How to Use the Cortex XSIAM MCP in Cursor

Q: Can I run custom queries against Cortex XSIAM inside Cursor?

Yes, you can use the runxqlquery tool to execute custom Cortex Query Language queries. Your editor's agent will run the query and insert the raw logs directly into your open files.

Q: How does the agent retrieve active security alerts?

It invokes the getalerts tool to fetch a list of active detection rules. You can then ask the agent to write custom filters or alert-handling scripts based on those results.

Write custom security scripts and hunt threats in Cursor with real-time Cortex XSIAM endpoint and incident data.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Cortex XSIAM MCP to Cursor

Create your Vinkius account to connect Cortex XSIAM to Cursor and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Cortex XSIAM with Cursor

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Active Threat Hunting in Cursor

This MCP Server gives your editor direct access to your security data lake so you can write threat-hunting scripts against live telemetry. Your AI agent calls `run_xql_query` to pull real-time database logs and formats them directly into your active workspace. You don't have to write boilerplate parser code anymore. The agent analyzes the returned XQL data structures, matches them against `get_indicators` to flag malicious artifacts, and writes the detection logic on the fly.

Fast Incident Triage via the MCP Server

Security operations tools like `get_incidents` and `get_incident_details` let you investigate active threats without leaving your code. If a high-severity alert pops up, your agent pulls the full JSON payload directly into your sidebar. Developing custom dashboards or alert handlers becomes much faster when using this setup. You can feed live incident structures directly to your coding assistant, allowing it to build accurate React components or automation scripts based on actual schema definitions.

Automated Endpoint Defense Actions

Remediation actions are fully accessible to your editor through tools like `isolate_endpoint` and `scan_endpoint`. When you are testing response scripts, your agent can trigger these MCP tools to isolate test machines or run targeted malware scans. Executing complex response plans is handled by `execute_playbook`. This allows your agent to run multi-stage playbooks—like blocking an IP or resetting user credentials—directly from the chat interface while you monitor the code.

Setup guide

Set up Cortex XSIAM MCP in Cursor

Prerequisites

Cursor installed (macOS, Windows, or Linux)
Active Vinkius subscription with a valid endpoint token

1

Open MCP Settings

Go to Cursor Settings → MCP or open the Command Palette (Cmd+Shift+P / Ctrl+Shift+P) and search for "MCP: Add Server".
2

Add the Cortex XSIAM MCP

Cursor will create or open .cursor/mcp.json in your project root. Paste the JSON snippet on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Enable Agent mode

Open Composer (Cmd+I / Ctrl+I) and switch to Agent mode using the dropdown at the top. MCP tools are only available in Agent mode.
4

Verify the connection

Ask Cursor something like "List my recent Cortex XSIAM transactions." If the MCP tools are loaded correctly, Cursor will call the Cortex XSIAM tools automatically. You can also check Settings → MCP for a green status indicator.

.cursor/mcp.json

{
  "mcpServers": {
    "cortex-xsiam-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Cortex XSIAM. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Cortex XSIAM now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Cortex XSIAM MCP in Cursor

Create an mcp.json file in your project's .cursor directory and define the server command. Once saved, enable Agent mode in your chat panel to start calling the security tools.

Yes, you can use the `run_xql_query` tool to execute custom Cortex Query Language queries. Your editor's agent will run the query and insert the raw logs directly into your open files.

You can isolate any compromised machine immediately by having the agent call the `isolate_endpoint` tool with the target host ID. This stops lateral movement while you inspect the threat code.

It invokes the `get_alerts` tool to fetch a list of active detection rules. You can then ask the agent to write custom filters or alert-handling scripts based on those results.

All endpoint metadata, query results, and incident logs are transmitted securely via encrypted channels. The Vinkius runtime sandbox ensures that your sensitive security telemetry is never cached or exposed to external models during MCP executions.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript