Argus Alarm Search Translator MCP Tools

These MCP tools help you build and validate Argus alarm and attack-category search queries.
They support two main needs:

- generate a structured alarm or attack-category search query
- discover valid sorting fields before building the query
General Notes

Use these tools when you want the LLM to turn your alarm-search or attack-category-search intent into a valid search query.
Describe what you want to find in plain language, and the LLM can use the request fields in this document to build the search.
If your request involves sorting, the LLM can look up the allowed values before building the query. This applies to `sortBy` for both alarm and attack-category searches. The returned sort values are case-sensitive, so the LLM should keep them exactly as returned.
If you want actual search results after building the query, the LLM can then use the alarm search execution tool with the same search intent.
Tool: generateArgusAlarmSearchQuery

Purpose
Generate an Argus alarm search query from your search intent.

Arguments

Argument: request
High-level purpose: the full alarm search definition the LLM builds from your request.
Type: object
Required: Yes
Default: None

Argument: includeMappings
High-level purpose: tells the LLM whether alarm security signature mapping details should be included when it prepares the search and later fetches results.
Type: boolean
Required: Yes
Default: false
request fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Match alarms by any of the specified alarm IDs or short names. | | None | No |
| | Match alarms belonging to any of the specified attack category IDs. | | None | No |
| | Match alarms with any of the specified security signatures. This is exact matching; use | | None | No |
| | Match alarms with any of the specified references. This is exact matching; use | | None | No |
| | Match alarms with any of the specified labels. This is exact matching; use | | None | No |
| `keywordFilter` | Keyword-based matching across alarm text fields. | object | None | No |
| `timeFilter` | Time-based narrowing for alarm search. | object | None | No |
| `page` | Pagination settings. | object | | No |
| `sortBy` | Sort order list. Use list order as priority. Prefix with `-` for descending order. | | None | No |
request.keywordFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Search terms to match. | | None | No |
| | Which alarm keyword fields to search. Allowed values: | | | No |
| | How to evaluate multiple keywords. Allowed values: | | | No |
request.timeFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Which alarm time field(s) the range applies to. Allowed values: | | | No |
| | Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | None | No |
| | End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | None | No |
| | How to evaluate multiple | | | No |
request.page fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Maximum number of items per page. Accepted range: 1 to 100. | | | No |
| | Number of items to skip before returning results. Must be | | | No |
Usage notes

- If you want alarm security signature mapping details included in the results, ask for that explicitly so the LLM can enable `includeMappings`.
- Alarm search pagination supports 1 to 100 items per page. Values outside that range will fail.
- For descending sorting, the LLM can use a `-` prefix such as `-lastUpdatedTimestamp`.
- Exact fields such as `signature`, `reference`, and `label` keep the requested text literally. For looser text matching, ask for keyword matching instead.
Tool: listArgusAlarmSearchSortBy

Purpose
Return the allowed `sortBy` values for Argus alarm search.

Arguments
This tool takes no arguments.

Current returned values: `id`, `lastUpdatedTimestamp`, `description`, `attackCategory`
Tool: generateArgusAttackCategorySearchQuery

Purpose
Generate an Argus attack-category search query from your search intent.

Arguments

Argument: request
High-level purpose: the full attack-category search definition the LLM builds from your request.
Type: object
Required: Yes
Default: None
request fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `idOrShortName` | Match attack categories by any of the specified IDs or short names. | | None | No |
| `keywordFilter` | Keyword-based matching across attack-category text fields. | object | None | No |
| `timeFilter` | Time-based narrowing for attack-category search. | object | None | No |
| `page` | Pagination settings. | object | | No |
| `sortBy` | Sort order list. Use list order as priority. Prefix with `-` for descending order. | | None | No |
request.keywordFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Search terms to match. | | None | No |
| | Which attack-category keyword fields to search. Allowed values: | | | No |
| | How to evaluate multiple keywords. Allowed values: | | | No |
request.timeFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Which attack-category time field(s) the range applies to. Allowed values: | | | No |
| | Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | None | No |
| | End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | None | No |
| | How to evaluate multiple | | | No |
request.page fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Maximum number of items per page. Accepted range: 1 to 100. | | | No |
| | Number of items to skip before returning results. Must be | | | No |
Usage notes

- Attack-category search pagination supports 1 to 100 items per page. Values outside that range will fail.
- For descending sorting, the LLM can use a `-` prefix such as `-info`.
- `idOrShortName` is the direct ID or short-name filter. Use `keywordFilter` when the request asks for text matching in names or information fields.
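The sorting and pagination rules in the alarm and attack-category usage notes above are the parts of a request that most often fail silently when an LLM builds them (wrong case on a sort field, a limit of 0 or 101). The following is an added example, not code from the Argus tools or their documentation: a client-side pre-check of the `sortBy` list and the `page` block for either search kind, using the sort values the two `list...SortBy` tools currently return as listed on this page. The page key names `limit` and `offset`, and the rule that `offset` must be non-negative, are assumptions, since the page does not show them.

```python
# Added example, not part of the Argus MCP tools: validate the sortBy and page
# parts of a request before handing it to generateArgusAlarmSearchQuery or
# generateArgusAttackCategorySearchQuery.
# ASSUMPTIONS: page key names "limit"/"offset" and the "offset >= 0" rule are
# not documented on the page and are placeholders chosen for this example.

# Sort fields as returned by listArgusAlarmSearchSortBy and
# listArgusAttackCategorySearchSortBy (values taken from the documentation).
SORT_FIELDS = {
    "alarm": ("id", "lastUpdatedTimestamp", "description", "attackCategory"),
    "attackCategory": ("id", "shortName", "name", "info"),
}
PAGE_LIMIT_MIN, PAGE_LIMIT_MAX = 1, 100  # documented accepted range per page


class SearchRequestError(ValueError):
    """Raised when the request would be rejected by the search tool."""


def parse_sort_by(sort_by, search_kind):
    """Return [(field, descending), ...] in list (priority) order.

    A leading '-' selects descending order. Field matching is case-sensitive,
    as the tools require; a case-insensitive hit is only reported as a hint.
    """
    allowed = SORT_FIELDS[search_kind]
    by_lower = {f.lower(): f for f in allowed}
    parsed = []
    for entry in sort_by:
        if not isinstance(entry, str) or entry in ("", "-"):
            raise SearchRequestError(f"sortBy entry must name a field, got {entry!r}")
        descending = entry.startswith("-")
        field = entry[1:] if descending else entry
        if field not in allowed:
            msg = f"unknown sortBy field {field!r} for {search_kind} search"
            hint = by_lower.get(field.lower())
            if hint:
                msg += f"; sort values are case-sensitive, did you mean {hint!r}?"
            raise SearchRequestError(msg)
        parsed.append((field, descending))
    return parsed


def _is_int(value):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_page(page):
    """Check the page block and return the accepted keys (names assumed)."""
    if page is None:
        return {}
    checked = {}
    if "limit" in page:
        limit = page["limit"]
        if not _is_int(limit) or not PAGE_LIMIT_MIN <= limit <= PAGE_LIMIT_MAX:
            raise SearchRequestError(
                f"limit must be an integer in {PAGE_LIMIT_MIN}..{PAGE_LIMIT_MAX}, got {limit!r}")
        checked["limit"] = limit
    if "offset" in page:
        offset = page["offset"]
        if not _is_int(offset) or offset < 0:  # non-negative offset: assumed rule
            raise SearchRequestError(f"offset must be a non-negative integer, got {offset!r}")
        checked["offset"] = offset
    return checked


def validate_request(request, search_kind):
    """Validate sortBy and page for an 'alarm' or 'attackCategory' request."""
    if search_kind not in SORT_FIELDS:
        raise SearchRequestError(f"unknown search kind {search_kind!r}")
    return {
        "sortBy": parse_sort_by(request.get("sortBy", []), search_kind),
        "page": validate_page(request.get("page")),
    }


if __name__ == "__main__":
    # Constructed sample: alarm search, newest first, then by id, first 50 hits.
    sample = {"sortBy": ["-lastUpdatedTimestamp", "id"], "page": {"limit": 50, "offset": 0}}
    print(validate_request(sample, "alarm"))
```

The check runs before any call to the tools, so a mis-cased sort field such as `lastupdatedtimestamp` or an out-of-range page size is caught locally with a message that names the exact value the tool would accept.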
Tool: listArgusAttackCategorySearchSortBy

Purpose
Return the allowed `sortBy` values for Argus attack-category search.

Arguments
This tool takes no arguments.

Current returned values: `id`, `shortName`, `name`, `info`