Argus Event MCP Tools#

These MCP tools let you retrieve Argus events from the event API.

They support three common tasks:

list events associated with a case
search events using a structured request
fetch one event by its event identifier

General Notes#

Use these tools when you want the LLM to retrieve event data from Argus APIs.
If you ask the LLM to search for events, it may first use the event search translator tools to construct the search request and then use the search tool to fetch results.
Search results are paginated. limit controls how many results to return, and offset controls where the page starts.
Keep the page size between 1 and 100.
Each search tool call returns only one page of results. It does not automatically fetch additional pages.
When more results may exist, the response includes pagination metadata under page, such as nextOffset, stop, and reason, which the LLM can use if you ask it to continue.

Tool: `getEventsAssociatedWithCase`#

Purpose

List Argus events associated with a specific case.

Arguments

Field	Description	Type	Default	Required
`caseID`	The case ID whose associated events should be returned.	`number`	None	Yes
`limit`	Maximum number of events to return in this call. Use `1` to `100`.	`number`	`25`	Yes
`offset`	Number of matching events to skip before returning results. Use this for pagination.	`number`	`0`	Yes

Usage notes

For more than 100 results, make repeated calls with increasing offset.
A common paging pattern is: next offset = previous offset + limit.

Tool: `executeSearchArgusEvent`#

Purpose

Retrieve Argus event search results for the search criteria the LLM has prepared.

Arguments

Field	Description	Type	Default	Required
`request`	The full event search definition the LLM builds from your request.	`object`	None	Yes
`includeProperties`	Whether event properties should be included in the returned results.	`boolean`	`false`	Yes

`request` fields#

Field	Description	Type	Default	Required
`associateCaseID`	Return events associated with any of these case IDs. `0` means events with no associated case.	`array<number>`	None	No
`attack`	Attack-related filter criteria. Each item is one criterion.	`array<object>`	None	No
`customer`	Match events belonging to any of the specified customers, using customer ID or short name.	`array<string>`	None	No
`domainName`	Match events with any of the specified domain names.	`array<string>`	None	No
`endpoint`	Endpoint-related filter criteria for source or destination endpoints.	`array<object>`	None	No
`severity`	Match event severity values. Allowed values: `low`, `medium`, `high`, `critical`.	`array<string>`	None	No
`eventIdentifier`	Match specific event identifiers.	`array<string>`	None	No
`type`	Match event types. Allowed values: `aggregated`, `raw`.	`array<string>`	None	No
`timeFilter`	Time-based narrowing for the event search.	`object`	`{ "timeField": ["created"], "startTime": "startOfDay", "endTime": "now", "timeMatchStrategy": "any" }`	No
`includeEventFlag`	Event flags that must all be present on a matching event.	`array<string>`	None	No
`excludeEventFlag`	Event flags that must not be present on a matching event.	`array<string>`	None	No
`property`	Event property filter criteria.	`array<object>`	None	No
`page`	Pagination settings for the event search.	`object`	`{ "limit": 25, "offset": 0 }`	No
`sortBy`	Sort order list. Use list order as priority. Prefix with `-` for descending.	`array<string>`	None	No

`request.attack[]` fields#

Field	Description	Type	Default	Required
`alarm`	Match events triggered by any of these alarms, using alarm ID or short name.	`array<string>`	None	No
`attackCategory`	Match events triggered by any of these attack categories, using ID or short name.	`array<string>`	None	No
`signature`	Match events triggered by any of these security signatures.	`array<string>`	None	No
`exclude`	Negate this criterion.	`boolean`	`false`	No
`required`	Whether this criterion must be combined with other criteria using AND instead of OR.	`boolean`	`true`	No

`request.endpoint[]` fields#

Field	Description	Type	Default	Required
`countryCode`	Match endpoint country codes.	`array<string>`	None	No
`endpointFieldStrategy`	Which endpoint side to search. Allowed values: `source`, `destination`, `all`.	`string`	`all`	No
`ip`	Match endpoint IPs or CIDR networks. Supports IPv4, IPv6, and CIDR notation.	`array<string>`	None	No
`minMaskBits`	Minimum CIDR prefix length to match. Useful to exclude broad subnets.	`number`	None	No
`port`	Match endpoint ports.	`array<number>`	None	No
`includeEndpointFlag`	Endpoint flags that must all be present.	`array<string>`	None	No
`excludeEndpointFlag`	Endpoint flags that must not be present.	`array<string>`	None	No
`exclude`	Negate this criterion.	`boolean`	`false`	No
`required`	Whether this criterion must be combined with other criteria using AND instead of OR.	`boolean`	`false`	No

`request.timeFilter` fields#

Field	Description	Type	Default	Required
`timeField`	Which event time field(s) the range applies to. Allowed values: `created`, `lastUpdated`, `firstAssessment`, `enginePersisted`, `firstEvent`, `lastEvent`, `published`, `all`.	`array<string>`	`["created"]`	No
`startTime`	Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as `startOfDay - 1 day`.	`string`	`startOfDay`	No
`endTime`	End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as `now`.	`string`	`now`	No
`timeMatchStrategy`	How to evaluate multiple `timeField` values. Allowed values: `any`, `all`.	`string`	`any`	No

`request.property[]` fields#

Field	Description	Type	Default	Required
`key`	Property key to match.	`string`	None	Yes
`value`	Property values to match against the key.	`array<string>`	None	Yes
`valueMatchStrategy`	How to combine multiple values. Allowed values: `any`, `all`.	`string`	`any`	No
`valueSearchStrategy`	How to compare each value. Allowed values: `tokenized`, `exact`.	`string`	`exact`	No
`exclude`	Negate this criterion.	`boolean`	`false`	No
`required`	Whether this criterion must be combined with other criteria using AND instead of OR.	`boolean`	`false`	No

`request.page` fields#

Field	Description	Type	Default	Required
`limit`	Maximum number of items per page. Accepted range: `1` to `100`.	`number`	`25`	No
`offset`	Number of items to skip before returning results. Must be `0` or greater.	`number`	`0`	No

Usage notes

If your request is a search rather than a direct event lookup, the LLM may first use the event search translator tools to shape the query.
Event search pagination supports 1 to 100 items per page.
If you want more than one page of results, ask the LLM to continue fetching more pages. The tool itself returns one page at a time.
For descending sorting, the LLM can use a - prefix such as -createdTimestamp.
Event identifiers follow the format timestamp/customerID/eventID.
If you want event properties included in the results, ask for that explicitly.

Tool: `getArgusEventByIdentifier`#

Purpose

Fetch full event details for one specific event identifier.

Arguments

Field	Description	Type	Default	Required
`eventIdentifierString`	The event identifier to look up. Use the format `timestamp/customerID/eventID`.	`string`	None	Yes

Usage notes

Example values:
1762428410440/1/b18fb75e-0587-4570-a467-092a503f9294
1762428470222/99/e8e20057-5c0a-4623-8593-3ccf860b9a59

Argus Event MCP Tools#

General Notes#

Tool: getEventsAssociatedWithCase#

Tool: executeSearchArgusEvent#

request fields#

request.attack[] fields#

request.endpoint[] fields#

request.timeFilter fields#

request.property[] fields#

request.page fields#

Tool: getArgusEventByIdentifier#

Tool: `getEventsAssociatedWithCase`#

Tool: `executeSearchArgusEvent`#

`request` fields#

`request.attack[]` fields#

`request.endpoint[]` fields#

`request.timeFilter` fields#

`request.property[]` fields#

`request.page` fields#

Tool: `getArgusEventByIdentifier`#