Argus Asset Search Translator MCP Tools#

This document describes the MCP tools available for Argus asset search and asset statistics translation.

These tools help users:

  • build an Argus asset search query payload

  • build an Argus asset statistics query payload

  • discover valid values for asset search sorting

  • validate pagination and sorting before retrieving results

General Notes#

  • Use these tools when you want the LLM to turn your asset search or asset statistics intent into a valid query.

  • Argus assets represent entities monitored and protected for a customer. Asset definitions describe which data components an asset type can contain.

  • Asset searches and statistics must be scoped to an asset definition. Supported values are HostAsset and QualysHostAsset; the default is HostAsset.

  • If sorting is involved, the LLM can look up the allowed sortBy values before building the search query.

  • Returned allowed values are case-sensitive, so the LLM should keep them exactly as returned.

  • If you want actual search results or calculated statistics after building a query, the LLM can then use the asset execution tools with the same search or statistics intent.

Tool: generateArgusAssetSearchQuery#

Purpose

Generate an Argus asset search query from your search intent. The result is the generated asset search JSON.

Arguments

Field

Description

Type

Default

Required

request

The full asset search definition the LLM builds from your request.

object

None

Yes

assetDefinition

Asset definition to search. Allowed values: HostAsset, QualysHostAsset.

string

HostAsset

Yes

request fields#

Field

Description

Type

Default

Required

customer

Match assets belonging to any of the specified customers, using customer ID or short name.

array<string>

None

No

idOrShortName

Match assets by any of the specified asset IDs or short names.

array<string>

None

No

dataSource

Match assets detected or reported by any of these data sources, using ID or short name.

array<string>

None

No

componentFilter

Component-based asset filters. Each item targets one component definition.

array<object>

None

No

vulnerabilityFilter

Vulnerability-based filters, including severity, CIA impact, CVSS, references, IDs, and resolution.

object

None

No

timeFilter

Time-based narrowing for asset search.

object

{ "timeField": ["lastUpdatedTimestamp"], "startTime": "startOfDay", "endTime": "now", "timeMatchStrategy": "any" }

No

keywordFilter

Keyword-based matching across asset and vulnerability fields.

object

None

No

userFilter

User or user-group related asset filters.

object

None

No

groupFilter

Asset group membership filters.

object

None

No

includeFlags

Asset flags that must all be present. Allowed values: hasHighVulnerability, hasCriticalVulnerability, exploitAvailable.

array<string>

None

No

excludeFlags

Asset flags that must not be present. Exclusion still applies even if included flags match. Allowed values: hasHighVulnerability, hasCriticalVulnerability, exploitAvailable.

array<string>

None

No

page

Pagination settings.

object

{ "limit": 25, "offset": 0 }

No

sortBy

Sort order list. Use list order as priority. Prefix with - for descending. When sorting is involved, the LLM can look up the allowed sort values behind the scenes.

array<string>

None

No

request.componentFilter[] fields#

Field

Description

Type

Default

Required

componentDefinition

Component definition ID or name.

string

None

No

value

Component values to match for the specified component definition. Any listed value may match.

array<string>

None

No

request.vulnerabilityFilter fields#

Field

Description

Type

Default

Required

vulnerabilityID

Vulnerability identifiers affecting the asset.

array<string>

None

No

vulnerabilityReference

Vulnerability references to match.

array<string>

None

No

vulnerabilityResolution

Vulnerability resolution states. Allowed values: unresolved, accepted, temporarilyAccepted, falsePositive, serviceNotAvailable, noLongerVulnerable.

array<string>

None

No

vulnerabilitySeverity

Overall vulnerability risk severity. Allowed values: unknown, low, medium, high, critical.

array<string>

None

No

confidentiality

CIA confidentiality impact level. Allowed values: unknown, low, medium, high, critical. Do not use this as the overall risk severity.

array<string>

None

No

availability

CIA availability impact level. Allowed values: unknown, low, medium, high, critical. Do not use this as the overall risk severity.

array<string>

None

No

integrity

CIA integrity impact level. Allowed values: unknown, low, medium, high, critical. Do not use this as the overall risk severity.

array<string>

None

No

minimumTotalCVSS

Match assets whose total vulnerability CVSS score is greater than this value.

number

None

No

maximumTotalCVSS

Match assets whose total vulnerability CVSS score is less than this value.

number

None

No

request.timeFilter fields#

Field

Description

Type

Default

Required

timeField

Which asset or vulnerability time field(s) the range applies to. Allowed values: assetAll, firstSeenTimestamp, lastSeenTimestamp, lastScanTimestamp, createdTimestamp, lastUpdatedTimestamp, deletedTimestamp, expireTimestamp, vulnerabilityAll, vulnerabilityResolutionTimestamp, vulnerabilityResolutionExpiryTimestamp, vulnerabilityFirstSeenTimestamp, vulnerabilityLastSeenTimestamp, vulnerabilityExpireTimestamp, vulnerabilityCreatedTimestamp, vulnerabilityLastUpdatedTimestamp, vulnerabilityDeletedTimestamp, exploitAvailable, all.

