How to Use the Cortex XSIAM MCP in Claude Code

Q: How do I run Cortex XSIAM playbooks from Claude Code?

You instruct the CLI to execute executeplaybook with your chosen playbook name and arguments. Claude Code triggers the automation and outputs the execution logs directly to your terminal.

Q: How do I add the Cortex XSIAM MCP Server to Claude Code?

Run claude mcp add --transport http cortex-xsiam -- in your terminal. This registers the server in your /.claude.json configuration file.

Pipe Cortex XSIAM security telemetry and XQL query results directly into your terminal with Claude Code.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Cortex XSIAM MCP to Claude Code

Create your Vinkius account to connect Cortex XSIAM to Claude Code and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Cortex XSIAM with Claude Code

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Execute raw XQL threat hunts from the command line

`run_xql_query` runs raw Cortex Query Language queries against your log repositories, returning raw security events directly to your shell. Claude Code lets you pipe these query results into standard Unix utilities like grep, jq, or awk for rapid parsing. You don't need a heavy browser interface to hunt for active threats. You type your search criteria in plain English, and the CLI translates it into a precise XQL query, executes it, and formats the output.

Triage incidents and isolate hosts via Claude Code

`get_incidents` lists active security incidents in your SOC queue, allowing you to filter by severity or analyst workload from your terminal. When you spot a critical compromise, you run `isolate_endpoint` through this MCP Server to instantly cut off the infected host. This terminal-first approach cuts down response times to seconds. You can query incident details using `get_incident_details` and trigger a cleanup scan with `scan_endpoint` using fast, sequential commands.

Audit indicators of compromise from your terminal

`get_indicators` pulls known-bad IPs, domains, and file hashes from your threat intelligence database. Claude Code uses this tool to check local server logs or deployment files against live threat feeds. You can script this audit to run as a pre-deployment check or a cron job. The MCP Server acts as a bridge, allowing your terminal agent to verify your infrastructure's safety before pushing code live.

Setup guide

Set up Cortex XSIAM MCP in Claude Code

Prerequisites

Claude Code CLI installed (npm install -g @anthropic-ai/claude-code)
Active Vinkius subscription with a valid endpoint token

1

Run the add command

Open your terminal and run the command shown on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com. Use --scope user to make it available across all projects.
2

Verify the connection

Start a Claude Code session and type /mcp to list connected servers. You should see cortex-xsiam-mcp with a green status indicator.
3

Start using tools

Ask Claude Code something like "Check my latest Cortex XSIAM transactions." It will automatically discover and invoke the available Cortex XSIAM tools.

Terminal

claude mcp add --transport http cortex-xsiam-mcp https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

Get your connection token →

Prerequisites

Claude Code CLI installed
Active Vinkius subscription with a valid endpoint token

1

Open the config file

Create or edit .mcp.json in your project root for project-level scope, or ~/.claude.json for user-level scope.
2

Add the Cortex XSIAM MCP

Paste the JSON snippet shown on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Code

Start a new Claude Code session. Type /mcp to confirm the server is connected. The tools will be automatically available in your conversation.

.mcp.json

{
  "mcpServers": {
    "cortex-xsiam-mcp": {
      "type": "url",
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Cortex XSIAM. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Cortex XSIAM now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Cortex XSIAM MCP in Claude Code

You instruct the CLI to execute `execute_playbook` with your chosen playbook name and arguments. Claude Code triggers the automation and outputs the execution logs directly to your terminal.

Yes. Because Claude Code is a headless CLI, you can script it to run `run_xql_query` and check for indicators of compromise during automated deployment stages.

Run `claude mcp add --transport http cortex-xsiam -- ` in your terminal. This registers the server in your `~/.claude.json` configuration file.

Yes. You can tell the CLI to loop through a list of host IDs from `get_endpoints` and trigger `scan_endpoint` on each one sequentially.

All API payloads, including XQL queries, indicator lists, and playbook parameters, run through a secure, isolated V8 sandbox. Your credentials and security data are never cached on external servers.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript