Argus Case Search Translator MCP Tools#

These MCP tools help you build and validate Argus case search queries.

They support two main needs:

  • generate a structured case search query

  • discover valid values for flags, workflows, and sorting fields before building the query

General Notes#

  • Use this tool when you want the LLM to turn your case-search intent into a valid search query.

  • Describe what you want to find in plain language, and the LLM can use the request fields in this document to build the search.

  • If your request involves case flags, service flags, workflows, or sorting, the LLM can look up the allowed values before building the query.

  • This applies to includeCaseFlag, excludeCaseFlag, serviceFilter.includeCaseServiceFlag, serviceFilter.excludeCaseServiceFlag, sortBy, and workflow[].flow.

  • The returned values are case-sensitive, so the LLM should keep them exactly as returned.

  • If you want actual search results after building the query, the LLM can then use the case search execution tool with the same search intent.

Tool: generateArgusCaseSearchQuery#

Purpose

Generate an Argus case search query from your search intent.

Arguments

Argument: request#

High-level purpose: the full case search definition the LLM builds from your request.

  • Type: object

  • Required: Yes

  • Default: None

request fields#

Field

Description

Type

Default

Required

asset

Match cases associated with any of the specified assets, using asset ID or short name.

array<string>

None

No

customer

Match cases belonging to any of the specified customers, using customer ID or short name.

array<string>

None

No

caseID

Match specific case IDs.

array<number>

None

No

type

Match case types. Allowed values: securityIncident, operationalIncident, information, change.

array<string>

None

No

serviceFilter

Match case service criteria.

object

None

No

category

Match case categories, using category ID or short name.

array<string>

None

No

currentPriority

Match current priority values. Allowed values: low, medium, high, critical.

array<string>

None

No

initialPriority

Match initial priority values. Allowed values: low, medium, high, critical.

array<string>

None

No

currentStatus

Match current case status values.

array<string>

None

No

initialStatus

Match initial case status values.

array<string>

None

No

timeFilter

Time-based narrowing for case search.

object

{ "timeField": ["all"], "startTime": "startOfDay", "endTime": "now", "timeMatchStrategy": "any" }

No

tag

Tag-based case filter criteria.

array<object>

None

No

workflow

Workflow-based case filter criteria.

array<object>

None

No

caseField

Case field metadata filter criteria.

array<object>

None

No

keywordFilter

Keyword-based search across case text fields.

object

None

No

userFilter

User or user-group based case filtering.

object

None

No

userAssigned

Filter specifically on whether a user is assigned.

boolean

None

No

techAssigned

Filter specifically on whether technical personnel is assigned.

boolean

None

No

caseAccessMode

Match case access modes. Allowed values: roleBased, readRestricted, writeRestricted, explicit.

array<string>

None

No

caseExplicitAccessFilter

Match explicit-access grant criteria. When multiple criteria are provided, all must match.

array<object>

None

No

includeCaseFlag

Case flags that must all be present. When this filter is involved, the LLM can look up the allowed flag values behind the scenes.

array<string>

None

No

excludeCaseFlag

Case flags that must not be present. When this filter is involved, the LLM can look up the allowed flag values behind the scenes.

array<string>

None

No

page

Pagination settings.

object

{ "limit": 25, "offset": 0 }

No

sortBy

Sort order list. Use list order as priority. Prefix with - for descending. When sorting is involved, the LLM can look up the allowed sort values behind the scenes.

array<string>

None

No

request.serviceFilter fields#

Field

Description

Type

Default

Required

caseService

Match cases with any of these case service IDs or short names.

array<string>

None

No

includeCaseServiceFlag

Service flags that must all be present. When this filter is involved, the LLM can look up the allowed flag values behind the scenes.

array<string>

None

No

excludeCaseServiceFlag

Service flags that must not be present. When this filter is involved, the LLM can look up the allowed flag values behind the scenes.

array<string>

None

No

request.timeFilter fields#

Field

Description

Type

Default

Required

timeField

Which case time field(s) the range applies to. Allowed values: createdTimestamp, lastUpdatedTimestamp, closedTimestamp, publishedTimestamp, customerDueTimestamp, techDueTimestamp, all.

array<string>

["all"]

No

startTime

Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as startOfDay - 1 day.

string

startOfDay

No

endTime

End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as now.

string

now

No

timeMatchStrategy

How to evaluate multiple timeField values. Allowed values: any, all.

string

any

No

request.tag[] fields#

Field

Description

Type

Default

Required

tagKey

The exact tag key or name to search for.

string

None

Yes

value

Tag values to match. Optional when checking only whether the tag exists.

array<string>

None

No

searchCondition

How to apply this tag criterion. Allowed values: MATCH, NEGATE, EXCLUDE_TAG.

