supports creating, updating, deleting, merging cases, promoting alerts to cases, and retrieving or listing cases through MCP tools.

Observables, alerts, and task handling

Enables creating and managing observables in alerts or cases, retrieving observables, and managing task lifecycles linked to cases and alerts.

Attachment handling

Manages case attachments with add, delete, find, and download operations to support evidence and artifact management.

Cortex integration support

Includes Cortex-related tooling such as analyzers and responder actions, and supports running observable analyzers and managing analyzer jobs.

Search, count, and retrieval capabilities

Offers find/get/list and count operations for alerts, cases, observables, tasks, and related entities to support comprehensive querying and reporting.

Dependency and deployment convenience

Relies on the TheHive client library (thehive4py), is configured through the environment variables HIVE_URL and HIVE_API_KEY, and offers multiple deployment options (Claude Desktop, uv) as well as a manual install path.

Audience

SOC analysts: use MCP clients to manage cases, alerts, observables, and tasks within TheHive.

Tags

thehive, mcp, incident-response, security, case-management, alerts, observables, tasks, attachments, cortex, integration, automation