Cortex XSIAM MCP for AI. Automate Incident Containment & Threat Response

Q: How do I find out what happened after an alert using getalerts?

You first use getalerts to see which rules fired. Then, you must run runxqlquery immediately afterward, filtering the query by the specific alert ID you found. This gives you the raw data behind the warning.

Q: Can I automate a full response using executeplaybook?

Yes. executeplaybook runs complex workflows automatically. You just need to provide the playbook name and any required inputs, letting the MCP handle the multi-step actions.

Q: What do I use if an endpoint is infected? Should I use scanendpoint or isolateendpoint?

It's a two-step process. First, run scanendpoint to confirm the infection and get proof of life. Only after confirming the threat should you then call isolateendpoint for containment.

Q: How can I check if an indicator is suspicious using getindicators?

You use getindicators by providing a hash, IP, or domain. This tool checks known threat intelligence sources and tells you if the artifact has been marked as malicious.

Q: I'm setting up a new environment; how do I use getendpoints to check my full device inventory?

Running getendpoints lists every managed host and device linked to your Cortex XSIAM. This helps you quickly audit coverage, ensuring no machines are offline or unmonitored.

Q: When tracking a high volume of alerts, how do I use getincidents to focus only on critical cases?

You can use parameters with getincidents to sort and limit results. This lets you narrow down the list to specific severity levels or timeframes, managing analyst workload efficiently.

Claude

ChatGPT

Cursor

Gemini

Windsurf

VS Code

JetBrains

Vercel

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

Connect to your AI in seconds.

Cortex XSIAM connects your AI agent to a full Security Operations Center (SOC) platform. It lets you investigate incidents, contain threats on endpoints, and automate complex response playbooks—all from conversation.

Stop manually jumping between dashboards; get real-time alerts, indicators of compromise, and endpoint status right where you're working.

What your AI can do

Execute playbook

Runs an automated, defined incident response workflow using a playbook name and optional inputs.

Get alerts

Lists all security alerts detected by Cortex XSIAM so you can review recent threat activity.

Get endpoints

Retrieves a list of managed hosts and devices in the environment for asset auditing or targeting.

+ 6 more capabilities included

Manage Incidents

List all current security incidents, get full details on specific cases, or review recent detection rules firing.

Control Endpoints

Check the status of managed hosts, scan for malware, and immediately isolate a compromised device from the network.

Hunt Threats

Search raw logs across endpoints and networks using advanced queries, or list known indicators of compromise (IOCs).

Automate Response

Execute predefined incident response playbooks to handle tasks like blocking IPs or resetting passwords automatically.

Ask an AI about this

Cortex XSIAM MCP: 9 Tools for Security Operations

These nine tools allow your AI agent to manage the entire security lifecycle, from listing initial alerts to executing complex containment and remediation playbooks.

Make your AI actually useful.

Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.

Start using Cortex XSIAM on Vinkius

Execute Playbook

Runs an automated, defined incident response workflow using a playbook name and optional inputs.

Get Alerts

Lists all security alerts detected by Cortex XSIAM so you can review recent threat...

Get Endpoints

Retrieves a list of managed hosts and devices in the environment for asset auditing...

Get Incident Details

Pulls deep, specific information about a single security incident using its ID.

Get Incidents

Lists all active or historical security incidents in Cortex XSIAM for workload...

Get Indicators

Checks the threat intelligence database to list known indicators of compromise (IOCs) related to a threat.

Isolate Endpoint

Immediately disconnects a compromised endpoint from the network using its unique ID.

Run Xql Query

Executes custom queries across logs and network data to perform advanced, targeted...

Scan Endpoint

Triggers a malware scan (quick or deep) on a specific endpoint ID to verify its...

Security and governance baked right in.

Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for HTTPS Streamable, SSE, and OAuth2—zero messy routing required.

Claude AI

Open Claude Settings

Go to claude.ai, click your profile icon, then navigate to Customize → Connectors.

Add Custom Connector

Click the "+" button and select Add custom connector. Paste your Vinkius endpoint URL:

https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. For OAuth-protected servers, expand Advanced settings to add credentials.