string

None

Yes

request.workflow[] fields#

Field

Description

Type

Default

Required

flow

Workflow token to match. When this filter is involved, the LLM can look up the allowed workflow values behind the scenes.

string

None

Yes

acknowledgeStatus

Workflow acknowledgement filter. Allowed values: acknowledged, unacknowledged, all.

string

all

No

exclude

Negate this criterion.

boolean

false

No

request.caseField[] fields#

Field

Description

Type

Default

Required

fieldName

The exact case field name to search for.

string

None

Yes

value

Field values to match. Optional when checking only whether the field exists.

array<string>

None

No

searchCondition

How to apply this field criterion. Allowed values: MATCH, NEGATE, EXCLUDE_FIELD.

string

None

Yes

request.keywordFilter fields#

Field

Description

Type

Default

Required

keywords

Search terms to match.

array<string>

None

No

keywordField

Which case text fields to search. Allowed values: subject, description, comments, customerReference, id, all.

array<string>

None

No

keywordMatch

How to evaluate multiple keywords. Allowed values: any, all.

string

None

No

request.userFilter fields#

Field

Description

Type

Default

Required

user

User IDs, user names, or user-group names to match.

array<string>

None

No

userField

Which user-related case fields to search. Allowed values: reporter, assignedUser, assignedTech, createdByUser, lastUpdatedByUser, closedByUser, publishedByUser, commentedByUser, watchedByUser, all.

array<string>

["all"]

No

request.caseExplicitAccessFilter[] fields#

Field

Description

Type

Default

Required

startTime

Match cases with explicit access granted after this time. Uses the same time formats as other time filters.

string

None

No

endTime

Match cases with explicit access granted before this time. Uses the same time formats as other time filters.

string

None

No

accessLevel

Match explicit access levels. Allowed values: read, write, owner.

array<string>

None

No

user

User IDs, user names, or user-group names whose explicit access grants should match.

array<string>

None

No

includeAncestor

Whether to include the specified users and their ancestors when matching access grants.

boolean

false

No

request.page fields#

Field

Description

Type

Default

Required

limit

Maximum number of items per page. Accepted range: 1 to 100.

number

25

No

offset

Number of items to skip before returning results. Must be 0 or greater.

number

0

No

Usage notes

  • Case search pagination supports 1 to 100 items per page. Values outside that range will fail.

  • For descending sorting, the LLM can use a - prefix such as -createdTimestamp.

  • currentStatus and initialStatus support: pendingCustomer, pendingSoc, pendingVendor, workingSoc, workingCustomer, pendingClose, closed.

  • Tag and case-field filters support both value matching and existence checks.

Tool: listArgusCaseFlags#

Purpose

Return the allowed case flag values for case search.

Arguments

This tool takes no arguments.

Current returned values

DELETED, EXTERNAL_SYNC, HAS_ATTACHMENT, INTERNAL, MAIL_UPDATE, MERGED, NOTIFIED, PUBLISHED, SUBMITTED_BY_ANONYMOUS_USER, SUBMITTED_BY_OTHER_USER, DEFAULT_CONTACTS, DESCRIPTION_EDITED, SUBMITTED_BY_TECH, SUBJECT_EDITED, HAS_EVENTS, TEST_DATA, HAS_COMMENTS, REOPENED, CREATED_AS_PUBLISHED

Tool: listArgusCaseSearchSortBy#

Purpose

Return the allowed sortBy values for case search.

Arguments

This tool takes no arguments.

Current returned values

id, reporter, createdByUser, createdTimestamp, lastUpdatedByUser, lastUpdatedTimestamp, assignedUser, assignedTech, closedByUser, closedTimestamp, customerDueTimestamp, techDueTimestamp, publishedByUser, publishedTimestamp, customer, priority, status, type, service, category, subject

Tool: listArgusCaseServiceFlags#

Purpose

Return the allowed case service flag values for service filtering within case search.

Arguments

This tool takes no arguments.

Current returned values

DELETED, HANDLED_BY_SOC, MONITORED_BY_SOC_OUTSIDE_OFFICEHOURS, DEPRECATED, EVENT_ENABLED

Tool: listArgusCaseWorkflow#

Purpose

Return the allowed workflow values for case search.

Arguments

This tool takes no arguments.

Current returned values

validation, nocValidation, tuning, escalation, customerUpdate, escalateTI, escalateNSA, escalateLog, escalateInfra, escalateDetection, escalateOperations, escalateMSI, escalateMSIAnalyst, severityAlert, slaViolation, internalSlaViolation, delegateToSOC, escalateDEV, escalateTRS, escalateMSSAnalyst, escalateTAM, qaValidation, socAnalysis, escalateO3C