Argus Event Search Translator MCP Tools#
This document describes the MCP tools available for Argus event search translation.
These tools help users:
- build an Argus event search query payload
- discover valid values for event flags
- discover valid values for endpoint flags
- discover valid values for event sorting
General Notes#
Use generateArgusEventSearchQuery when you want the LLM to turn your event-search intent into a valid search query.
Describe what you want to find in plain language, and the LLM can use the request fields in this document to build the search.
If your request involves event flags, endpoint flags, or sorting, the LLM can look up the allowed values before building the query. This applies to includeEventFlag, excludeEventFlag, endpoint[].includeEndpointFlag, endpoint[].excludeEndpointFlag, and sortBy. The returned values are case-sensitive, so the LLM should keep them exactly as returned (a value that differs only in case is not a valid flag).
If you want actual search results after building the query, the LLM can then use the event search execution tool with the same search intent.
Tool: generateArgusEventSearchQuery#
Purpose
Generate an Argus event search query from your search intent. The result contains:
- searchCriteria: the generated event search JSON
- searchLink: a shareable Argus portal link for the same search
Arguments
Argument: request#
High-level purpose: the full event search definition the LLM builds from your request.
Type: object (ArgusEventSearchToolRequest)
Required: Yes
Default: None
Argument: includeProperties#
High-level purpose: tells the LLM whether event properties should be included when it prepares the search and later fetches results.
Type: boolean
Required: Yes
Default: false
request fields#
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Return events associated with any of these case IDs. | | None | No |
| `attack` | Attack-related filter criteria. Each item is one criterion. By default criteria are OR-ed unless an item sets its AND-combination flag (see request.attack[] fields). | array of objects | None | No |
| | Match events belonging to any of the specified customers, using customer ID or short name. | | None | No |
| | Match events with any of the specified domain names. | | None | No |
| `endpoint` | Endpoint-related filter criteria for source or destination endpoints. | array of objects | None | No |
| | Match event severity values. Allowed values: | | None | No |
| | Match specific event identifiers, in the format timestamp/customerID/eventID. | | None | No |
| | Match event types. Allowed values: | | None | No |
| `timeFilter` | Time-based narrowing for the event search. | object | | No |
| `includeEventFlag` | Event flags that must all be present on a matching event. Allowed values are those returned by listArgusEventFlags (case-sensitive); the LLM can look them up behind the scenes. | array of strings | None | No |
| `excludeEventFlag` | Event flags that must not be present on a matching event. Allowed values are those returned by listArgusEventFlags (case-sensitive); the LLM can look them up behind the scenes. | array of strings | None | No |
| `property` | Event property filter criteria. | array of objects | None | No |
| `page` | Pagination settings. | object | | No |
| `sortBy` | Sort order list. Use list order as priority. Prefix a value with `-` for descending order. Allowed values are those returned by listArgusEventSearchSortBy. | array of strings | None | No |
request.attack[] fields#
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Match events triggered by any of these alarms, using alarm ID or short name. | | None | No |
| | Match events triggered by any of these attack categories, using ID or short name. | | None | No |
| | Match events triggered by any of these information security signatures. | | None | No |
| | Negate this criterion. | boolean | | No |
| | Whether this criterion must be combined with other criteria using AND instead of OR. | boolean | | No |
request.endpoint[] fields#
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Match endpoint country codes. | | None | No |
| | Which endpoint side to search. Allowed values: | | | No |
| | Match endpoint IPs or CIDR networks. Supports IPv4, IPv6, and CIDR notation. | | None | No |
| | Minimum CIDR prefix length to match. Useful to exclude broad subnets. | | None | No |
| | Match endpoint ports. | | None | No |
| `includeEndpointFlag` | Endpoint flags that must all be present. Allowed values are those returned by listArgusEndpointFlags (case-sensitive); the LLM can look them up behind the scenes. | array of strings | None | No |
| `excludeEndpointFlag` | Endpoint flags that must not be present. Allowed values are those returned by listArgusEndpointFlags (case-sensitive); the LLM can look them up behind the scenes. | array of strings | None | No |
| | Negate this criterion. | boolean | | No |
| | Whether this criterion must be combined with other criteria using AND instead of OR. | boolean | | No |
request.timeFilter fields#
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Which event time field(s) the range applies to. Allowed values: | | | No |
| | Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | | No |
| | End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as | | | No |
| | How to evaluate multiple | | | No |
request.property[] fields#
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Property key to match. | | None | Yes |
| | Property values to match against the key. | | None | Yes |
| | How to combine multiple values. Allowed values: | | | No |
| | How to compare each value. Allowed values: | | | No |
| | Negate this criterion. | boolean | | No |
| | Whether this criterion must be combined with other criteria using AND instead of OR. | boolean | | No |
request.page fields#
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| | Maximum number of items per page. Accepted range: 1 to 100. | | | No |
| | Number of items to skip before returning results. Must be | | | No |
Usage notes
- If you want event properties included in the results, ask for that explicitly so the LLM can enable includeProperties.
- Event search pagination supports 1 to 100 items per page. Values outside that range will fail.
- For descending sorting, the LLM can use a `-` prefix such as `-createdTimestamp`.
- Event identifiers follow the format timestamp/customerID/eventID.
Tool: listArgusEventFlags#
Purpose
Return the allowed event flag values for Argus event search.
Arguments
This tool takes no arguments.
Current returned values
established, blocked, partiallyBlocked, snapshot, finalized, falsePositive, notAThreat, tuningCandidate, notified, notifiedUnpublished, notifiedDeleted, followup, partiallyNotified, identifiedThreat, threatCandidate, acknowledged, partiallyAcknowledged, severityAdjusted, commented, filtered, checked, incompleteDetails, aggregatedBaseEvent, remoteStorage, hasDetails, hasPayload, hasPcap, associatedToCaseByFilter, severityIncreasedByFilter, severityReducedByFilter, createdByAnalysisFilter, extendEventTtl, initialTuning, postAnalysis, partialSslTerminated, sslTerminated, autoReport, missingTimestamp, clockOutOfSync, dropAnalysis, escalatedByReputation, hasSample, storeEvent, storeAggregated, handledByAnalyst, slaViolation, payloadTruncated, hasStringPayload, reassessed, eventFromOtEnvironment, eventFromRestrictedItEnvironment, failure
Tool: listArgusEndpointFlags#
Purpose
Return the allowed endpoint flag values for endpoint filtering within Argus event search.
Arguments
This tool takes no arguments.
Current returned values
isCustomerNet, isPartialCustomerNet, customAggregation, isManagedBySoc
Tool: listArgusEventSearchSortBy#
Purpose
Return the allowed sortBy values for Argus event search.
Arguments
This tool takes no arguments.
Current returned values
customerID, eventID, createdTimestamp, lastUpdatedTimestamp, firstEventTimestamp, lastEventTimestamp
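The three lookup tools above exist so that flag and sort values reach the query exactly as returned. The following is an added example, not code from the Argus project or from this page: a client-side pre-flight check that validates a request payload against the constraints this page documents (case-sensitive flag values, the `-` sort prefix, the 1 to 100 page limit, and the timestamp/customerID/eventID identifier format) before it is handed to generateArgusEventSearchQuery. Field names taken from the page are attack, endpoint, timeFilter, property, page, includeEventFlag, excludeEventFlag, sortBy, and endpoint[].includeEndpointFlag / excludeEndpointFlag. The keys page.limit, page.offset and the top-level eventIdentifier list are assumed names for illustration, and the sample payloads are constructed.

```python
import re

# Allowed values exactly as this page lists them. Matching is case-sensitive.
EVENT_FLAGS = frozenset("""
established blocked partiallyBlocked snapshot finalized falsePositive notAThreat
tuningCandidate notified notifiedUnpublished notifiedDeleted followup
partiallyNotified identifiedThreat threatCandidate acknowledged
partiallyAcknowledged severityAdjusted commented filtered checked
incompleteDetails aggregatedBaseEvent remoteStorage hasDetails hasPayload hasPcap
associatedToCaseByFilter severityIncreasedByFilter severityReducedByFilter
createdByAnalysisFilter extendEventTtl initialTuning postAnalysis
partialSslTerminated sslTerminated autoReport missingTimestamp clockOutOfSync
dropAnalysis escalatedByReputation hasSample storeEvent storeAggregated
handledByAnalyst slaViolation payloadTruncated hasStringPayload reassessed
eventFromOtEnvironment eventFromRestrictedItEnvironment failure
""".split())
ENDPOINT_FLAGS = frozenset({"isCustomerNet", "isPartialCustomerNet",
                            "customAggregation", "isManagedBySoc"})
SORT_BY = frozenset({"customerID", "eventID", "createdTimestamp",
                     "lastUpdatedTimestamp", "firstEventTimestamp",
                     "lastEventTimestamp"})
PAGE_LIMIT_RANGE = (1, 100)  # documented accepted range for items per page
# Identifiers are documented as timestamp/customerID/eventID; only the shape is checked.
EVENT_ID_RE = re.compile(r"^[^/]+/[^/]+/[^/]+$")


def parse_sort_by(values):
    """["-createdTimestamp", "customerID"] -> [(field, direction), ...]; '-' means descending."""
    parsed = []
    for spec in values:
        descending = spec.startswith("-")
        field = spec[1:] if descending else spec
        if field not in SORT_BY:
            raise ValueError(f"sortBy: unknown field {spec!r}")
        parsed.append((field, "desc" if descending else "asc"))
    return parsed


def _check_flags(errors, path, values, allowed):
    """Flags must match the list tool verbatim; a case-only mismatch gets a hint."""
    if values is None:
        return
    if not isinstance(values, list):
        errors.append(f"{path}: must be a list of flag names")
        return
    for value in values:
        if value in allowed:
            continue
        near = next((a for a in allowed if a.lower() == str(value).lower()), None)
        msg = f"{path}: unknown flag {value!r}"
        if near:
            msg += f" (flags are case-sensitive; did you mean {near!r}?)"
        errors.append(msg)


def validate_event_search_request(req):
    """Return a list of problems; empty means every documented constraint holds."""
    errors = []
    _check_flags(errors, "includeEventFlag", req.get("includeEventFlag"), EVENT_FLAGS)
    _check_flags(errors, "excludeEventFlag", req.get("excludeEventFlag"), EVENT_FLAGS)
    both = set(req.get("includeEventFlag") or []) & set(req.get("excludeEventFlag") or [])
    if both:
        errors.append(f"event flags both required and excluded: {sorted(both)}")
    for i, ep in enumerate(req.get("endpoint") or []):
        _check_flags(errors, f"endpoint[{i}].includeEndpointFlag",
                     ep.get("includeEndpointFlag"), ENDPOINT_FLAGS)
        _check_flags(errors, f"endpoint[{i}].excludeEndpointFlag",
                     ep.get("excludeEndpointFlag"), ENDPOINT_FLAGS)
    try:
        parse_sort_by(req.get("sortBy") or [])
    except ValueError as exc:
        errors.append(str(exc))
    limit = (req.get("page") or {}).get("limit")  # "limit" is an assumed key name
    if limit is not None and not PAGE_LIMIT_RANGE[0] <= limit <= PAGE_LIMIT_RANGE[1]:
        errors.append(f"page.limit: {limit} is outside {PAGE_LIMIT_RANGE[0]}..{PAGE_LIMIT_RANGE[1]}")
    for eid in req.get("eventIdentifier") or []:  # "eventIdentifier" is an assumed key name
        if not EVENT_ID_RE.match(eid):
            errors.append(f"eventIdentifier: {eid!r} is not timestamp/customerID/eventID")
    return errors


# Constructed sample payloads for illustration, not real Argus data.
GOOD_REQUEST = {
    "includeEventFlag": ["blocked"],
    "excludeEventFlag": ["falsePositive", "notAThreat"],
    "endpoint": [{"includeEndpointFlag": ["isCustomerNet"]}],
    "sortBy": ["-createdTimestamp", "customerID"],
    "page": {"limit": 25, "offset": 0},
    "eventIdentifier": ["1700000000000/123/abc-1"],
}
BAD_REQUEST = {
    "includeEventFlag": ["Blocked"],                                       # wrong case
    "endpoint": [{"includeEndpointFlag": ["isCustomerNet", "managedBySoc"]}],
    "sortBy": ["-severity"],                                               # not sortable
    "page": {"limit": 500, "offset": 0},                                   # above 100
    "eventIdentifier": ["1700000000000/123"],                              # missing eventID
}

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, validate_event_search_request(req) or "ok")
```

Running the check before calling the tool turns silent no-match queries (a flag such as "Blocked" that the backend does not recognise) into an explicit error, and the case-only hint points the LLM back to the value the list tool actually returned.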