# Cortex XSIAM MCP

> Cortex XSIAM connects your AI agent to a full Security Operations Center (SOC) platform. It lets you investigate incidents, contain threats on endpoints, and automate complex response playbooks—all from conversation. Stop manually jumping between dashboards; get real-time alerts, indicators of compromise, and endpoint status right where you're working.

## Overview
- **Category:** other
- **Price:** Free

## Description

Dealing with a high-severity alert is a race against time. Instead of opening five different consoles to gather context, this MCP lets your AI agent handle the initial investigation. You can ask it to list all related security alerts or check if specific indicators are known threats. The system then gathers endpoint data and incident details automatically, feeding you only what matters. If you confirm a threat, you don't stop at reading; you tell the agent to run an automated response playbook. It handles everything from enriching compromised IPs to isolating endpoints—all orchestrated through your AI client. This capability means deep visibility into network activity and endpoint health without needing a security expert on standby.

## Tools

### execute_playbook
Runs an automated, defined incident response workflow using a playbook name and optional inputs.

### get_alerts
Lists all security alerts detected by Cortex XSIAM so you can review recent threat activity.

### get_endpoints
Retrieves a list of managed hosts and devices in the environment for asset auditing or targeting.

### get_incident_details
Pulls deep, specific information about a single security incident using its ID.

### get_incidents
Lists all active or historical security incidents in Cortex XSIAM for workload tracking and scoping.

### get_indicators
Checks the threat intelligence database to list known indicators of compromise (IOCs) related to a threat.

### isolate_endpoint
Immediately disconnects a compromised endpoint from the network using its unique ID.

### run_xql_query
Executes custom queries across logs and network data to perform advanced, targeted threat hunting.

### scan_endpoint
Triggers a malware scan (quick or deep) on a specific endpoint ID to verify its infection status after cleaning.

## Capabilities

### Manage Incidents
List all current security incidents, get full details on specific cases, or review recent detection rules firing.

### Control Endpoints
Check the status of managed hosts, scan for malware, and immediately isolate a compromised device from the network.

### Hunt Threats
Search raw logs across endpoints and networks using advanced queries, or list known indicators of compromise (IOCs).

### Automate Response
Execute predefined incident response playbooks to handle tasks like blocking IPs or resetting passwords automatically.

## Use Cases

### A suspicious IP address is seen in an alert.
The analyst prompts the agent: 'Check this IP and see if it's a known bad actor.' The agent first uses `get_indicators` to check threat feeds, then uses `run_xql_query` against network logs for that specific IP. The result is immediate confirmation or denial.

### A single user account shows unusual activity.
The agent gathers the full picture by calling `get_incidents` to list related cases, then uses `get_endpoints` to see which machines that user has logged into recently. This builds a scope of compromise much faster than clicking through dashboards.

### A machine is suspected of being infected.
The analyst first gets the endpoint ID using `get_endpoints`. Then, they ask the agent to run a deep scan via `scan_endpoint` and immediately follow up with `isolate_endpoint` if the results are positive.

### A known threat pattern emerges.
The team needs to replicate a response. Instead of manually running multiple steps, they trigger the predefined 'Malware Containment' playbook using `execute_playbook`, letting the system handle all the technical cleanup.

## Benefits

- Instead of manually running a query, you ask your agent to `run_xql_query` and receive filtered results for threat hunting. This saves hours of manual data sifting.
- You move past simple alerts. By using `get_incident_details`, the system provides all necessary context—who, what, and when—before you commit to an action.
- Need to stop lateral movement fast? You can isolate a machine instantly with `isolate_endpoint` based on AI analysis of initial findings.
- When dealing with repetitive tasks, use `execute_playbook`. It runs the entire response (enriching IOCs, blocking IPs) without you lifting a finger after setting it up once.
- You get a clear picture of your assets by listing endpoints using `get_endpoints`, which is essential before running any remediation actions like `scan_endpoint`.

## How It Works

The bottom line is that your AI client acts as the central nervous system, coordinating checks across multiple security tools so you don't have to.

1. Start by asking your agent to list recent security incidents or alerts using the available tools.
2. Tell the agent which endpoints or indicators need checking. It will gather current asset status and context for you.
3. Finally, instruct the agent to run a specific action, like isolating an endpoint or executing a predefined response playbook.

## Frequently Asked Questions

**How do I find out what happened after an alert using `get_alerts`?**
You first use `get_alerts` to see which rules fired. Then, you must run `run_xql_query` immediately afterward, filtering the query by the specific alert ID you found. This gives you the raw data behind the warning.

**Can I automate a full response using `execute_playbook`?**
Yes. `execute_playbook` runs complex workflows automatically. You just need to provide the playbook name and any required inputs, letting the MCP handle the multi-step actions.

**What do I use if an endpoint is infected? Should I use `scan_endpoint` or `isolate_endpoint`?**
It's a two-step process. First, run `scan_endpoint` to confirm the infection and capture the evidence behind that verdict. Only after the threat is confirmed should you call `isolate_endpoint` for containment.
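A worked illustration of the scan-then-isolate rule described here and in the "machine is suspected of being infected" use case above, as an added Python example that is not part of this page or of Cortex XSIAM. The tool functions are local mocks with assumed parameter names (`endpoint_id`, `scan_type`) and a constructed endpoint table, since the page does not give the real tool schemas; the example also adds an approval gate and an audit trail so containment never fires on a scan verdict alone.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed stand-in for the endpoint inventory (not real data).
FAKE_ENDPOINTS = {
    "ep-1001": {"hostname": "ws-finance-07", "status": "connected", "infected": True},
    "ep-1002": {"hostname": "ws-hr-03", "status": "connected", "infected": False},
}


def scan_endpoint(endpoint_id: str, scan_type: str = "deep") -> dict:
    """Mock of the scan_endpoint tool; parameter names are assumptions."""
    ep = FAKE_ENDPOINTS[endpoint_id]
    return {"endpoint_id": endpoint_id, "scan_type": scan_type,
            "verdict": "malicious" if ep["infected"] else "clean"}


def isolate_endpoint(endpoint_id: str) -> dict:
    """Mock of the isolate_endpoint tool; records the containment action."""
    FAKE_ENDPOINTS[endpoint_id]["status"] = "isolated"
    return {"endpoint_id": endpoint_id, "status": "isolated"}


@dataclass
class Triage:
    # Every tool call is logged so an analyst can review what the agent did.
    audit: List[str] = field(default_factory=list)
    # Containment requires an explicit approval callback; default denies.
    approve: Callable[[str], bool] = lambda endpoint_id: False

    def triage_endpoint(self, endpoint_id: str) -> str:
        """Deep-scan first; isolate only on a malicious verdict plus approval."""
        result = scan_endpoint(endpoint_id, "deep")
        self.audit.append(f"scan_endpoint({endpoint_id}) -> {result['verdict']}")
        if result["verdict"] != "malicious":
            return "clean"
        if not self.approve(endpoint_id):
            self.audit.append(f"isolate_endpoint({endpoint_id}) withheld: no approval")
            return "pending-approval"
        isolate_endpoint(endpoint_id)
        self.audit.append(f"isolate_endpoint({endpoint_id}) -> isolated")
        return "isolated"
```

The approval callback is where a real deployment would prompt the analyst before the agent is allowed to call `isolate_endpoint`.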

**How can I check if an indicator is suspicious using `get_indicators`?**
You use `get_indicators` by providing a hash, IP, or domain. This tool checks known threat intelligence sources and tells you if the artifact has been marked as malicious.

**What's the proper way to structure a deep investigation query using `run_xql_query`?**
You need to specify your data sources and necessary filters within the XQL string. The tool returns structured results from logs, network traffic, and endpoint data, letting you correlate multiple events in one go.

**I'm setting up a new environment; how do I use `get_endpoints` to check my full device inventory?**
Running `get_endpoints` lists every managed host and device linked to your Cortex XSIAM. This helps you quickly audit coverage, ensuring no machines are offline or unmonitored.

**If I only have a general idea of a threat, how can I use `get_incident_details` for context?**
You must provide the specific incident ID to get details. This tool pulls deep information about that single event, giving you the full background needed before deciding on next steps.

**When tracking a high volume of alerts, how do I use `get_incidents` to focus only on critical cases?**
You can use parameters with `get_incidents` to sort and limit results. This lets you narrow down the list to specific severity levels or timeframes, managing analyst workload efficiently.