TheHive FastMCP

by Hoopshaker

Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
|------|----------|-------------|---------|
| THEHIVE_ORG | No | Name of the target organisation (adds the X-Organisation header). | |
| THEHIVE_URL | Yes | Base URL of your TheHive instance (e.g. https://thehive.votre-domaine.com). | |
| THEHIVE_API_KEY | Yes | API key of the user (Bearer token). | |
| THEHIVE_VERIFY_SSL | No | Enable or disable SSL certificate verification. Useful in self-hosted environments. | true |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
|------------|---------|
| tools | { "listChanged": false } |
| prompts | { "listChanged": false } |
| resources | { "subscribe": false, "listChanged": false } |
| experimental | {} |

Tools

Functions exposed to the LLM to take actions

Name | Description

get_case (B)

Get detailed information about a specific case by its ID or case number.

Args: id_or_name (str): The unique ID of the case (starts with '~') or the case number.

create_case (A)

Create a new empty security incident Case in TheHive.

Args:
    title (str): Title of the case.
    description (str): Detailed markdown-supported description of the case.
    severity (int): Severity level: 1 (Low), 2 (Medium), 3 (High), 4 (Critical). Default is 2.
    tags (List[str], optional): List of tags to categorize the case.
    tlp (int): Traffic Light Protocol level: 0 (White), 1 (Green), 2 (Amber), 3 (Amber+Strict), 4 (Red). Default is 2.
    pap (int): Permissible Action Protocol level: 0 (White), 1 (Green), 2 (Amber), 3 (Red). Default is 2.
    flag (bool): Mark the case as flagged/starred. Default is False.

search_cases (A)

Search for Cases in TheHive with advanced filtering capabilities.

Args:
    title (str, optional): Substring match on the Case title.
    severity (int, optional): Filter by exact severity level (1 to 4).
    tags (List[str], optional): Filter by tags (requires all tags to match).
    status (str, optional): Filter by status (e.g. 'Open', 'Resolved').
    sort (str, optional): Field to sort by. Use '-' prefix for descending (e.g., '-_createdAt' or '-_updatedAt').
    created_after (str, optional): Filter cases created after this date (ISO 8601 or timestamp in ms).
    created_before (str, optional): Filter cases created before this date (ISO 8601 or timestamp in ms).
    limit (int): Maximum number of cases to return. Default is 10.

get_alert (A)

Get detailed information about a specific alert by its ID.

Args: alert_id (str): The unique ID of the alert.

create_alert (A)

Create a new Alert in TheHive. Alerts represent potential incidents fetched from SIEMs, emails, etc.

Args:
    type_name (str): Type of the alert (e.g., 'SIEM', 'Phishing', 'EDR').
    source (str): Source/provider of the alert (e.g., 'Splunk', 'Wazuh').
    source_ref (str): Unique reference ID from the source system.
    title (str): Title of the alert.
    description (str): Detailed markdown-supported description.
    severity (int): Severity level: 1 (Low), 2 (Medium), 3 (High), 4 (Critical). Default is 2.
    tags (List[str], optional): List of tags to categorize the alert.
    tlp (int): Traffic Light Protocol level (0 to 4). Default is 2.
    pap (int): Permissible Action Protocol level (0 to 3). Default is 2.

search_alerts (A)

Search for Alerts in TheHive with advanced filtering.

Args:
    title (str, optional): Substring match on the Alert title.
    severity (int, optional): Filter by exact severity level (1 to 4).
    tags (List[str], optional): Filter by tags (requires all tags to match).
    status (str, optional): Filter by status (e.g. 'New', 'Imported', 'Ignored').
    sort (str, optional): Field to sort by. Use '-' prefix for descending (e.g., '-_createdAt' or '-_updatedAt').
    created_after (str, optional): Filter alerts created after this date (ISO 8601 or timestamp in ms).
    created_before (str, optional): Filter alerts created before this date (ISO 8601 or timestamp in ms).
    limit (int): Maximum number of alerts to return. Default is 10.

create_observable (A)

Add an Observable (IoC/Indicator of Compromise) to an existing Case.

Args:
    case_id (str): The unique ID of the target Case.
    data_type (str): Type of observable (e.g., 'ip', 'domain', 'hash', 'mail', 'url').
    data (str): The actual observable value (e.g. '192.168.1.1' or 'bad-domain.com').
    message (str, optional): A description or comment regarding this observable.
    tags (List[str], optional): List of tags to add to the observable.
    tlp (int): Traffic Light Protocol level (0 to 4). Default is 2.
    pap (int): Permissible Action Protocol level (0 to 3). Default is 2.
    ioc (bool): Whether to mark this observable as an active Indicator of Compromise. Default is False.

get_case_observables (A)

List all observables associated with a specific Case.

Args:
    case_id (str): The unique ID or name/number of the Case.
    sort (str, optional): Field to sort by. Use '-' prefix for descending (e.g., '-_createdAt' or '-_updatedAt').
    created_after (str, optional): Filter observables created after this date (ISO 8601 or timestamp in ms).
    created_before (str, optional): Filter observables created before this date (ISO 8601 or timestamp in ms).
    limit (int): Maximum number of observables to return. Default is 50.

create_task (B)

Create a new Task inside an existing Case for tracking investigation steps.

Args:
    case_id (str): The unique ID of the target Case.
    title (str): Title of the task.
    description (str, optional): Detailed explanation of the task.
    group (str, optional): Group category for the task.
    assignee (str, optional): Login/email of the user assigned to this task.

get_case_tasks (A)

List all tasks associated with a specific Case.

Args:
    case_id (str): The unique ID or name/number of the Case.
    sort (str, optional): Field to sort by. Use '-' prefix for descending (e.g., '-_createdAt' or '-_updatedAt').
    created_after (str, optional): Filter tasks created after this date (ISO 8601 or timestamp in ms).
    created_before (str, optional): Filter tasks created before this date (ISO 8601 or timestamp in ms).
    limit (int): Maximum number of tasks to return. Default is 50.

add_task_log (A)

Add a progress log entry (log note) to an existing Task.

Args:
    task_id (str): The unique ID of the Task.
    message (str): Log message (describing progress, results, or notes). Supports markdown.

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Hoopshaker/thehive-fastmcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.