Argus Data Store MCP Tools#

These tools let the LLM retrieve Argus datastore metadata and centrally managed datastore entries used by detection rules.

They support two common tasks:

General Notes#

Use these tools when you want the LLM to inspect an Argus datastore descriptor or look up a specific datastore entry value.
Datastores are used by detection rules and may be structured as either maps or lists.
The descriptor controls whether entry lookup is valid and which customer value must be used.
The LLM should fetch the datastore descriptor before trying to fetch entries if the descriptor has not already been checked.
Only datastores with behaviourType = CENTRAL can have entries fetched through these MCP tools.
If behaviourType = LOCAL, the datastore descriptor exists, but entries are managed inside distributed detection pipeline environments and are not accessible through MCP tools.
If globalData = true, entry lookup must use customerID = 0 because the datastore is global.
If globalData = false, entry lookup must use a valid Argus customer ID because the datastore is customer-scoped.
Tool results are live Argus API results. The LLM should treat them as the source of truth and not infer missing datastore values.

Detection rules can refer to datastores in patterns such as:

The MCP tools expose descriptor lookup and individual entry lookup. They do not expose full datastore enumeration in this tool surface.

Descriptor field	Allowed values	How it affects later lookup
`behaviourType`	`CENTRAL`, `LOCAL`	`CENTRAL` allows entry lookup through MCP when permissions allow it. `LOCAL` means entry values cannot be fetched through MCP.
`dataType`	`MAP`, `LIST`	Describes whether the datastore stores key-value data or a collection of values. Entry lookup still uses an entry key.
`globalData`	`true`, `false`	`true` means the entry lookup should use `customerID = 0`. `false` means the entry lookup should use a real Argus customer ID.

Purpose

Fetch the Argus datastore descriptor for a datastore name. The descriptor explains the datastore’s structure, scope, and management model.

Arguments

Field	Description	Type	Default	Required
`dataStoreName`	Name of the datastore descriptor to fetch.	`string`	None	Yes

Usage Notes

Blank or missing datastore names fail validation.
The descriptor should be checked before entry lookup so the LLM does not assign the wrong customer scope or try to fetch a LOCAL datastore entry.
For LOCAL datastores, the LLM should explain that the descriptor exists but entries cannot be fetched through MCP.
For CENTRAL datastores, the LLM can continue to entry lookup when it also has the entry key and the correct customer scope.

Purpose

Fetch one Argus datastore entry by datastore name, entry key, and customer scope. If the entry is not found, the returned data may be null.

Arguments

Field	Description	Type	Default	Required
`dataStoreName`	Name of the datastore. Must match the descriptor name.	`string`	None	Yes
`entryKey`	Key of the datastore entry to fetch.	`string`	None	Yes
`customerID`	Customer scope for the entry lookup. Use `0` only when the descriptor has `globalData = true`. Use a valid Argus customer ID when the descriptor has `globalData = false`.	`number`	None	Yes

Usage Notes

Blank or missing datastore names fail validation.
Blank or missing entry keys fail validation.
The LLM should verify the datastore descriptor first if it has not already done so.
Entry lookup is only appropriate for CENTRAL datastores.
Do not use customerID = 0 for customer-scoped datastores where globalData = false.
Do not use a real customer ID for global datastores where globalData = true; use 0 instead.
If the entry is not found, the tool can return a response where the entry data is null; this should be reported plainly instead of guessing a value.