Start a conversation

Open a new chat. The Cortex XSIAM integration is available immediately — no restart needed.

Antigravity

Configure Agent Environment

Open your Antigravity agent's workspace configuration or mcp-servers.json file.

Bind the Endpoint

Add the Vinkius endpoint URL to your agent's MCP connections list:

"mcp_servers": {
  "cortex-xsiam": {
    "serverUrl": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
  }
}

Provide your secure token in place of [YOUR_TOKEN_HERE] to ensure your agent requests are authenticated.

Execute

Start your Antigravity session. The agent will autonomously discover and utilize the Cortex XSIAM tools with full Vinkius guardrails applied.

VS Code Copilot

⚡

One-Click Install (Recommended)

In your Vinkius Dashboard, simply click the Add to VS Code button for this server. We'll automatically configure your local workspace.

Or configure manually

Open MCP Settings

Open VS Code, press Ctrl/Cmd + Shift + P, and search for GitHub Copilot: MCP Servers.

Add Server Config

Add the Vinkius endpoint configuration to your mcp-servers.json file:

"cortex-xsiam": {
  "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
}

Ensure you replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com.

LangChain

Install Dependencies

Install the LangChain MCP adapters for your environment:

pip install langchain-mcp-adapters

Connect the Server

Use the SSEClient in LangChain to connect to the Vinkius managed endpoint:

from langchain_mcp_adapters.client import SSEClient

# Connect to Vinkius
client = SSEClient(url="https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp")
tools = client.get_tools()

CrewAI

Define the Tool

Load the Vinkius MCP tools into your CrewAI agents:

from crewai import Agent
from mcp_crewai import MCPTool

# Connect securely to Vinkius
vinkius_tools = MCPTool(url="https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp")

# Assign to Agent
researcher = Agent(
    role='Data Researcher',
    tools=vinkius_tools.get_all()
)

Execute Task

Run your CrewAI process. The agent will autonomously route tasks to the Vinkius managed server.

Choose How to Get Started

Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.

Build Your Own

Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.

Import from OpenAPI, Swagger, or YAML specs
Create Agent Skills with progressive disclosure
Deploy to edge with MCPFusion framework
Built in DLP, auth, and compliance on every call
Real time usage dashboard and cost metering
Publish to catalog or keep private

Start building

Make Your AI Do More

Start with Cortex XSIAM, then connect any of our 5,100+ other servers whenever your AI needs more. One click, no limits.

Use this MCP plus 5,100+ others, all in one place
Add new capabilities to your AI anytime you want
Every connection is secured and compliant automatically
Track usage and costs across all your servers
Works with Claude, ChatGPT, Cursor, and more
New servers added to the catalog every week

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Cortex XSIAM. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

VINKIUS INFRASTRUCTURE

Cloud Hosted

Managed infra

V8 Isolated

Sandboxed per request

Zero-Trust Proxy

No stored credentials

DLP Enforced

Policy on every call

GDPR Compliant

EU data residency

Token Compression

~60% cost reduction

Your data is protected. See how we built it.

Works with Claude, ChatGPT, Cursor, and more

The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.

This connection provides 9 powerful capabilities that interface natively with Claude, ChatGPT, Cursor, and other compatible AI platforms. No middleware. No custom integration required.

The Messy Process of Incident Triage Today

Right. So, when a high-severity alert pops up, what happens? You open the dashboard, grab an IP address from one panel, copy it into another tool to check threat feeds, then you jump over to the asset inventory console just to find the affected host ID. It’s a cycle of clicking, copying, and cross-referencing dozens of separate tabs.

With this MCP, that manual handoff disappears. You tell your agent what happened in one prompt. It pulls together the incident context, checks the indicators, finds the impacted endpoints, and presents you with a single, unified view—no copy-pasting required.

Automating Containment with Cortex XSIAM

The manual steps that vanish are: 1) Finding the endpoint ID from a list of alerts. 2) Logging into the isolation console. 3) Manually executing the quarantine command. All those friction points disappear.

You don't just get data; you execute policy. You confirm the threat, and with one prompt, your agent performs the containment action using `isolate_endpoint`. It’s immediate, auditable, and drastically faster.

