Argus Match Filter Search Translator MCP Tools

This document describes the MCP tools available for Argus match filter search translation.

These tools help users:

  • build an Argus match filter search query payload

  • discover valid values for match filter event flags

  • discover valid values for match filter sorting

  • validate search pagination, event flags, and sort fields before retrieving results

General Notes

  • Use these tools when you want the LLM to turn your match-filter search intent into a valid search query.

  • Argus match filters define detection rules that identify relevant events from the real-time security event stream and can transform matching events.

  • Describe what you want to find in plain language, and the LLM can use the request fields in this document to build the search.

  • If your request involves event flags (includeEventFlag, excludeEventFlag) or sorting (sortBy), the LLM can look up the allowed values with the listing tools below before building the query.

  • Returned allowed values are case-sensitive; the LLM should keep them exactly as returned.

  • If you want actual search results after building the query, the LLM can then use the match filter search execution tool with the same search intent.

Tool: generateArgusMatchFilterSearchQuery

Purpose

Generate an Argus match filter search query from your search intent. The result is the generated match filter search JSON.

Arguments

Argument: request

High-level purpose: the full match filter search definition the LLM builds from your request.

  • Type: object

  • Required: Yes

  • Default: None

request fields

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| filterID | Match filters by any of these filter IDs. | array<number> | None | No |
| customer | Match filters belonging to any of the specified customers, using customer ID or short name. | array<string> | None | No |
| includeAscendingCustomer | When customer filtering is used, also include parent customers. | boolean | false | No |
| includeDescendingCustomer | When customer filtering is used, also include child customers. | boolean | true | No |
| includeFilterFlag | Match filter flags that must all be present. Allowed values: enabled, controlled. | array<string> | None | No |
| excludeFilterFlag | Match filter flags that must not be present. Exclusion still applies even if the included flags match, so a flag in both lists matches nothing. Allowed values: enabled, controlled. | array<string> | None | No |
| filterType | Match filter types to include. Allowed values: matchRawEvent, matchAggregatedEvent, matchAnyEvent. | array<string> | None | No |
| associatedCaseID | Match filters associated with any of these case IDs. | array<number> | None | No |
| alarmID | Match filters targeting any of these alarm IDs. | array<number> | None | No |
| attackCategory | Match filters targeting any of these attack categories, using ID or short name. | array<string> | None | No |
| sensorLocation | Match filters for any of these sensor locations, using ID or short name. | array<string> | None | No |
| includeEventFlag | Argus event flags that must be associated with the match filter. The allowed values are returned by listMatchFilterArgusEventFlags; the LLM can look them up behind the scenes. | array<string> | None | No |
| excludeEventFlag | Argus event flags that must not be associated with the match filter. The allowed values are returned by listMatchFilterArgusEventFlags; the LLM can look them up behind the scenes. | array<string> | None | No |
| keywordFilter | Keyword-based matching across match filter fields (see request.keywordFilter fields). | object | None | No |
| timeFilter | Time-based narrowing of the match filter search (see request.timeFilter fields). | object | None | No |
| includeCode | Whether match and transform code should be included in the result objects. | boolean | true | No |
| page | Pagination settings (see request.page fields). | object | { "limit": 25, "offset": 0 } | No |
| sortBy | Sort order list; list order is the priority. Prefix a field with - for descending order. The allowed values are returned by listArgusMatchFilterSearchSortBy; the LLM can look them up behind the scenes. | array<string> | None | No |

request.keywordFilter fields

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| keywords | Search terms to match. | array<string> | None | No |
| keywordField | Which match filter keyword fields to search. Allowed values: id, name, description, label, protocol, domainPattern, uriPattern, signature, propertyKey, propertyValue, matchCode, transformCode, newAggregationKey, all. | array<string> | ["all"] | No |
| keywordMatch | How to evaluate multiple keywords: any (at least one keyword matches) or all (every keyword matches). Must be set when keywords are present. | string | all | No |

request.timeFilter fields

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| timeField | Which match filter time field(s) the range applies to. Allowed values: validFrom, validTo, created, lastUpdated. | array<string> | ["lastUpdated"] | No |
| startTime | Start of the time range. Accepts epoch milliseconds as a string, an ISO-8601 UTC timestamp, or a relative expression such as startOfDay - 1 day. | string | None | No |
| endTime | End of the time range. Accepts the same formats as startTime; relative expressions such as now are accepted. | string | now | No |
| timeMatchStrategy | How to evaluate the range against multiple timeField values. Allowed values: any, all. Only relevant when more than one time field is given. | string | any | No |

request.page fields

| Field | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| limit | Maximum number of items per page. Accepted range: 1 to 100. | number | 25 | No |
| offset | Number of items to skip before returning results. Must be 0 or greater. | number | 0 | No |

Usage notes

  • Match filter search pagination supports 1 to 100 items per page. A limit outside that range, or a negative offset, is rejected rather than clamped.

  • For descending sorting, the LLM can use a - prefix such as -validFrom.

  • matchAnyEvent is a distinct filter type for filters explicitly configured for both raw and aggregated events. It is not a shortcut for selecting raw and aggregated filters together.

  • To search for event property existence, the LLM can use propertyKey. To search for event property values, it can use propertyValue.

  • Ask explicitly if you want match and transform code excluded from search results, since code is included by default.
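As an added worked example (not code from the Argus MCP tools), the following Python helper applies the documented defaults to a search intent and validates the payload against the constraints above before it is handed to the execution tool: page limits, sort fields with the optional - prefix, case-sensitive allowed values, contradictory include/exclude lists, and the keywordMatch requirement. The allowed-value sets are copied from this page; in real use the sortBy and event flag sets come from the two listing tools. The customer short name acme and all function names are assumptions for the example.

```python
"""Build and validate an Argus match filter search request before executing it.
Added example for this page, not code from the Argus MCP tools. Allowed values
are copied from the page; in use, take sortBy and event flag lists from the
listArgusMatchFilterSearchSortBy and listMatchFilterArgusEventFlags tools."""
import json

SORT_FIELDS = {"id", "name", "validFrom", "validTo", "created", "lastUpdated"}
EVENT_FLAGS = set("""
ESTABLISHED BLOCKED SNAPSHOT FINALIZED SOURCE_IS_CUSTOMERNET DESTINATION_IS_CUSTOMERNET
SOURCE_IS_PARTIAL_CUSTOMERNET DESTINATION_IS_PARTIAL_CUSTOMERNET PARTIALLY_BLOCKED
FALSE_POSITIVE NOT_A_THREAT TUNING_CANDIDATE NOTIFIED PARTIALLY_NOTIFIED FOLLOWUP
IDENTIFIED_THREAT THREAT_CANDIDATE ACKNOWLEDGED PARTIALLY_ACKNOWLEDGED SEVERITY_ADJUSTED
COMMENTED FILTERED CHECKED INCOMPLETE_DETAILS AGGREGATED_BASE_EVENT REMOTE_STORAGE
CUSTOM_SOURCE_AGGREGATION CUSTOM_DESTINATION_AGGREGATION ASSOCIATED_TO_CASE_BY_FILTER
SEVERITY_INCREASED_BY_FILTER SEVERITY_REDUCED_BY_FILTER CREATED_BY_ANALYSIS_FILTER
IP_INVERTED_BY_FILTER HAS_PAYLOAD HAS_PCAP EXTEND_EVENT_TTL INITIAL_TUNING
PARTIAL_INITIAL_TUNING POST_ANALYSIS SSL_TERMINATED PARTIAL_SSL_TERMINATED AUTO_REPORT
MISSING_TIMESTAMP CLOCK_OUT_OF_SYNC DROP_ANALYSIS ESCALATED_BY_REPUTATION HAS_SAMPLE
STORE_EVENT STORE_AGGREGATED EVENT_FROM_OT_ENVIRONMENT EVENT_FROM_RESTRICTED_IT_ENVIRONMENT
FAILURE""".split())
FILTER_FLAGS = {"enabled", "controlled"}
FILTER_TYPES = {"matchRawEvent", "matchAggregatedEvent", "matchAnyEvent"}
KEYWORD_FIELDS = {"id", "name", "description", "label", "protocol", "domainPattern",
                  "uriPattern", "signature", "propertyKey", "propertyValue", "matchCode",
                  "transformCode", "newAggregationKey", "all"}
TIME_FIELDS = {"validFrom", "validTo", "created", "lastUpdated"}
MATCH_STRATEGIES = {"any", "all"}
KNOWN_FIELDS = set("""filterID customer includeAscendingCustomer includeDescendingCustomer
includeFilterFlag excludeFilterFlag filterType associatedCaseID alarmID attackCategory
sensorLocation includeEventFlag excludeEventFlag keywordFilter timeFilter includeCode
page sortBy""".split())
PAGE_LIMIT_MAX = 100


def _check_values(errors, name, values, allowed):
    """Every entry of an array field must be in the allowed set, compared case-sensitively."""
    for v in values or []:
        if v not in allowed:
            errors.append(f"{name}: {v!r} is not an allowed value (values are case-sensitive)")


def validate_request(req: dict) -> list:
    """Return the list of problems with a request payload; an empty list means it is valid."""
    errors = [f"unknown field {k!r}" for k in req if k not in KNOWN_FIELDS]
    page = req.get("page") or {}
    limit, offset = page.get("limit", 25), page.get("offset", 0)
    if not isinstance(limit, int) or not 1 <= limit <= PAGE_LIMIT_MAX:
        errors.append(f"page.limit must be 1..{PAGE_LIMIT_MAX}, got {limit!r}")
    if not isinstance(offset, int) or offset < 0:
        errors.append(f"page.offset must be 0 or greater, got {offset!r}")
    # A leading '-' on a sortBy entry means descending; the field name after it must be allowed.
    _check_values(errors, "sortBy", [s.lstrip("-") for s in req.get("sortBy") or []], SORT_FIELDS)
    for name, allowed in (("includeFilterFlag", FILTER_FLAGS), ("excludeFilterFlag", FILTER_FLAGS),
                          ("filterType", FILTER_TYPES), ("includeEventFlag", EVENT_FLAGS),
                          ("excludeEventFlag", EVENT_FLAGS)):
        _check_values(errors, name, req.get(name), allowed)
    # Exclusion wins over inclusion, so a value present in both lists can never match anything.
    for inc, exc in (("includeFilterFlag", "excludeFilterFlag"),
                     ("includeEventFlag", "excludeEventFlag")):
        clash = set(req.get(inc) or []) & set(req.get(exc) or [])
        if clash:
            errors.append(f"{inc}/{exc}: {sorted(clash)} both required and excluded, matches nothing")
    kw = req.get("keywordFilter") or {}
    _check_values(errors, "keywordFilter.keywordField", kw.get("keywordField"), KEYWORD_FIELDS)
    if kw.get("keywords") and kw.get("keywordMatch") not in MATCH_STRATEGIES:
        errors.append("keywordFilter.keywordMatch must be 'any' or 'all' when keywords are present")
    tf = req.get("timeFilter") or {}
    _check_values(errors, "timeFilter.timeField", tf.get("timeField"), TIME_FIELDS)
    if "timeMatchStrategy" in tf and tf["timeMatchStrategy"] not in MATCH_STRATEGIES:
        errors.append("timeFilter.timeMatchStrategy must be 'any' or 'all'")
    return errors


def build_request(**fields) -> dict:
    """Apply the documented defaults, validate, and return the JSON-ready payload."""
    req = {"includeCode": True, "page": {"limit": 25, "offset": 0}, **fields}
    kw = req.get("keywordFilter")
    if kw and kw.get("keywords") and "keywordMatch" not in kw:
        req["keywordFilter"] = {**kw, "keywordMatch": "all"}  # documented default
    errors = validate_request(req)
    if errors:
        raise ValueError("; ".join(errors))
    return req


def example_request() -> dict:
    """Constructed intent: enabled raw-event filters of customer 'acme' (assumed short name),
    updated since yesterday, whose events were blocked but not marked false positive,
    newest first, with match/transform code left out of the results."""
    return build_request(
        customer=["acme"], includeFilterFlag=["enabled"], filterType=["matchRawEvent"],
        includeEventFlag=["BLOCKED"], excludeEventFlag=["FALSE_POSITIVE"],
        timeFilter={"timeField": ["lastUpdated"], "startTime": "startOfDay - 1 day", "endTime": "now"},
        sortBy=["-lastUpdated"], includeCode=False, page={"limit": 50, "offset": 0},
    )


if __name__ == "__main__":
    print(json.dumps(example_request(), indent=2))
```

validate_request returns every problem at once rather than stopping at the first, so a generated payload can be corrected in one round trip; build_request raises on any problem so an invalid payload never reaches the execution tool. Values are never lower-cased or otherwise normalised, because the allowed values are case-sensitive and a silently "fixed" flag would search for something the user did not ask for.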

Tool: listArgusMatchFilterSearchSortBy

Purpose

Return the allowed sortBy values for Argus match filter search.

Arguments

This tool takes no arguments.

Current returned values

id, name, validFrom, validTo, created, lastUpdated

Tool: listMatchFilterArgusEventFlags

Purpose

Return the allowed event flag values for Argus match filter search.

Arguments

This tool takes no arguments.

Current returned values

ESTABLISHED, BLOCKED, SNAPSHOT, FINALIZED, SOURCE_IS_CUSTOMERNET, DESTINATION_IS_CUSTOMERNET, SOURCE_IS_PARTIAL_CUSTOMERNET, DESTINATION_IS_PARTIAL_CUSTOMERNET, PARTIALLY_BLOCKED, FALSE_POSITIVE, NOT_A_THREAT, TUNING_CANDIDATE, NOTIFIED, PARTIALLY_NOTIFIED, FOLLOWUP, IDENTIFIED_THREAT, THREAT_CANDIDATE, ACKNOWLEDGED, PARTIALLY_ACKNOWLEDGED, SEVERITY_ADJUSTED, COMMENTED, FILTERED, CHECKED, INCOMPLETE_DETAILS, AGGREGATED_BASE_EVENT, REMOTE_STORAGE, CUSTOM_SOURCE_AGGREGATION, CUSTOM_DESTINATION_AGGREGATION, ASSOCIATED_TO_CASE_BY_FILTER, SEVERITY_INCREASED_BY_FILTER, SEVERITY_REDUCED_BY_FILTER, CREATED_BY_ANALYSIS_FILTER, IP_INVERTED_BY_FILTER, HAS_PAYLOAD, HAS_PCAP, EXTEND_EVENT_TTL, INITIAL_TUNING, PARTIAL_INITIAL_TUNING, POST_ANALYSIS, SSL_TERMINATED, PARTIAL_SSL_TERMINATED, AUTO_REPORT, MISSING_TIMESTAMP, CLOCK_OUT_OF_SYNC, DROP_ANALYSIS, ESCALATED_BY_REPUTATION, HAS_SAMPLE, STORE_EVENT, STORE_AGGREGATED, EVENT_FROM_OT_ENVIRONMENT, EVENT_FROM_RESTRICTED_IT_ENVIRONMENT, FAILURE