Generate an API key in Cortex XSOAR under Settings > Integrations > API Keys and note your server URL.
Create an incident (which triggers the associated playbook) with POST {server-url}/incident, supplying a JSON body with name, type (matching a configured incident type), severity, and any custom labels or details fields.
Retrieve the incident and its current playbook execution state with GET {server-url}/incident/{incidentId} and inspect the playbookId and status fields.
Poll playbook task status with GET {server-url}/inv-playbook/{incidentId} to inspect individual task states and determine whether manual intervention is needed.
Close the incident programmatically with POST {server-url}/incident/close once remediation is confirmed, supplying closeReason and closeNotes.
Known gotchas
The incident type in the POST body must exactly match a type configured in XSOAR; an unrecognised type causes the incident to be created with no playbook attached.
XSOAR 8.x (the cloud/hosted version) uses a different authentication header than XSOAR 6.x on-prem; confirm whether to use x-xdr-auth-id plus x-xdr-nonce plus x-xdr-timestamp (XSOAR 8) or a simple Authorization: YOUR_API_KEY header (XSOAR 6).
Playbook execution is asynchronous, and polling too aggressively (sub-second) against large playbooks can trigger rate limiting, so implement exponential back-off.
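The polling step and the back-off advice above, as an added example (not code from Cortex XSOAR or from this page). It uses the XSOAR 6 header form and the /inv-playbook/{incidentId} path given above. Assumptions: HTTP 429 is the rate-limit signal, and the caller supplies the is_done predicate, because the page does not describe the response body.

```python
import json
import time
import urllib.error
import urllib.request

def xsoar6_request(server_url, api_key, method, path, body=None):
    """Build a request with the XSOAR 6 header form (Authorization: <key>)."""
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(
        server_url.rstrip("/") + path, data=data, method=method,
        headers={"Authorization": api_key, "Content-Type": "application/json"})

def send(req, timeout=30):
    """Real transport; certificate verification stays on (urllib default)."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

def backoff_delays(base=1.0, factor=2.0, cap=60.0):
    """Yield base, base*factor, ... capped at `cap` seconds."""
    delay = base
    while True:
        yield min(delay, cap)
        delay *= factor

def poll_playbook(server_url, api_key, incident_id, is_done,
                  transport=send, sleep=time.sleep, max_polls=10):
    """Poll GET /inv-playbook/{incidentId} until is_done(body) is true.

    Assumption: the server signals rate limiting with HTTP 429.
    Returns (last_body, list_of_waits_in_seconds).
    """
    waits, delays = [], backoff_delays()
    for _ in range(max_polls):
        req = xsoar6_request(server_url, api_key, "GET",
                             f"/inv-playbook/{incident_id}")
        status, body = transport(req)
        if status == 200 and is_done(body):
            return body, waits
        if status not in (200, 429):
            raise RuntimeError(f"unexpected HTTP {status}")
        wait = next(delays)  # back off both while running and when throttled
        waits.append(wait)
        sleep(wait)
    raise TimeoutError("playbook not finished after max_polls polls")
```

The transport and sleep parameters are injectable so the loop can be exercised offline; in production, load the API key from a secret store rather than hard-coding it.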