How to Use the Cortex XSIAM MCP in Claude

Q: How do I configure the Cortex XSIAM server in Claude Desktop?

Open your local claudedesktopconfig.json file and add the server configuration under the mcpServers key. Once you save and restart the app, the security tools will appear under the hammer icon.

Q: Can Claude Desktop run automated response playbooks?

Yes, the agent uses the executeplaybook tool to run existing playbooks directly from your chat window. You just need to provide the playbook name and any required arguments.

Q: How does the agent handle endpoint lookup?

It invokes getendpoints to retrieve a list of managed hosts and check their connection status. This lets you quickly pinpoint offline or unmanaged machines.

Investigate threat alerts and contain compromised hosts right inside Claude Desktop using direct Cortex XSIAM queries.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Cortex XSIAM MCP to Claude Desktop

Create your Vinkius account to connect Cortex XSIAM to Claude Desktop and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Cortex XSIAM with Claude Desktop

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Fast Incident Triage in Claude Desktop

This MCP Server connects your chat interface directly to your SOC queue so you can triage incidents without switching tabs. Your agent calls `get_incidents` to grab the latest high-severity issues, then pulls deep forensics with `get_incident_details` when you ask about a specific threat. You get immediate context on active threats during your morning review. Instead of digging through the web console, the agent parses raw JSON payloads into a clean timeline.

Direct Network Isolation via the MCP Server

Network containment tools like `isolate_endpoint` run directly from your chat bar when an active breach occurs. If your agent identifies a compromised machine during an investigation, you can immediately cut off its network access to stop lateral movement. Clean-up actions are just as straightforward to trigger. You can run malware checks using `scan_endpoint` or kick off automated remediation workflows with `execute_playbook` to reset passwords or block malicious IPs instantly.

Run XQL Queries via the MCP Server

Advanced threat hunting requires deep log analysis, which this MCP Server handles by exposing the `run_xql_query` tool to your agent. Your agent writes complex queries to search network logs, endpoint events, and system databases based on your natural language requests. Cross-referencing these custom logs with threat intelligence is simple. The agent pulls active indicator feeds using `get_indicators` to verify if the external IPs found in your XQL results are known malicious actors.

Setup guide

Set up Cortex XSIAM MCP in Claude Web or Desktop

1

Open Claude Settings

Go to claude.ai, click your profile icon, then navigate to Customize → Connectors.
2

Add Custom Connector

Click the "+" button and select Add custom connector. Paste your Vinkius endpoint URL: https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. For OAuth-protected servers, expand Advanced settings to add credentials.
3

Start a conversation

Open a new chat. The Cortex XSIAM MCP tools are available immediately — no restart needed.

Endpoint URL

https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

No configuration file needed — paste the URL directly in the Claude web interface.

Available on Free (1 connector), Pro, Max, Team, and Enterprise plans.

Prerequisites

Claude Desktop installed (macOS or Windows)
Active Vinkius subscription with a valid endpoint token

1

Open Claude Desktop Settings

Click the menu icon at the top-left corner, go to Settings → Developer → Edit Config. This opens claude_desktop_config.json in your default text editor.
2

Paste the Cortex XSIAM MCP configuration

Copy the JSON snippet on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Desktop

Close and reopen the application. Claude needs a full restart to load new MCPs — refreshing a conversation is not enough.
4

Verify the connection

Open a new conversation. Click the 🔌 icon at the bottom of the message input. You should see tools listed under cortex-xsiam-mcp.

json

{
  "mcpServers": {
    "cortex-xsiam-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Cortex XSIAM. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Cortex XSIAM now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Cortex XSIAM MCP in Claude Desktop

Open your local claude_desktop_config.json file and add the server configuration under the mcpServers key. Once you save and restart the app, the security tools will appear under the hammer icon.

Yes, the agent uses the `execute_playbook` tool to run existing playbooks directly from your chat window. You just need to provide the playbook name and any required arguments.

You can connect this server to the claude.ai web interface by adding it as a custom connector in your integration settings. This allows you to query security alerts from any browser without running a local MCP node.

It invokes `get_endpoints` to retrieve a list of managed hosts and check their connection status. This lets you quickly pinpoint offline or unmanaged machines.

Your raw security logs, endpoint details, and incident payloads remain inside your local environment or secure tenant. Vinkius runs the MCP Server in an isolated sandbox, meaning your API tokens and query results are never stored or read by third parties.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript