Argus Match Filter MCP Tools#

These MCP tools let you retrieve Argus match filters from the event filter API.

They support two common tasks:

  • fetch one match filter by ID

  • search match filters using a structured request

General Notes#

  • Use these tools when you want the LLM to retrieve match filter data from Argus APIs.

  • If you ask the LLM to search match filters, it may first use the match filter search translator tools to construct and validate the search request and then use the search tool to fetch results.

  • Each search tool call returns only one page of results. It does not automatically fetch additional pages.

  • When more results may exist, the response includes pagination metadata under page, such as nextOffset, stop, and reason, which the LLM can use if you ask it to continue.

  • Search pagination supports 1 to 100 items per page.

  • If event flags or sorting are involved, the LLM can use the match filter search translator tools to look up valid values before retrieving results.

Tool: getMatchFilterByID#

Purpose

Fetch full details for one Argus match filter by ID. The response includes match and transform code for the detection rule.

Arguments

Field

Description

Type

Default

Required

filterID

The match filter ID to fetch.

number

None

Yes

Tool: executeSearchArgusMatchFilter#

Purpose

Retrieve Argus match filter search results for the search criteria the LLM has prepared.

Arguments

Field

Description

Type

Default

Required

request

The full match filter search definition the LLM builds from your request.

object

None

Yes

request fields#

Field

Description

Type

Default

Required

filterID

Match filters by any of these filter IDs.

array<number>

None

No

customer

Match filters belonging to any of the specified customers, using customer ID or short name.

array<string>

None

No

includeAscendingCustomer

When customer filtering is used, also include parent customers.

boolean

false

No

includeDescendingCustomer

When customer filtering is used, also include child customers.

boolean

true

No

includeFilterFlag

Match filter flags that must all be present. Allowed values: enabled, controlled.

array<string>

None

No

excludeFilterFlag

Match filter flags that must not be present. Exclusion still applies even if included flags match. Allowed values: enabled, controlled.

array<string>

None

No

filterType

Match filter types to include. Allowed values: matchRawEvent, matchAggregatedEvent, matchAnyEvent.

array<string>

None

No

associatedCaseID

Match filters associated with any of these case IDs.

array<number>

None

No

alarmID

Match filters targeting any of these alarm IDs.

array<number>

None

No

attackCategory

Match filters targeting any of these attack categories, using ID or short name.

array<string>

None

No

sensorLocation

Match filters for any of these sensor locations, using ID or short name.

array<string>

None

No

includeEventFlag

Argus event flags that must be associated with the match filter.

array<string>

None

No

excludeEventFlag

Argus event flags that must not be associated with the match filter.

array<string>

None

No

keywordFilter

Keyword-based matching across match filter fields.

object

None

No

timeFilter

Time-based narrowing for match filter search.

object

None

No

includeCode

Whether match and transform code should be included in the result objects.

boolean

true

No

page

Pagination settings.

object

{ "limit": 25, "offset": 0 }

No

sortBy

Sort order list. Use list order as priority. Prefix with - for descending.

array<string>

None

No

request.keywordFilter fields#

Field

Description

Type

Default

Required

keywords

Search terms to match.

array<string>

None

No

keywordField

Which match filter keyword fields to search. Allowed values: id, name, description, label, protocol, domainPattern, uriPattern, signature, propertyKey, propertyValue, matchCode, transformCode, newAggregationKey, all.

array<string>

["all"]

No

keywordMatch

How to evaluate multiple keywords. Allowed values: any, all. Required when keywords are present.

string

all

No

request.timeFilter fields#

Field

Description

Type

Default

Required

timeField

Which match filter time field(s) the range applies to. Allowed values: validFrom, validTo, created, lastUpdated.

array<string>

["lastUpdated"]

No

startTime

Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as startOfDay - 1 day.

string

None

No

endTime

End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as now.

string

now

No

timeMatchStrategy

How to evaluate multiple timeField values. Allowed values: any, all. Mainly relevant when more than one time field is provided.

string

any

No

request.page fields#

Field

Description

Type

Default

Required

limit

Maximum number of items per page. Accepted range: 1 to 100.

number

25

No

offset

Number of items to skip before returning results. Must be 0 or greater.

number

0

No

Usage notes

  • If your request is a search, the LLM may first use generateArgusMatchFilterSearchQuery to shape and validate the query.

  • If you want match and transform code excluded from the results, ask for that explicitly so the LLM can disable includeCode.

  • If you want more than one page of results, ask the LLM to continue fetching more pages. The tool itself returns one page at a time.

  • For descending sorting, the LLM can use a - prefix such as -validFrom.

  • matchAnyEvent is a distinct filter type for filters explicitly configured for both raw and aggregated events. It is not a shortcut for selecting raw and aggregated filters together.