Palo Alto Networks MCP server
Triage Cortex XSIAM incidents and run XQL queries from your AI agents.
About
Connect Tracecat to Palo Alto Networks to ground an AI SOC analyst in the same APIs the Cortex UI uses for XSIAM and Cortex XDR investigations. You can pull an alert, triage the incident, and run an XQL query against the data lake from a workflow. From there, isolate a Cortex XDR endpoint, update incident status, and add a comment with the evidence the agent gathered, all scoped to a least-privilege custom role inside your XSIAM tenant.
Setup
1. Create an API key
   The Cortex MCP server authenticates with a Cortex XSIAM API key and key ID, scoped to a role inside your XSIAM tenant. Tokens carry the role's permissions, so create the key under a least-privilege custom role.
2. Select the Palo Alto Networks tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the Palo Alto Networks tile, and paste your API key.
3. Enable Palo Alto Networks in your agent
   In your ai.agent action or the Agents → tools tab, select Palo Alto Networks from the MCP integrations dropdown.
Tools
| Tool | Description |
| --- | --- |
| get_incident | Retrieve a Cortex XSIAM incident with alerts, key artifacts, and assignee. |
| list_incidents | List XSIAM incidents filtered by status, severity, and time range. |
| update_incident | Update incident status, severity, assignment, or notes. |
| run_xql_query | Execute an XQL query against the XSIAM data lake and return tabular results. |
| get_endpoint | Fetch endpoint details from Cortex XDR or XSIAM by host or agent ID. |
| isolate_endpoint | Isolate a Cortex XDR endpoint as part of an incident response runbook. |
| list_alerts | List alerts with filters for source, severity, MITRE technique, and time. |
| add_incident_comment | Add an analyst or agent comment to an XSIAM incident for traceability. |