# Palo Alto Cortex MCP Server on Claude Desktop

## Cortex MCP Server

An MCP server that exposes Palo Alto Cortex XDR API capabilities to AI agents like Claude Desktop.

Managing a multi-tenant Cortex XDR deployment means constant context-switching: log into the console, filter endpoints, pull alerts, copy the data, write the report. This server was built to cut that loop short by letting an AI agent query Cortex XDR directly, so analysts can focus on analysis rather than navigation.
## Available Tools

| Tool | Description |
|------|-------------|
| get_active_agents | List all currently connected and protected endpoints |
| get_recent_alerts | Fetch alerts within a time window (default: last 24 hours) |
| get_executive_summary | Summarize alert/incident counts and top-5 incident details for a given period |
## Configuration

Create a `.env` file in the project root:

```ini
CORTEX_URL=https://api-your-tenant.xdr.us.paloaltonetworks.com
API_KEY=your_api_key_here
API_KEY_ID=your_api_key_id_here
USE_ENV_PROXY=false
REQUEST_TIMEOUT_SECONDS=30
```

Keep `.env` out of version control: `API_KEY` authenticates every request this server makes to the tenant.
## Disclaimer

This server interacts directly with a production API. Apply the principle of least privilege when provisioning the API key used here: the three tools above only read endpoint, alert and incident data, so the key needs a read-only role and no permissions for response actions or configuration changes.