Argus Alarm MCP Tools#

These MCP tools let you retrieve Argus alarms and attack categories from the alarm API.

They support two common tasks:

search alarms using a structured request
search attack categories using a structured request

General Notes#

Use these tools when you want the LLM to retrieve alarm or attack-category data from Argus APIs.
If you ask the LLM to search alarms or attack categories, it may first use the alarm search translator tools to construct the search request and then use the search tool to fetch results.
Each search tool call returns only one page of results. It does not automatically fetch additional pages.
When more results may exist, the response includes pagination metadata under page, such as nextOffset, stop, and reason, which the LLM can use if you ask it to continue.
Search pagination supports 1 to 100 items per page.
If sorting is involved, the LLM can use the alarm search translator tools to look up valid sort values before retrieving results.

Tool: `executeSearchArgusAlarm`#

Purpose

Retrieve Argus alarm search results for the search criteria the LLM has prepared.

Arguments

Field	Description	Type	Default	Required
`request`	The full alarm search definition the LLM builds from your request.	`object`	None	Yes
`includeMappings`	Whether alarm security signature mapping details should be included in the returned results.	`boolean`	`false`	Yes

`request` fields#

Field	Description	Type	Default	Required
`idOrShortName`	Match alarms by any of the specified alarm IDs or short names.	`array<string>`	None	No
`attackCategoryID`	Match alarms belonging to any of the specified attack category IDs.	`array<number>`	None	No
`signature`	Match alarms with any of the specified security signatures. This is exact matching; use `keywordFilter` for case-insensitive text matching.	`array<string>`	None	No
`reference`	Match alarms with any of the specified references. This is exact matching; use `keywordFilter` for case-insensitive text matching.	`array<string>`	None	No
`label`	Match alarms with any of the specified labels. This is exact matching; use `keywordFilter` for case-insensitive text matching.	`array<string>`	None	No
`keywordFilter`	Keyword-based matching across alarm text fields.	`object`	None	No
`timeFilter`	Time-based narrowing for alarm search.	`object`	None	No
`page`	Pagination settings.	`object`	`{ "limit": 25, "offset": 0 }`	No
`sortBy`	Sort order list. Use list order as priority. Prefix with `-` for descending.	`array<string>`	None	No

`request.keywordFilter` fields#

Field	Description	Type	Default	Required
`keywords`	Search terms to match.	`array<string>`	None	No
`keywordField`	Which alarm keyword fields to search. Allowed values: `id`, `shortName`, `signature`, `description`, `reference`, `label`, `all`.	`array<string>`	`["all"]`	No
`keywordMatch`	How to evaluate multiple keywords. Allowed values: `any`, `all`.	`string`	`all`	No

`request.timeFilter` fields#

Field	Description	Type	Default	Required
`timeField`	Which alarm time field(s) the range applies to. Allowed values: `createdTimestamp`, `lastUpdatedTimestamp`, `lastCheckTimestamp`, `nextCheckTimestamp`, `all`.	`array<string>`	`["lastUpdatedTimestamp"]`	No
`startTime`	Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as `startOfDay - 1 day`.	`string`	None	No
`endTime`	End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as `now`.	`string`	None	No
`timeMatchStrategy`	How to evaluate multiple `timeField` values. Allowed values: `any`, `all`. Mainly relevant when more than one time field is provided.	`string`	`any`	No

`request.page` fields#

Field	Description	Type	Default	Required
`limit`	Maximum number of items per page. Accepted range: `1` to `100`.	`number`	`25`	No
`offset`	Number of items to skip before returning results. Must be `0` or greater.	`number`	`0`	No

Usage notes

If your request is a search, the LLM may first use generateArgusAlarmSearchQuery to shape and validate the query.
If you want alarm security signature mapping details included in the results, ask for that explicitly so the LLM can enable includeMappings.
If you want more than one page of results, ask the LLM to continue fetching more pages. The tool itself returns one page at a time.
For descending sorting, the LLM can use a - prefix such as -lastUpdatedTimestamp.
Exact fields such as signature, reference, and label keep the requested text literally. For looser text matching, ask for keyword matching instead.

Tool: `executeSearchArgusAttackCategory`#

Purpose

Retrieve Argus attack-category search results for the search criteria the LLM has prepared.

Arguments

Field	Description	Type	Default	Required
`request`	The full attack-category search definition the LLM builds from your request.	`object`	None	Yes

`request` fields#

Field	Description	Type	Default	Required
`idOrShortName`	Match attack categories by any of the specified IDs or short names.	`array<string>`	None	No
`keywordFilter`	Keyword-based matching across attack-category text fields.	`object`	None	No
`timeFilter`	Time-based narrowing for attack-category search.	`object`	None	No
`page`	Pagination settings.	`object`	`{ "limit": 25, "offset": 0 }`	No
`sortBy`	Sort order list. Use list order as priority. Prefix with `-` for descending.	`array<string>`	None	No

`request.keywordFilter` fields#

Field	Description	Type	Default	Required
`keywords`	Search terms to match.	`array<string>`	None	No
`keywordField`	Which attack-category keyword fields to search. Allowed values: `id`, `shortName`, `name`, `info`, `all`.	`array<string>`	`["all"]`	No
`keywordMatch`	How to evaluate multiple keywords. Allowed values: `any`, `all`.	`string`	`all`	No

`request.timeFilter` fields#

Field	Description	Type	Default	Required
`timeField`	Which attack-category time field(s) the range applies to. Allowed values: `createdTimestamp`, `lastUpdatedTimestamp`, `all`.	`array<string>`	`["lastUpdatedTimestamp"]`	No
`startTime`	Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as `startOfDay - 1 day`.	`string`	None	No
`endTime`	End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as `now`.	`string`	None	No
`timeMatchStrategy`	How to evaluate multiple `timeField` values. Allowed values: `any`, `all`. Mainly relevant when more than one time field is provided.	`string`	`any`	No

`request.page` fields#

Field	Description	Type	Default	Required
`limit`	Maximum number of items per page. Accepted range: `1` to `100`.	`number`	`25`	No
`offset`	Number of items to skip before returning results. Must be `0` or greater.	`number`	`0`	No

Usage notes

If your request is a search, the LLM may first use generateArgusAttackCategorySearchQuery to shape and validate the query.
If you want more than one page of results, ask the LLM to continue fetching more pages. The tool itself returns one page at a time.
For descending sorting, the LLM can use a - prefix such as -info.
idOrShortName is the direct ID or short-name filter. Use keywordFilter when the request asks for text matching in names or information fields.

Argus Alarm MCP Tools#

General Notes#

Tool: executeSearchArgusAlarm#

request fields#

request.keywordFilter fields#

request.timeFilter fields#

request.page fields#

Tool: executeSearchArgusAttackCategory#

request fields#

request.keywordFilter fields#

request.timeFilter fields#

request.page fields#

Tool: `executeSearchArgusAlarm`#

`request` fields#

`request.keywordFilter` fields#

`request.timeFilter` fields#

`request.page` fields#

Tool: `executeSearchArgusAttackCategory`#

`request` fields#

`request.keywordFilter` fields#

`request.timeFilter` fields#

`request.page` fields#