array<string>

["lastUpdatedTimestamp"]

No

startTime

Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as startOfDay - 1 day.

string

startOfDay

No

endTime

End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as now.

string

now

No

timeMatchStrategy

How to evaluate multiple timeField values. Allowed values: any, all. Mainly relevant when more than one time field is provided.

string

any

No

request.keywordFilter fields#

Field

Description

Type

Default

Required

keywords

Search terms to match.

array<string>

None

No

keywordField

Which asset keyword fields to search. Allowed values: assetAll, shortName, name, description, vulnerabilityDefinitionAll, references, vulnerabilityID, vulnerabilityName, all.

array<string>

["assetAll"]

No

keywordMatch

How to evaluate multiple keywords. Allowed values: any, all. Required when keywords are present.

string

all

No

request.userFilter fields#

Field

Description

Type

Default

Required

user

User or user-group IDs or names to match. Any listed value may match.

array<string>

None

No

userField

Which user fields to search. Allowed values: firstSeenByUser, lastSeenByUser, createdByUser, lastUpdatedByUser, deletedByUser, owner, all.

array<string>

["all"]

No

request.groupFilter fields#

Field

Description

Type

Default

Required

groupRelationship

Whether assets must have groups, must have no groups, or either is acceptable. Allowed values: hasGroup, withoutGroup, notMatter.

string

notMatter

No

assetGroup

Asset group IDs or short names. Any listed group may match.

array<string>

None

No

groupScope

Whether group matching is direct only or includes descendant groups. Allowed values: direct, subtree.

string

None

No

includeGroupInfo

Whether group information should be included in search results.

boolean

false

No

request.page fields#

Field

Description

Type

Default

Required

limit

Maximum number of items per page. Accepted range: 1 to 100.

number

25

No

offset

Number of items to skip before returning results. Must be 0 or greater.

number

0

No

Usage notes

  • Asset search pagination supports 1 to 100 items per page. Values outside that range will fail.

  • For descending sorting, the LLM can use a - prefix such as -lastUpdatedTimestamp.

  • Use vulnerabilitySeverity for overall risk severity. Use confidentiality, availability, or integrity only for CIA impact-specific filtering.

Tool: generateArgusAssetStatisticsQuery#

Purpose

Generate an Argus asset statistics query from your statistics intent. The result is the generated asset statistics JSON.

Arguments

Field

Description

Type

Default

Required

request

The full asset statistics definition the LLM builds from your request.

object

None

Yes

assetDefinition

Asset definition to calculate statistics for. Allowed values: HostAsset, QualysHostAsset.

string

HostAsset

Yes

request fields#

Field

Description

Type

Default

Required

filter

Filters used to choose the asset population before statistics are calculated. It supports the same filter fields as asset search, except pagination and sorting.

object

Empty filter with default time range

No

assetStatistics

Statistics and aggregations to generate over the filtered assets. At least one output instruction is needed for a meaningful statistics query.

object

Empty statistics request

Yes

request.assetStatistics fields#

Field

Description

Type

Default

Required

timeRangeMetrics

Time-based metrics over filtered assets. Use for requests such as assets created per day or last seen per week.

array<object>

None

No

numericMetrics

Numeric summary metrics over supported asset fields.

array<object>

None

No

groupBy

Fields to group statistics by. List order controls the hierarchy.

array<object>

None

No

At least one of timeRangeMetrics, numericMetrics, or groupBy should be present.

request.assetStatistics.timeRangeMetrics[] fields#

Field

Description

Type

Default

Required

name

Unique name for this metric in the statistics request. Use a short name with letters, numbers, underscore, colon, dot, or dash.

string

Generated if omitted

No

timestampField

Timestamp field used for the metric. Allowed values: created, deleted, lastSeen, lastUpdated.

string

None

Yes

resolution

Time bucket resolution. Allowed values: hour, day, week, month, year.

string

None

No

includeEmptyBuckets

Whether empty time buckets should appear in the result.

boolean

None

No

request.assetStatistics.numericMetrics[] fields#

Field

Description

Type

Default

Required

numericField

Numeric asset field to summarize. Allowed values: vulnerabilities, cvss.

string

None

Yes

request.assetStatistics.groupBy[] fields#

Field

Description

Type

Default

Required

field

Asset field to group by. Allowed values: customer, assetGroup.

string

None

Yes

limit

Maximum number of buckets for this group level.

number

25

No

Usage notes

  • Statistics results are scoped trees, not flat lists. When grouping is used, each child bucket is constrained by its parent buckets.

  • If no filter time range is requested, the LLM can omit it and let the default filter time range apply.

  • Do not use the statistics query for a plain asset list. Use asset search when the user asks to retrieve assets.

Tool: listArgusAssetSearchSortBy#

Purpose

Return the allowed sortBy values for Argus asset search.

Arguments

This tool takes no arguments.

Current returned values

id, customerID, shortName, name, ownerID, firstSeenTimestamp, lastSeenTimestamp, lastScanTimestamp, createdTimestamp, lastUpdatedTimestamp, deletedTimestamp, totalCVSS, vulnerabilitiesCount