# Argus Annotation Filter Search Translator MCP Tools

This document describes the MCP tools available for Argus annotation filter search translation.

These tools help users:

- build an Argus annotation filter search query payload
- discover valid values for annotation filter sorting
- validate search pagination and sort fields before retrieving results
## General Notes

Use these tools when you want the LLM to turn your annotation-filter search intent into a valid search query.

Argus annotation filters define detection rules that identify relevant events from the real-time security event stream and can transform matching events.

Describe what you want to find in plain language, and the LLM can use the request fields in this document to build the search.

If sorting is involved, the LLM can look up the allowed `sortBy` values before building the query. Returned allowed values are case-sensitive, so the LLM should keep them exactly as returned.

If you want actual search results after building the query, the LLM can then use the annotation filter search execution tool with the same search intent.
## Tool: generateArgusAnnotationFilterSearchQuery

### Purpose

Generate an Argus annotation filter search query from your search intent. The result is the generated annotation filter search JSON.

### Arguments

#### Argument: request

High-level purpose: the full annotation filter search definition the LLM builds from your request.

- Type: object
- Required: Yes
- Default: None
#### request fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
|  | Match annotation filters by any of these filter IDs. |  | None | No |
|  | Match annotation filters belonging to any of the specified customers, using customer ID or short name. |  | None | No |
|  | When customer filtering is used, also include parent customers. |  |  | No |
|  | When customer filtering is used, also include child customers. |  |  | No |
|  | Annotation filter flags that must all be present. Allowed values: |  | None | No |
|  | Annotation filter flags that must not be present. Exclusion still applies even if included flags match. Allowed values: |  | None | No |
|  | Keyword-based matching across annotation filter fields. |  | None | No |
|  | Time-based narrowing for annotation filter search. |  | None | No |
|  | Whether statement and trigger code should be included in the result objects. |  |  | No |
|  | Pagination settings. |  |  | No |
|  | Sort order list. Use list order as priority. Prefix with |  | None | No |
#### request.keywordFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
|  | Search terms to match. |  | None | No |
|  | Which annotation filter keyword fields to search. Allowed values: |  |  | No |
|  | How to evaluate multiple keywords. Allowed values: |  |  | No |
#### request.timeFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
|  | Which annotation filter time field(s) the range applies to. Allowed values: |  |  | No |
|  | Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as |  | None | No |
|  | End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as |  |  | No |
|  | How to evaluate multiple |  |  | No |
#### request.page fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
|  | Maximum number of items per page. Accepted range: |  |  | No |
|  | Number of items to skip before returning results. Must be |  |  | No |
### Usage notes

- Annotation filter search pagination supports 1 to 100 items per page. Values outside that range will fail.
- For descending sorting, the LLM can use a `-` prefix such as `-lastUpdated`.
- To search statement text, the LLM can use `preStatement1`, `preStatement2`, and `statementCode`.
- Ask explicitly if you want annotation filter statement and trigger code included in search results, so the LLM can enable `includeCode`.
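As an added example (not part of this tool documentation), a client-side pre-check in Python that encodes the rules stated in the usage notes and in the General Notes: `sortBy` entries must match the values returned by `listArgusAnnotationFilterSearchSortBy` exactly (case-sensitive), may carry a `-` prefix for descending order, and the page size must lie between 1 and 100. The allowed values are hard-coded from that tool's currently returned values, and the page size is passed as a plain integer because this page does not name the `request.page` keys.

```python
# Added example, not part of the Argus MCP tool documentation.
# Allowed sortBy values as currently returned by listArgusAnnotationFilterSearchSortBy.
ALLOWED_SORT_BY = ("id", "name", "created", "lastUpdated")
# Documented page-size range for annotation filter search.
MIN_PAGE_SIZE, MAX_PAGE_SIZE = 1, 100


def validate_sort_by(sort_by):
    """Return a list of problems with a sortBy list (empty list means valid).

    Each entry is an allowed field name, optionally prefixed with '-' for
    descending order. Matching is case-sensitive, as the documentation requires,
    so a near miss such as 'lastupdated' is reported with a hint, not accepted.
    """
    problems = []
    seen = set()
    for entry in sort_by:
        if not isinstance(entry, str) or entry in ("", "-"):
            problems.append(f"sortBy entry must be a non-empty string: {entry!r}")
            continue
        field = entry[1:] if entry.startswith("-") else entry
        if field not in ALLOWED_SORT_BY:
            hint = ""
            for allowed in ALLOWED_SORT_BY:
                if allowed.lower() == field.lower():
                    hint = f" (did you mean {allowed!r}? values are case-sensitive)"
            problems.append(f"unknown sortBy field {field!r}{hint}")
        elif field in seen:
            problems.append(f"duplicate sortBy field {field!r}")
        seen.add(field)
    return problems


def validate_page_size(limit):
    """Check the per-page item count against the documented 1..100 range.

    Assumption: the value is taken as a plain integer because this page does
    not name the request.page keys, so no JSON key is assumed here.
    """
    if isinstance(limit, bool) or not isinstance(limit, int):
        return [f"page size must be an integer, got {limit!r}"]
    if not MIN_PAGE_SIZE <= limit <= MAX_PAGE_SIZE:
        return [f"page size {limit} is outside {MIN_PAGE_SIZE}..{MAX_PAGE_SIZE}"]
    return []


def validate_search_request(sort_by, limit):
    """Run both checks; an empty result means the query is safe to execute."""
    return validate_sort_by(sort_by) + validate_page_size(limit)
```

Run the checks before calling the search execution tool so that a case mismatch or an out-of-range page size is caught locally instead of failing at the API.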
## Tool: listArgusAnnotationFilterSearchSortBy

### Purpose

Return the allowed `sortBy` values for Argus annotation filter search.

### Arguments

This tool takes no arguments.

### Current returned values

`id`, `name`, `created`, `lastUpdated`