
Cortex XSIAM MCP. Manage incidents and contain endpoints from your AI agent.

Claude, ChatGPT, Cursor, Gemini, Windsurf, VS Code, JetBrains, Vercel

Works with every AI agent you already use

…and any MCP-compatible client


Just plug in your AI agents and start using Vinkius.

Cortex XSIAM MCP Server connects your AI client to Cortex XSIAM. It lets you run security playbooks, get alerts, list endpoints, and hunt for threats directly through natural conversation.

You can isolate compromised hosts or execute custom queries without leaving your chat window. It's your AI agent's hands-on SOC console.

What your AI agents can do

Execute playbook

Runs a pre-built, automated response playbook in Cortex XSIAM.

Get alerts

Lists all security alerts detected by Cortex XSIAM.

Get endpoints

Lists all managed hosts and devices in Cortex XSIAM.

Review Security Incidents

List all security incidents or get deep context on a single incident using get_incidents and get_incident_details.

Manage Endpoints

List managed hosts with get_endpoints or trigger a malware scan (scan_endpoint) and network isolation (isolate_endpoint) on specific assets.

Execute Threat Queries

Run complex, custom queries using run_xql_query to correlate indicators, logs, and endpoint data.

Respond to Threats

Execute automated playbooks with execute_playbook or manually isolate a host using isolate_endpoint.

Gather Intelligence

Check known malicious artifacts or suspicious IPs using get_indicators.


Cortex XSIAM MCP Server: 9 Tools for Incident Response

Orchestrate security workflows, run threat hunts, and manage assets by calling these nine specific tools from your AI agent.

  • execute_playbook: Runs a pre-built, automated response playbook in Cortex XSIAM.
  • get_alerts: Lists all security alerts detected by Cortex XSIAM.
  • get_endpoints: Lists all managed hosts and devices in Cortex XSIAM.
  • get_incident_details: Gets detailed information about a specific security incident using its ID.
  • get_incidents: Lists all security incidents in Cortex XSIAM.
  • get_indicators: Lists known Indicators of Compromise (IOCs) tracked in Cortex XSIAM.
  • isolate_endpoint: Immediately disconnects a specified endpoint from the network.
  • run_xql_query: Runs a custom Cortex Query Language (XQL) query for advanced threat hunting.
  • scan_endpoint: Triggers a malware scan on a specific endpoint.

Choose How to Get Started

Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.

Build Your Own

Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.

  • Import from OpenAPI, Swagger, or YAML specs
  • Create Agent Skills with progressive disclosure
  • Deploy to edge with MCPFusion framework
  • Built-in DLP, auth, and compliance on every call
  • Real-time usage dashboard and cost metering
  • Publish to catalog or keep private

Make Your AI Do More

Start with Cortex XSIAM, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.

  • Use this MCP plus 4,700+ others, all in one place
  • Add new capabilities to your AI anytime you want
  • Every connection is secured and compliant automatically
  • Track usage and costs across all your servers
  • Works with Claude, ChatGPT, Cursor, and more
  • New servers added to the catalog every week

What you can do with this MCP connector

This server hands your AI agent the whole damn console for Cortex XSIAM. You're done clicking through a dozen dashboards just to get intel or take action. Your agent uses specific tools to pull data and make moves right from the chat. You'll automate incident response playbooks, check threat intel, and manage every endpoint without leaving your chat.

To review security incidents, your agent can list all current security incidents using get_incidents, or dig deep into one specific event with get_incident_details.

To manage endpoints, you can list all managed hosts and devices using get_endpoints. You can also kick off a malware scan on a specific asset with scan_endpoint, or immediately disconnect a compromised host from the network using isolate_endpoint.

When you need to execute threat queries, your agent runs complex, custom queries using run_xql_query to correlate indicators, logs, and endpoint data.

To respond to threats, you can kick off an automated incident response playbook with execute_playbook or manually isolate a host using isolate_endpoint.

To gather intelligence, check known malicious artifacts or suspicious IPs by listing indicators with get_indicators. You can also review all security alerts detected by Cortex XSIAM by calling get_alerts.

How Cortex XSIAM MCP Works

  1. Start by calling get_alerts or get_incidents to define the scope of the issue.
  2. Next, use get_endpoints to map the assets involved, and then run run_xql_query to correlate indicators against those specific hosts.
  3. Finally, if confirmed, execute isolate_endpoint or execute_playbook to contain the threat.

The bottom line is: you automate the entire investigation and response process, turning manual dashboard clicks into simple, actionable agent commands.
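The three-step flow above, worked through as an added example (this is not Vinkius's code or a Palo Alto Networks SDK): a small Python orchestration that calls the page's tool names through a constructed in-memory stand-in for an MCP session, and gates isolate_endpoint behind incident severity, incident scope and a dry-run default so a destructive tool call only happens after confirmation. The tool argument names (`incident_id`, `endpoint_id`, `query`), the sample incident and endpoint data, and the XQL string are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data standing in for get_incidents / get_endpoints results.
# Field names (incident_id, severity, hosts, endpoint_id, query) are assumptions.
SAMPLE_INCIDENTS = [
    {"incident_id": "INC-1", "severity": "high", "hosts": ["ep-101", "ep-102", "ep-999"]},
    {"incident_id": "INC-2", "severity": "low", "hosts": ["ep-200"]},
]
SAMPLE_ENDPOINTS = {"ep-101": "connected", "ep-102": "connected", "ep-200": "connected"}
SAMPLE_XQL_HITS = {"ep-101", "ep-200"}  # hosts where the simulated XQL correlation finds a known-bad IOC
CONTAIN_SEVERITIES = {"high", "critical"}  # policy: only these severities may be auto-contained


@dataclass
class Session:
    """Stand-in for an MCP client session; every tools/call is recorded for audit."""
    isolated: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def call_tool(self, name, **args):
        self.audit.append((name, args))
        if name == "get_incidents":
            return SAMPLE_INCIDENTS
        if name == "get_endpoints":
            return SAMPLE_ENDPOINTS
        if name == "run_xql_query":  # simulated: returns hits among the endpoint IDs named in the query
            return [h for h in re.findall(r"ep-\d+", args["query"]) if h in SAMPLE_XQL_HITS]
        if name == "isolate_endpoint":
            self.isolated.append(args["endpoint_id"])
            return {"status": "isolated"}
        raise ValueError(f"unknown tool {name}")


def triage_and_contain(session, dry_run=True):
    """Steps 1-3 from the page: scope, map assets, correlate, then contain only on confirmation."""
    actions = []
    incidents = session.call_tool("get_incidents")
    endpoints = session.call_tool("get_endpoints")
    for inc in incidents:
        if inc["severity"] not in CONTAIN_SEVERITIES:
            continue  # policy gate: low-severity incidents never reach isolate_endpoint
        scope = [h for h in inc["hosts"] if h in endpoints]  # only managed assets are actionable
        ids = ", ".join(f'"{h}"' for h in scope)
        query = f"dataset = xdr_data | filter agent_id in ({ids})"  # illustrative XQL, an assumption
        for host in session.call_tool("run_xql_query", query=query):
            if host not in scope:
                continue  # defence in depth: never act outside the incident's own scope
            if dry_run:
                actions.append(("would_isolate", inc["incident_id"], host))
            else:
                session.call_tool("isolate_endpoint", endpoint_id=host)
                actions.append(("isolated", inc["incident_id"], host))
    return actions
```

Keeping `dry_run=True` as the default means the agent reports what it would isolate and a human flips the switch; the `audit` list is what you would ship to your SIEM so every containment call is attributable.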

Who Is Cortex XSIAM MCP For?

The SOC analyst who wakes up at 2 AM needing to triage a high-severity alert across dozens of machines. You're tired of clicking through dashboards, switching tabs, and manually copy-pasting data into spreadsheets. This lets you run complex investigation steps and containment actions—all from your chat agent.

Security Operations Center (SOC) Analyst

Uses get_alerts and get_incidents to define the scope, then uses get_incident_details to gather context before running run_xql_query against the evidence.

Incident Responder

Focuses on containment, using isolate_endpoint and execute_playbook immediately upon confirming a threat to limit damage.

Threat Hunter

Runs custom run_xql_query searches across all endpoints and logs to find threats that don't trigger standard alerts.

What Changes When You Connect

  • Contain damage fast. Use isolate_endpoint to cut off a compromised host immediately. This prevents lateral movement and keeps the threat contained until the team can properly clean it.
  • Speed up response. Instead of manually running steps, execute_playbook runs a full, automated playbook, ensuring every required step—like enriching IOCs or resetting a password—happens consistently.
  • Full visibility. Use get_incidents and get_alerts to list all active events. You see the full queue and the raw detection rules firing, giving you a clear picture of the current threat landscape.
  • Deep investigation. When an alert hits, use get_incident_details to pull all context for that specific incident. You get the full timeline and related data without switching tabs.
  • Advanced hunting. Don't just react. Use run_xql_query to write custom searches across logs and endpoints, finding subtle threats that standard alerts miss.
  • Asset mapping. Use get_endpoints to get a complete list of every managed device. This is critical for defining the full scope of any investigation.

Real-World Use Cases

1. Triage an Unknown Outbreak

An alert hits about weird network activity. You ask your agent to check the situation. The agent first runs get_incidents to see the scope, then get_endpoints to list all involved hosts. Finally, it runs run_xql_query to check for known bad indicators against all those endpoints. You confirm the threat source and know exactly where to apply isolate_endpoint.

2. Investigating a Suspicious File

You receive an alert about a weird file hash. You ask your agent to check it. It uses get_indicators to see if the hash is known bad. If it is, the agent pulls up get_incident_details to see how it entered the network, and then runs scan_endpoint on the suspected machine.

3. Handling a Ransomware Event

Ransomware is detected on a critical server. You tell your agent to contain it. The agent immediately uses isolate_endpoint on the machine, then runs execute_playbook to run the official response playbook, which handles everything from blocking IPs to resetting credentials.

4. Compliance Audit Prep

You need to prove coverage for an audit. You ask your agent to list all managed assets. The agent runs get_endpoints to confirm every device is tracked, and then uses run_xql_query to pull logs proving compliance for a specific time range.

The Tradeoffs

Manual Dashboard Jumping

Opening the alerts dashboard, copying an IP address, switching to the indicators page, pasting the IP, then going to the endpoints page to check that IP's status. This takes 10 minutes and involves 5 different tabs.

Ask your agent to run get_alerts first. Then, chain the results into get_indicators and finally use run_xql_query to correlate the data. Keep it in one conversation.

Over-relying on GUI Filters

Using the web UI's date range picker and trying to manually filter out false positives. You miss the root cause because the UI doesn't allow complex joins between asset data and alert logs.

Use run_xql_query with specific XQL syntax. This lets you build complex, multi-source queries that correlate indicators, endpoints, and logs in a single, powerful query.

Ignoring Containment Steps

Seeing an alert and just writing 'Investigate this.' You waste time gathering context when you should be acting immediately to prevent further damage.

First, use get_incident_details to confirm the severity. If it's high, immediately run isolate_endpoint on the target host before doing anything else. Contain first, investigate second.

When It Fits, When It Doesn't

Use this if your goal is structured, actionable response: You need to move beyond reading reports and actually do something—like isolating a host or running a playbook. The server is perfect for Incident Responders and Threat Hunters who need to chain multiple actions (e.g., get_alerts -> get_incident_details -> run_xql_query).

Don't use this if you just need a simple view: If you only need a list of assets, a simple asset management tool might suffice. If you only need to view historical logs, a pure SIEM dashboard might be enough. The strength here is the ability to connect the 'what happened' (alerts/incidents) to the 'who/what is affected' (endpoints/indicators) and then immediately execute the 'fix' (isolate_endpoint/execute_playbook).

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Cortex XSIAM. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

VINKIUS INFRASTRUCTURE

  • Cloud Hosted: managed infra
  • V8 Isolated: sandboxed per request
  • Zero-Trust Proxy: no stored credentials
  • DLP Enforced: policy on every call
  • GDPR Compliant: EU data residency
  • Token Compression: ~60% cost reduction

Works with Claude, ChatGPT, Cursor, and more

The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.

This server provides 9 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.

Available Capabilities

execute_playbook, get_alerts, get_endpoints, get_incident_details, get_incidents, get_indicators, isolate_endpoint, run_xql_query, scan_endpoint

Triage shouldn't involve jumping between five different dashboards.

Today, when a critical alert drops, you open the dashboard. You copy the IP address into a text file. You jump to the threat intelligence page, paste the IP, and wait. Then you switch to the asset management section, search for that IP, and cross-reference the data. You spend 15 minutes just gathering context.

With the Cortex XSIAM MCP Server, you just tell your agent to check the alert. It automatically runs the necessary checks: it pulls the incident details, cross-references the IP using `get_indicators`, and lists the affected assets using `get_endpoints`. You get the full context, instantly.

Cortex XSIAM MCP Server: Run incident playbooks and queries.

The manual process for response is a nightmare: you check the alert, decide on a mitigation, then run the blocking script in one tool, and then manually update the status in another. It's slow, and every step requires manual input.

Now, you ask your agent to run the playbook. It executes `execute_playbook`—the entire, vetted response workflow happens in one go. You get the result, and you're done. No manual steps, no errors.

Common Questions About Cortex XSIAM MCP

How do I use `run_xql_query` with Cortex XSIAM MCP Server?

You provide the agent with the valid XQL query string. The server executes it and returns the structured results, allowing you to hunt for threats across logs, endpoints, and network data.

Can I use `isolate_endpoint` multiple times with Cortex XSIAM MCP Server?

Yes. You must provide the specific endpoint ID for each isolation command. This lets you systematically contain multiple compromised hosts one by one.

What is the difference between `get_alerts` and `get_incidents`?

Alerts (get_alerts) are raw detections when a rule fires. Incidents (get_incidents) are grouped, curated events that analysts have already reviewed and assigned severity to.

Do I need to manually run `get_indicators` before using `run_xql_query`?

No. You can feed indicators directly into the XQL query string within run_xql_query. The agent handles the correlation for you.

Does `execute_playbook` handle all remediation steps?

The playbook definition handles the steps. It executes a pre-defined workflow, which might include blocking IPs, resetting passwords, and enriching IOCs. You just trigger it.

How do I use `get_endpoints` to check host status for an investigation?

It lists all managed endpoints (hosts/devices) in Cortex XSIAM. You can then select a specific endpoint ID to check its status, or use scan_endpoint to trigger a targeted scan.

What should I do if `execute_playbook` fails or returns an error?

The tool provides specific error codes and failure reasons. You should check the playbook logs using the returned data to determine if the failure was due to bad input or a system issue.

Does `get_incident_details` require me to know the incident ID beforehand?

Yes, it requires the incident ID. You must provide this ID to get detailed information about a specific security incident.


Built and managed by Vinkius: 30-second setup, 9 tools

We've already built the connector for Cortex XSIAM. Just plug in your AI agents and start using Vinkius.

No hosting. No infrastructure. No complex setup.
All 9 tools are live and waiting. You're up and running in seconds.


Vinkius gives your AI agents access to the full catalog of app connectors, all fully managed, secure, and enterprise-ready. One subscription, every tool you need.

Zero hosting required. Full MCP catalog included. Enterprise-grade security. Auto-updated by Vinkius.

Built, hosted, and secured by Vinkius. You just connect and go.