thehive-cortex-mcp

v1.2.0

MCP server for Cortex observable analysis and response engine

cortex-mcp

An MCP (Model Context Protocol) server for Cortex by StrangeBee/TheHive Project. Cortex automates observable analysis (IPs, URLs, hashes, domains, emails, files) using analyzers and executes response actions via responders. This MCP server exposes Cortex's full analysis and administration pipeline to LLMs.

Features

  • 31 MCP tools covering the complete Cortex API surface
  • 4 MCP resources for browsing Cortex state
  • 4 MCP prompts with guided workflows (setup, investigation, triage)
  • Full analyzer/responder lifecycle: browse definitions, enable, configure, disable
  • Auto-detection of observable data types (IP, domain, hash, URL, email)
  • Bulk analysis across all applicable analyzers with taxonomy aggregation
  • Job cleanup with dry-run support
  • User API key management (create, renew, retrieve)
  • Organization CRUD with status management
  • Dual API key support: org-level operations + superadmin administration

Prerequisites

  • Node.js 20 or later
  • A running Cortex instance (v3.x recommended)
  • A Cortex API key with appropriate permissions

Installation

git clone https://github.com/solomonneas/cortex-mcp.git
cd cortex-mcp
npm install
npm run build

Configuration

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| CORTEX_URL | Yes | - | Cortex base URL (e.g., http://cortex.example.com:9001) |
| CORTEX_API_KEY | Yes | - | API key for normal operations (org admin level) |
| CORTEX_SUPERADMIN_KEY | No | - | Superadmin API key for org/user/definition management |
| CORTEX_VERIFY_SSL | No | true | Set to false to skip SSL verification |
| CORTEX_TIMEOUT | No | 30 | Request timeout in seconds |
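
A preflight check for the variables in the table above, as an added example (not cortex-mcp's own config.ts). `auditCortexEnv`, the `Finding` shape and both sample environments are hypothetical; the hardened sample assumes Cortex is reachable over HTTPS.

```typescript
type Finding = { level: "error" | "warn"; variable: string; message: string };

// Hypothetical helper, not part of cortex-mcp: audits the documented variables
// before the MCP server is handed to an LLM client.
function auditCortexEnv(env: Record<string, string | undefined>): Finding[] {
  const findings: Finding[] = [];
  const add = (level: Finding["level"], variable: string, message: string) =>
    findings.push({ level, variable, message });

  // Required base URL; plain HTTP to a non-loopback host exposes the API key in transit.
  const m = /^(https?):\/\/([^\/:?#]+)/i.exec(env.CORTEX_URL ?? "");
  if (!m) add("error", "CORTEX_URL", "missing or not an http(s) URL");
  else if (m[1].toLowerCase() === "http" && !/^(localhost|127\.0\.0\.1)$/i.test(m[2]))
    add("warn", "CORTEX_URL", "plain HTTP carries the API key unencrypted");

  if (!env.CORTEX_API_KEY) add("error", "CORTEX_API_KEY", "required");

  // Least privilege: the superadmin key is optional and covers org/user/key management.
  if (env.CORTEX_SUPERADMIN_KEY)
    add("warn", "CORTEX_SUPERADMIN_KEY", "set; omit unless org/user management is needed");

  if ((env.CORTEX_VERIFY_SSL ?? "true").toLowerCase() === "false")
    add("warn", "CORTEX_VERIFY_SSL", "certificate verification is disabled");

  const timeout = Number(env.CORTEX_TIMEOUT ?? "30");
  if (!(timeout > 0)) add("error", "CORTEX_TIMEOUT", "must be a positive number of seconds");
  return findings;
}

// Constructed sample: the same values as the Claude Desktop env block on this page.
const weakEnv = {
  CORTEX_URL: "http://cortex.example.com:9001",
  CORTEX_API_KEY: "your-org-admin-key",
  CORTEX_SUPERADMIN_KEY: "your-superadmin-key",
};

// Constructed sample: HTTPS endpoint, org-level key only, defaults for the rest.
const hardenedEnv = {
  CORTEX_URL: "https://cortex.example.com:9001",
  CORTEX_API_KEY: "your-org-admin-key",
};
```
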

Usage

With Claude Desktop

{
  "mcpServers": {
    "cortex": {
      "command": "node",
      "args": ["/path/to/cortex-mcp/dist/index.js"],
      "env": {
        "CORTEX_URL": "http://cortex.example.com:9001",
        "CORTEX_API_KEY": "your-org-admin-key",
        "CORTEX_SUPERADMIN_KEY": "your-superadmin-key"
      }
    }
  }
}

OpenClaw

Add to your openclaw.json:

{
  "mcp": {
    "servers": {
      "cortex": {
        "type": "stdio",
        "command": "node",
        "args": ["/path/to/cortex-mcp/dist/index.js"],
        "env": {
          "CORTEX_URL": "http://your-cortex:9001",
          "CORTEX_API_KEY": "your-api-key"
        }
      }
    }
  }
}

Standalone

export CORTEX_URL=http://cortex.example.com:9001
export CORTEX_API_KEY=your-org-admin-key
npm start

MCP Tools (31)

Status

| Tool | Description |
|------|-------------|
| cortex_get_status | Get Cortex instance health, version, and configuration |

Analyzer Tools

| Tool | Description |
|------|-------------|
| cortex_list_analyzers | List all enabled analyzers, optionally filtered by data type |
| cortex_get_analyzer | Get details about a specific analyzer by ID |
| cortex_run_analyzer | Submit an observable to a specific analyzer for analysis |
| cortex_run_analyzer_by_name | Run an analyzer by name instead of ID (convenience wrapper) |
| cortex_run_analyzer_file | Submit a file (from path or base64) to an analyzer for analysis |

Analyzer Definition Tools

| Tool | Description |
|------|-------------|
| cortex_list_analyzer_definitions | Browse all 260+ available analyzer definitions with filtering (by data type, free/no-config, search) |
| cortex_enable_analyzer | Enable an analyzer definition in the current org with configuration |
| cortex_disable_analyzer | Disable (remove) an enabled analyzer |

Job Tools

| Tool | Description |
|------|-------------|
| cortex_get_job | Get the status and details of an analysis job |
| cortex_get_job_report | Get the full report of a completed analysis job |
| cortex_wait_and_get_report | Wait for a job to complete and return the report |
| cortex_list_jobs | List recent analysis jobs with optional filters |
| cortex_get_job_artifacts | Get artifacts (extracted IOCs) from a completed job |
| cortex_delete_job | Delete a specific job |
| cortex_cleanup_jobs | Bulk delete jobs by status or age (with dry-run) |

Responder Tools

| Tool | Description |
|------|-------------|
| cortex_list_responders | List all enabled responders, optionally filtered by data type |
| cortex_run_responder | Execute a responder action against a TheHive entity |

Responder Definition Tools

| Tool | Description |
|------|-------------|
| cortex_list_responder_definitions | Browse all 137+ available responder definitions with filtering |
| cortex_enable_responder | Enable a responder definition with configuration |
| cortex_disable_responder | Disable (remove) an enabled responder |

Bulk Operations

| Tool | Description |
|------|-------------|
| cortex_analyze_observable | Run ALL applicable analyzers with auto-detected data type and aggregated taxonomy results |

Organization Management (superadmin)

| Tool | Description |
|------|-------------|
| cortex_list_organizations | List all organizations |
| cortex_get_organization | Get organization details |
| cortex_create_organization | Create a new organization |
| cortex_update_organization | Update organization description or status |

User Management (superadmin)

| Tool | Description |
|------|-------------|
| cortex_list_users | List all users across organizations |
| cortex_get_user | Get user details |
| cortex_create_user | Create a new user in an organization |
| cortex_renew_user_key | Generate a new API key for a user (invalidates previous) |
| cortex_get_user_key | Retrieve a user's current API key |

MCP Resources (4)

| URI | Description |
|-----|-------------|
| cortex://analyzers | Enabled analyzers with capabilities |
| cortex://analyzer-definitions | All 260+ available analyzer definitions with config requirements |
| cortex://responder-definitions | All 137+ available responder definitions with config requirements |
| cortex://jobs/recent | Last 50 analysis jobs |

MCP Prompts (4)

| Prompt | Description |
|--------|-------------|
| analyze-observable | Guided workflow for analyzing an observable through Cortex |
| investigate-ioc | Deep investigation workflow for a suspicious IOC |
| setup-cortex | Guided setup wizard for fresh Cortex instances (enable free analyzers, configure API keys) |
| triage-alert | Structured alert triage workflow with multi-observable analysis and risk assessment |

Examples

Set up analyzers from scratch

1. Use cortex_list_analyzer_definitions with freeOnly=true to find analyzers
   that need no API keys.
2. Use cortex_enable_analyzer to enable "Abuse_Finder_3_0" with empty config.
3. Use cortex_analyze_observable with data "8.8.8.8" to analyze the IP.

Auto-detect observable type

Use cortex_analyze_observable with data "185.220.101.42"
(no dataType needed - auto-detects as IP)

Clean up old failed jobs

Use cortex_cleanup_jobs with status "Failure", dryRun true to preview,
then dryRun false to delete.

Analyze a file

Use cortex_run_analyzer_file with analyzerId "Yara_3_0",
filePath "/tmp/suspicious.exe" to scan with YARA rules.

Manage API keys

Use cortex_renew_user_key with userId "analyst1" to rotate their API key.

Triage a security alert

Use the triage-alert prompt with alertDescription "Suspicious outbound traffic
detected" and observables "185.220.101.42, evil.example.com, 44d88612fea8a8f36de82e1278abb02f"

Supported Data Types

| Type | Examples | Auto-detected |
|------|----------|---------------|
| ip | 8.8.8.8, 2001:db8::1 | ✅ |
| domain | example.com | ✅ |
| url | https://malware.example.com/payload | ✅ |
| hash | MD5, SHA1, SHA256, SHA512 | ✅ |
| mail | [email protected] | ✅ |
| fqdn | mail.example.com | As domain |
| filename | malware.exe | Manual |
| registry | HKLM\Software\Malware | Manual |
| file | Binary file uploads | Manual |
| other | CVEs, custom types | Manual |
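
One way the auto-detected rows of the table above could be classified, as an added example that is not cortex-mcp's own detection code. `detectDataType` and its rules are assumptions; it also shows why a value like malware.exe needs a manual dataType, since by shape alone it is indistinguishable from a domain.

```typescript
type DataType = "ip" | "domain" | "url" | "hash" | "mail";

const HASH_LENGTHS = [32, 40, 64, 128]; // hex lengths of MD5, SHA1, SHA256, SHA512

function isIPv4(s: string): boolean {
  const parts = s.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function isIPv6(s: string): boolean {
  const halves = s.split("::"); // "::" may compress zero groups at most once
  if (halves.length > 2) return false;
  const groups: string[] = [];
  for (const h of halves) if (h !== "") groups.push(...h.split(":"));
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return false;
  return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

// Dot-separated labels ending in an alphabetic TLD, 253 characters at most.
const DOMAIN = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Hypothetical classifier; returns null when the caller must pass dataType manually.
function detectDataType(raw: string): DataType | null {
  const v = raw.trim();
  if (/^[a-z][a-z0-9+.-]*:\/\/\S+$/i.test(v)) return "url";
  const at = v.lastIndexOf("@");
  if (at > 0 && !/\s/.test(v) && DOMAIN.test(v.slice(at + 1))) return "mail";
  if (/^[0-9a-f]+$/i.test(v) && HASH_LENGTHS.indexOf(v.length) !== -1) return "hash";
  if (isIPv4(v) || isIPv6(v)) return "ip"; // checked before domain: "8.8.8.8" has dots too
  if (DOMAIN.test(v)) return "domain";
  return null;
}

// Sample inputs: values from this page's examples plus one constructed mail address.
const SAMPLES = [
  "185.220.101.42", "2001:db8::1", "evil.example.com",
  "44d88612fea8a8f36de82e1278abb02f", "https://malware.example.com/payload",
  "analyst@example.com", "malware.exe", "HKLM\\Software\\Malware",
];

// Pairs each sample with its detected type for review before submitting to Cortex.
function classifySamples(): Array<[string, DataType | null]> {
  return SAMPLES.map((s): [string, DataType | null] => [s, detectDataType(s)]);
}
```
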

Testing

npm test              # Unit tests (36 tests)
npm run test:watch    # Watch mode
npm run lint          # Type check

# Integration tests (requires live Cortex instance)
CORTEX_URL=http://cortex:9001 \
CORTEX_API_KEY=your-key \
CORTEX_SUPERADMIN_KEY=your-superadmin-key \
npx vitest run tests/integration.test.ts

Project Structure

cortex-mcp/
  src/
    index.ts                  # MCP server entry point
    config.ts                 # Environment config + validation
    client.ts                 # Cortex REST API client (full surface)
    types.ts                  # Cortex API type definitions
    resources.ts              # MCP resources (4)
    prompts.ts                # MCP prompts (2)
    tools/
      analyzers.ts            # Analyzer tools (list, get, run, run-by-name)
      analyzer-definitions.ts # Definition browsing, enable, disable
      jobs.ts                 # Job management + cleanup
      responders.ts           # Responder tools (list, run)
      responder-definitions.ts # Definition browsing, enable, disable
      bulk.ts                 # Bulk analysis with auto-detect
      status.ts               # Health/version check
      organizations.ts        # Org CRUD (superadmin)
      users.ts                # User CRUD + key management (superadmin)
  tests/
    client.test.ts            # API client unit tests
    tools.test.ts             # Tool handler unit tests
    integration.test.ts       # Live instance integration tests (21 tests)
  scripts/
    proxmox_install.sh        # Proxmox LXC deployment script

Deployment

Proxmox LXC

bash -c "$(wget -qLO - https://raw.githubusercontent.com/solomonneas/cortex-mcp/main/scripts/proxmox_install.sh)"

License

MIT