TheHive MCP connector
TheHive is an open-source security incident response platform for managing alerts, cases, observables, and tasks during security investigations. The TheHive MCP connector allows AI agents to manage security alerts, create and update cases, and track investigation progress across incident response workflows. It also supports promoting alerts to cases, managing observables and tasks, and coordinating team activities throughout the incident lifecycle.
Authentication type
- API Key - Requires a static API key to be configured before the agent can connect to the service.
Uses
Use the TheHive MCP connector to perform the following actions:
- Triage security alerts and escalate critical threats to cases automatically
- Track incident response tasks and document investigation findings in real time
- Correlate suspicious observables across multiple incidents to identify attack patterns
- Automate alert enrichment and orchestrate response workflows with external tools
- Generate audit trails and compliance reports for security incident investigations
- Route cases to on-call responders based on severity and threat indicators
Example prompts
Use the following example prompts to invoke TheHive MCP connector tools from your AI assistant or Boomi Connect workflow:
- Show me all open alerts in TheHive from the last 24 hours.
- Create a new case in TheHive for the phishing campaign we detected today.
- List all tasks assigned to me in TheHive and their current status.
- Add an observable for the malicious IP address to this TheHive case.
- Promote the critical alert to a case and assign it to the security team.
- Update the status of this case in TheHive to closed and document the resolution.
- Get all comments on this TheHive case to review the investigation timeline.
- Create a task log entry for the forensic analysis we completed in TheHive.
- Find all cases in TheHive tagged with ransomware from the past week.
- Delete the duplicate alert in TheHive and consolidate findings into one case.
TheHive MCP connector tools
The TheHive MCP connector provides the following tools. Each tool maps to a specific action you can invoke from your AI agent or automation.
| Tool | Description |
|---|---|
| listAlerts | Retrieves a list of all alerts in the system. |
| createAlert | Creates a new alert with specified details and attributes. |
| getAlert | Retrieves detailed information about a specific alert. |
| updateAlert | Modifies an existing alert's properties or status. |
| deleteAlert | Removes an alert from the system. |
| promoteAlertToCase | Converts an alert into a new case for investigation. |
| listCases | Retrieves a list of all cases in the system. |
| createCase | Creates a new case with specified details and attributes. |
| getCase | Retrieves detailed information about a specific case. |
| updateCase | Modifies an existing case's properties or status. |
| deleteCase | Removes a case from the system. |
| listCaseComments | Retrieves all comments associated with a specific case. |
| createCaseComment | Adds a new comment to a case. |
| updateComment | Modifies the content or properties of an existing comment. |
| deleteComment | Removes a comment from a case. |
| listCaseObservables | Retrieves all observables linked to a specific case. |
| createCaseObservable | Adds a new observable to a case. |
| getObservable | Retrieves detailed information about a specific observable. |
| updateObservable | Modifies an existing observable's properties or data. |
| deleteObservable | Removes an observable from a case. |
| listCaseTasks | Retrieves all tasks associated with a specific case. |
| createCaseTask | Creates a new task within a case. |
| getTask | Retrieves detailed information about a specific task. |
| updateTask | Modifies an existing task's properties or status. |
| deleteTask | Removes a task from a case. |
| listTaskLogs | Retrieves all logs associated with a specific task. |
| createTaskLog | Creates a new log entry for a task. |
| updateTaskLog | Modifies an existing task log entry. |
| deleteTaskLog | Removes a log entry from a task. |
| executeQuery | Executes a search or query against case data. |
| listCasePages | Retrieves all pages associated with a specific case. |
| createCasePage | Creates a new page within a case. |
| getPage | Retrieves detailed information about a specific page. |
| updatePage | Modifies an existing page's content or properties. |
| deletePage | Removes a page from a case. |