Support 24/7 support@vinkius.com ↗

Security Vinkius Trust Center ↗

SLA Service Level Agreement ↗

Report Listing Send Report ↗

What your AI can actually do with this

Dealing with a high-severity alert is a race against time. Instead of opening five different consoles to gather context, this MCP lets your AI agent handle the initial investigation. You can ask it to list all related security alerts or check if specific indicators are known threats. The system then gathers endpoint data and incident details automatically, feeding you only what matters.

If you confirm a threat, you don't stop at reading; you tell the agent to run an automated response playbook. It handles everything from enriching compromised IPs to isolating endpoints—all orchestrated through your AI client. This capability means deep visibility into network activity and endpoint health without needing a security expert on standby.

Built · Hosted · Managed by Vinkius Cortex XSIAM MCP - Automate Security Incident Response

Server ID 019d757c-f778-72e7-9b7d-89d68bc4c236

Vinkius Inspector

Compliance Grade A+

Score 100/100

Report View Report ↗

Who is this actually for?

This is for the SOC Analyst who gets tired of dashboard fatigue at 2 AM. It's for the Incident Responder who needs immediate containment options, and the Security Engineer building automated playbooks that need real-world data feeds.

SOC Tier II Analyst

They use this MCP to triage high-priority alerts by running get_alerts followed by run_xql_query to confirm the scope and source of a threat.

Incident Responder (IR)

Needs quick, actionable commands. They use this MCP to gather context with get_incident_details and execute containment measures like isolate_endpoint immediately.

Security Engineer

Builds automated workflows using execute_playbook, ensuring that complex, multi-step responses happen consistently every time an alert fires.

What Changes When You Connect

Instead of manually running a query, you ask your agent to run_xql_query and receive filtered results for threat hunting. This saves hours of manual data sifting.

You move past simple alerts. By using get_incident_details, the system provides all necessary context—who, what, and when—before you commit to an action.

Need to stop lateral movement fast? You can isolate a machine instantly with isolate_endpoint based on AI analysis of initial findings.

When dealing with repetitive tasks, use execute_playbook. It runs the entire response (enriching IOCs, blocking IPs) without you lifting a finger after setting it up once.

You get a clear picture of your assets by listing endpoints using get_endpoints, which is essential before running any remediation actions like scan_endpoint.

See it in action

01 01

A suspicious IP address is seen in an alert.

The analyst prompts the agent: 'Check this IP and see if it's a known bad actor.' The agent first uses get_indicators to check threat feeds, then uses run_xql_query against network logs for that specific IP. The result is immediate confirmation or denial.

02 02

A single user account shows unusual activity.

The agent gathers the full picture by calling get_incidents to list related cases, then uses get_endpoints to see which machines that user has logged into recently. This builds a scope of compromise much faster than clicking through dashboards.

03 03

A machine is suspected of being infected.

The analyst first gets the endpoint ID using get_endpoints. Then, they ask the agent to run a deep scan via scan_endpoint and immediately follow up with isolate_endpoint if the results are positive.

04 04

A known threat pattern emerges.

The team needs to replicate a response. Instead of manually running multiple steps, they trigger the predefined 'Malware Containment' playbook using execute_playbook, letting the system handle all the technical cleanup.

The honest tradeoffs

Over-relying on surface data

Anti-pattern

The analyst just reviews a list of alerts from get_alerts and assumes every alert requires manual investigation, wasting hours checking false positives.

The Fix

First, use get_incidents to scope the problem. Then, instruct your agent to run run_xql_query against those limited results. This focuses deep investigation only on high-fidelity, correlated data.

Ignoring endpoint context

Anti-pattern

Running a cleanup playbook without first verifying the affected assets by running get_endpoints. You might accidentally target or miss critical machines.

The Fix

Always start by listing your managed endpoints using get_endpoints. Use this list to confirm that all necessary hosts are in scope before triggering any containment action.

Jumping straight to isolation

Anti-pattern

The instinct is to hit 'Isolate' as soon as an alert fires. This risks disrupting critical business processes because you haven't confirmed the threat yet.

