Argus Event Search Translator MCP Tools#

These tools help the LLM express event-related search intent as valid Argus query JSON before execution.

They support:

  • building event search criteria and a shareable Argus portal search link

  • building event statistics criteria for counts, grouped buckets, and time-based timelines

  • looking up valid event flags, endpoint flags, and event search sort values

General Notes#

  • Use these tools when you want the LLM to prepare a valid event search or event statistics query from plain-language intent.

  • If the request involves event flags, endpoint flags, or event search sorting, the LLM can resolve allowed values with the list tools behind the scenes.

  • Allowed event flag, endpoint flag, and sort values are case-sensitive.

  • Search translation returns criteria plus a shareable link. Statistics translation returns only the statistics criteria.

  • If you want live Argus results after translation, the LLM can use the corresponding Event REST MCP tool with the same search or statistics intent.

  • Event statistics requests need at least one output instruction: statistics.groupBy or statistics.timeRangeMetrics.

Tool: generateArgusEventSearchQuery#

Purpose

Generate an Argus event search query from event-search intent. The result contains:

  • searchCriteria: generated Event V2 search JSON

  • searchLink: shareable Argus portal link for the same search

Arguments

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| request | Event search definition the LLM builds from the request. | object | None | Yes |
| includeProperties | Whether event properties should be included when searching and fetching results. | boolean | false | Yes |

request Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| associateCaseID | Match events associated with any of these case IDs. 0 means events with no associated case. | array<number> | None | No |
| attack | Attack-related criteria. Each item is one criterion. | array<object> | None | No |
| customer | Match events belonging to any customer ID or short name. | array<string> | None | No |
| domainName | Match events with any of these domain names. | array<string> | None | No |
| endpoint | Endpoint-related criteria for source or destination endpoints. | array<object> | None | No |
| severity | Match event severity. Allowed values: low, medium, high, critical. | array<string> | None | No |
| eventIdentifier | Match specific event identifiers. | array<string> | None | No |
| type | Match event type. Allowed values: aggregated, raw. | array<string> | None | No |
| timeFilter | Time-based narrowing for the event search. | object | { "timeField": ["created"], "startTime": "startOfDay", "endTime": "now", "timeMatchStrategy": "any" } | No |
| includeEventFlag | Event flags that matching events must contain. The LLM can look up allowed values. | array<string> | None | No |
| excludeEventFlag | Event flags that matching events must not contain. The LLM can look up allowed values. | array<string> | None | No |
| property | Event property criteria. | array<object> | None | No |
| page | Pagination settings. | object | { "limit": 25, "offset": 0 } | No |
| sortBy | Search result sort order. List order is the sort priority. Prefix a value with - for descending order. The LLM can look up allowed sort values. | array<string> | None | No |

request.attack[] Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| alarm | Match events triggered by any of these alarms, using alarm ID or short name. | array<string> | None | No |
| attackCategory | Match events in any of these attack categories, using ID or short name. | array<string> | None | No |
| signature | Match events triggered by any of these security signatures. | array<string> | None | No |
| exclude | Negate this attack criterion. | boolean | false | No |
| required | Require this criterion to match together with other criteria. | boolean | true | No |

request.endpoint[] Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| countryCode | Match endpoint country codes. | array<string> | None | No |
| endpointFieldStrategy | Which endpoint side to search. Allowed values: source, destination, all. | string | all | No |
| ip | Match endpoint IPs or CIDR networks. Supports IPv4, IPv6, and CIDR notation. | array<string> | None | No |
| minMaskBits | Minimum CIDR prefix length to match. Useful to exclude broad subnets. | number | None | No |
| port | Match endpoint ports. | array<number> | None | No |
| includeEndpointFlag | Endpoint flags that must be present. The LLM can look up allowed values. | array<string> | None | No |
| excludeEndpointFlag | Endpoint flags that must not be present. The LLM can look up allowed values. | array<string> | None | No |
| exclude | Negate this endpoint criterion. | boolean | false | No |
| required | Require this endpoint criterion to match together with other criteria. | boolean | false | No |

request.timeFilter Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| timeField | Event time fields the range applies to. Allowed values: created, lastUpdated, firstAssessment, enginePersisted, firstEvent, lastEvent, published, all. | array<string> | ["created"] | No |
| startTime | Start of the time range. Accepts epoch millis as a string, ISO-8601 UTC, or relative expressions such as startOfDay - 1 day. | string | startOfDay | No |
| endTime | End of the time range. Accepts epoch millis as a string, ISO-8601 UTC, or relative expressions such as now. | string | now | No |
| timeMatchStrategy | How to evaluate multiple timeField values. Allowed values: any, all. | string | any | No |

request.property[] Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| key | Property key to match. | string | None | Yes |
| value | Property values to match against the key. | array<string> | None | Yes |
| valueMatchStrategy | How to combine multiple values. Allowed values: any, all. | string | any | No |
| valueSearchStrategy | How to compare each value. Allowed values: tokenized, exact. | string | exact | No |
| exclude | Negate this property criterion. | boolean | false | No |
| required | Require this property criterion to match together with other criteria. | boolean | false | No |

request.page Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| limit | Maximum number of items per page. Accepted range: 1 to 100. | number | 25 | No |
| offset | Number of items to skip before returning results. Must be 0 or greater. | number | 0 | No |

Usage Notes

  • If event properties are needed in result rows, ask for properties explicitly so the LLM can enable includeProperties.

  • Event search pagination supports 1 to 100 items per page.

  • Descending sorting uses a - prefix, for example -createdTimestamp.

  • Event identifiers use the format timestamp/customerID/eventID.
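As an added example (not part of the Argus MCP tools), the following Python applies the defaults documented above to an event search request and reports every value the tool would reject: case-sensitive allowed values, the - prefix on sortBy, the timestamp/customerID/eventID identifier format and the 1 to 100 page limit. The function names and the sample requests are assumptions made for this illustration.

```python
# Added example (not the Argus MCP tools' own code): apply the documented
# defaults to an event search `request` and report every invalid value.
SEVERITIES = {"low", "medium", "high", "critical"}
TYPES = {"aggregated", "raw"}
TIME_FIELDS = {"created", "lastUpdated", "firstAssessment", "enginePersisted",
               "firstEvent", "lastEvent", "published", "all"}
# Values returned by listArgusEventSearchSortBy; comparisons are case-sensitive.
SORT_BY = {"customerID", "eventID", "createdTimestamp", "lastUpdatedTimestamp",
           "firstEventTimestamp", "lastEventTimestamp"}
DEFAULT_TIME_FILTER = {"timeField": ["created"], "startTime": "startOfDay",
                       "endTime": "now", "timeMatchStrategy": "any"}
DEFAULT_PAGE = {"limit": 25, "offset": 0}


def with_defaults(request: dict) -> dict:
    """Return searchCriteria with the documented defaults filled in."""
    c = dict(request)
    c["timeFilter"] = {**DEFAULT_TIME_FILTER, **request.get("timeFilter", {})}
    c["page"] = {**DEFAULT_PAGE, **request.get("page", {})}
    # An endpoint criterion searches both sides unless told otherwise.
    c["endpoint"] = [{"endpointFieldStrategy": "all", **e}
                     for e in request.get("endpoint", [])]
    return c


def validate_search(request: dict) -> list:
    """Return a list of problems (empty when the request is acceptable)."""
    c = with_defaults(request)
    problems = []

    def allowed(name, values, ok):
        bad = [v for v in values if v not in ok]  # no .lower(): case matters
        if bad:
            problems.append(f"{name}: not allowed: {bad}")

    allowed("severity", c.get("severity", []), SEVERITIES)
    allowed("type", c.get("type", []), TYPES)
    allowed("timeFilter.timeField", c["timeFilter"]["timeField"], TIME_FIELDS)
    allowed("timeFilter.timeMatchStrategy",
            [c["timeFilter"]["timeMatchStrategy"]], {"any", "all"})
    allowed("endpointFieldStrategy",
            [e["endpointFieldStrategy"] for e in c["endpoint"]],
            {"source", "destination", "all"})
    allowed("sortBy", [s[1:] if s.startswith("-") else s  # "-" = descending
                       for s in c.get("sortBy", [])], SORT_BY)
    for ident in c.get("eventIdentifier", []):
        if len(ident.split("/")) != 3:
            problems.append(f"eventIdentifier: expected timestamp/customerID/eventID: {ident}")
    if not 1 <= c["page"]["limit"] <= 100:
        problems.append("page.limit: must be 1 to 100")
    return problems
```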

Tool: generateArgusEventStatisticsQuery#

Purpose

Generate an Argus event statistics query from event-statistics intent. The result is Event V2 statistics JSON that can be used to calculate counts, grouped buckets, and time-based timeline metrics.

Arguments

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| request | Event statistics definition the LLM builds from the request. | object | None | Yes |

request Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| filter | Filters that select which events are included before statistics are calculated. | object | Default event filter with created-time range from startOfDay to now | No |
| statistics | Statistics outputs to calculate. Must include groupBy, timeRangeMetrics, or both. | object | Empty object | Yes |

request.filter Fields#

These filters use the same shape as event search filters, except there is no pagination, sorting, or includeProperties option.

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| associateCaseID | Include events associated with any of these case IDs. 0 means events with no associated case. | array<number> | None | No |
| attack | Attack-related criteria. | array<object> | None | No |
| customer | Include events for any customer ID or short name. | array<string> | None | No |
| domainName | Include events with any of these domain names. | array<string> | None | No |
| endpoint | Endpoint-related criteria. | array<object> | None | No |
| severity | Include event severities. Allowed values: low, medium, high, critical. | array<string> | None | No |
| eventIdentifier | Include specific event identifiers. | array<string> | None | No |
| type | Include event types. Allowed values: aggregated, raw. | array<string> | None | No |
| timeFilter | Time range selecting the event population for statistics. | object | { "timeField": ["created"], "startTime": "startOfDay", "endTime": "now", "timeMatchStrategy": "any" } | No |
| includeEventFlag | Event flags that events must contain. The LLM can look up allowed values. | array<string> | None | No |
| excludeEventFlag | Event flags that events must not contain. The LLM can look up allowed values. | array<string> | None | No |
| property | Event property criteria. | array<object> | None | No |

request.statistics Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| groupBy | Fields by which to group statistics. Order controls the aggregation hierarchy. | array<object> | None | Required if timeRangeMetrics is omitted |
| timeRangeMetrics | Time-based timeline metrics to calculate over the filtered events. | array<object> | None | Required if groupBy is omitted |

At least one of groupBy or timeRangeMetrics must be present in a statistics request.

request.statistics.groupBy[] Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| field | Event field to group by. Allowed values: signature, attackCategory, alarm, location, severity, sourceIP, destinationIP, protocol, customer, sourceCountry, destinationCountry, associatedCase. | string | None | Yes |
| limit | Maximum number of distinct buckets for this group field. | number | 25 | No |

request.statistics.timeRangeMetrics[] Fields#

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| name | Unique metric name for the timeline metric. If omitted, the generated query may create a name. | string | Generated when omitted | No |
| timestampField | Event timestamp field to bucket. Allowed values: created, lastUpdated, firstAssessment, enginePersisted, firstEvent, lastEvent. | string | None | Yes |
| resolution | Timeline bucket size. Allowed values: minutes, hours, days, weeks, months, years. | string | None | No |
| includeEmptyBuckets | Whether empty time buckets should be included. | boolean | None | No |

Usage Notes

  • The statistics filter time range selects the events included in the calculation.

  • Timeline metric start and end timestamps follow the filter time range.

  • Grouping order matters. For example, grouping by customer then severity creates customer buckets with severity buckets inside each customer.

  • Event statistics do not support numeric summary metrics; use groupBy and timeRangeMetrics.

  • Event statistics timeline fields are narrower than search time fields. For example, published can be used in search time filters but is not a valid timeline metric timestamp field.
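As an added example (not part of the Argus MCP tools), the following Python normalises an event statistics request as documented above: it enforces the at-least-one-output rule, keeps the groupBy order as the aggregation hierarchy, fills in the groupBy limit and filter time range defaults, rejects timeline timestamp fields that are valid only in search (such as published), and generates unique metric names when they are omitted. The function name, the generated name scheme and the sample request are assumptions made for this illustration.

```python
# Added example (not the Argus MCP tools' own code): normalise and validate an
# event statistics `request` of the shape documented above.
GROUP_FIELDS = {"signature", "attackCategory", "alarm", "location", "severity",
                "sourceIP", "destinationIP", "protocol", "customer",
                "sourceCountry", "destinationCountry", "associatedCase"}
# Narrower than the search time fields: no "published", no "all".
TIMELINE_FIELDS = {"created", "lastUpdated", "firstAssessment",
                   "enginePersisted", "firstEvent", "lastEvent"}
RESOLUTIONS = {"minutes", "hours", "days", "weeks", "months", "years"}
DEFAULT_TIME_FILTER = {"timeField": ["created"], "startTime": "startOfDay",
                       "endTime": "now", "timeMatchStrategy": "any"}


def build_statistics_criteria(request: dict) -> dict:
    """Return statistics criteria with defaults applied, or raise ValueError."""
    stats = request.get("statistics") or {}
    group_by = stats.get("groupBy") or []
    metrics = stats.get("timeRangeMetrics") or []
    if not group_by and not metrics:
        raise ValueError("statistics needs groupBy, timeRangeMetrics, or both")

    out_groups = []
    for g in group_by:  # list order is the aggregation hierarchy, so keep it
        if g.get("field") not in GROUP_FIELDS:
            raise ValueError(f"groupBy.field not allowed: {g.get('field')!r}")
        out_groups.append({"field": g["field"], "limit": g.get("limit", 25)})

    out_metrics, names = [], set()
    for i, m in enumerate(metrics):
        if m.get("timestampField") not in TIMELINE_FIELDS:
            raise ValueError(f"timestampField not allowed: {m.get('timestampField')!r}")
        if "resolution" in m and m["resolution"] not in RESOLUTIONS:
            raise ValueError(f"resolution not allowed: {m['resolution']!r}")
        # Names must be unique; generate one (assumed scheme) when omitted.
        name = m.get("name") or f"{m['timestampField']}_{i}"
        if name in names:
            raise ValueError(f"duplicate timeRangeMetrics name: {name!r}")
        names.add(name)
        out_metrics.append({**m, "name": name})

    filt = dict(request.get("filter") or {})
    filt["timeFilter"] = {**DEFAULT_TIME_FILTER, **filt.get("timeFilter", {})}
    statistics = {}
    if out_groups:
        statistics["groupBy"] = out_groups
    if out_metrics:
        statistics["timeRangeMetrics"] = out_metrics
    return {"filter": filt, "statistics": statistics}
```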

Tool: listArgusEventFlags#

Purpose

Return allowed event flag values for event search and event statistics filtering.

Arguments

This tool takes no arguments.

Current Returned Values

established, blocked, partiallyBlocked, snapshot, finalized, falsePositive, notAThreat, tuningCandidate, notified, notifiedUnpublished, notifiedDeleted, followup, partiallyNotified, identifiedThreat, threatCandidate, acknowledged, partiallyAcknowledged, severityAdjusted, commented, filtered, checked, incompleteDetails, aggregatedBaseEvent, remoteStorage, hasDetails, hasPayload, hasPcap, associatedToCaseByFilter, severityIncreasedByFilter, severityReducedByFilter, createdByAnalysisFilter, extendEventTtl, initialTuning, postAnalysis, partialSslTerminated, sslTerminated, autoReport, missingTimestamp, clockOutOfSync, dropAnalysis, escalatedByReputation, hasSample, storeEvent, storeAggregated, handledByAnalyst, slaViolation, payloadTruncated, hasStringPayload, reassessed, eventFromOtEnvironment, eventFromRestrictedItEnvironment, failure

Tool: listArgusEndpointFlags#

Purpose

Return allowed endpoint flag values for endpoint filtering in event search and event statistics.

Arguments

This tool takes no arguments.

Current Returned Values

isCustomerNet, isPartialCustomerNet, customAggregation, isManagedBySoc

Tool: listArgusEventSearchSortBy#

Purpose

Return allowed sortBy values for event search.

Arguments

This tool takes no arguments.

Current Returned Values

customerID, eventID, createdTimestamp, lastUpdatedTimestamp, firstEventTimestamp, lastEventTimestamp