The Fix

Before running isolate_endpoint, confirm the severity and indicators first. Use get_indicators and get_incident_details to build a case, making sure isolation is a confirmed last step.

When It Fits, When It Doesn't

Use this MCP if your core problem is orchestrating complex actions across multiple security tools—it's built for the Incident Response playbook. You need to correlate an alert with endpoint data and then run an automated fix. Don't use it if you just need to search a single log source; in that case, a dedicated query tool might be better. Also, don't assume this handles identity management alone; while it can reset passwords via playbooks, for pure user lifecycle management, look at specialized Identity Access Management tools instead. This MCP shines when the investigation requires moving from context gathering (get_incidents, get_alerts) to targeted action (isolate_endpoint, execute_playbook).

Questions you might have

How do I find out what happened after an alert using get_alerts? +

You first use get_alerts to see which rules fired. Then, you must run run_xql_query immediately afterward, filtering the query by the specific alert ID you found. This gives you the raw data behind the warning.

Can I automate a full response using execute_playbook? +

Yes. execute_playbook runs complex workflows automatically. You just need to provide the playbook name and any required inputs, letting the MCP handle the multi-step actions.

What do I use if an endpoint is infected? Should I use scan_endpoint or isolate_endpoint? +

It's a two-step process. First, run scan_endpoint to confirm the infection and get proof of life. Only after confirming the threat should you then call isolate_endpoint for containment.

How can I check if an indicator is suspicious using get_indicators? +

You use get_indicators by providing a hash, IP, or domain. This tool checks known threat intelligence sources and tells you if the artifact has been marked as malicious.

What's the proper way to structure a deep investigation query using `run_xql_query`? +

You need to specify your data sources and necessary filters within the XQL string. The tool returns structured results from logs, network traffic, and endpoint data, letting you correlate multiple events in one go.

I'm setting up a new environment; how do I use `get_endpoints` to check my full device inventory? +

Running get_endpoints lists every managed host and device linked to your Cortex XSIAM. This helps you quickly audit coverage, ensuring no machines are offline or unmonitored.

If I only have a general idea of a threat, how can I use `get_incident_details` for context? +

You must provide the specific incident ID to get details. This tool pulls deep information about that single event, giving you the full background needed before deciding on next steps.

When tracking a high volume of alerts, how do I use `get_incidents` to focus only on critical cases? +

You can use parameters with get_incidents to sort and limit results. This lets you narrow down the list to specific severity levels or timeframes, managing analyst workload efficiently.

Connect to your AI in seconds.

Execute playbook

Get alerts

Get endpoints

Cortex XSIAM MCP: 9 Tools for Security Operations

Make your AI actually useful.

Execute Playbook

Get Alerts

Get Endpoints

Get Incident Details

Get Incidents

Get Indicators

Isolate Endpoint

Run Xql Query

Scan Endpoint

Security and governance baked right in.

Claude AI

Open Claude Settings

Add Custom Connector

Start a conversation

Claude Code

Open your terminal

Add the MCP Server

Start coding

Cursor

One-Click Install (Recommended)

Open Cursor Settings

Add New Server

Use in Composer

Antigravity

Configure Agent Environment

Bind the Endpoint

Execute

VS Code Copilot

One-Click Install (Recommended)

Open MCP Settings

Add Server Config

Windsurf

One-Click Install (Recommended)

Open Windsurf Settings

Add Server Endpoint

LangChain

Install Dependencies

Connect the Server

CrewAI

Define the Tool

Execute Task

Choose How to Get Started

Build Your Own

Make Your AI Do More

Works with Claude, ChatGPT, Cursor, and more

The Messy Process of Incident Triage Today

Automating Containment with Cortex XSIAM

What your AI can actually do with this

Here's how it actually works

Who is this actually for?

What Changes When You Connect

See it in action

A suspicious IP address is seen in an alert.

A single user account shows unusual activity.

A machine is suspected of being infected.

A known threat pattern emerges.

The honest tradeoffs

Over-relying on surface data

Ignoring endpoint context

Jumping straight to isolation

When It Fits, When It Doesn't

Questions you might have