# Argus Alarm Search Translator MCP Tools
These MCP tools help you build and validate Argus alarm and attack-category search queries.
They support two main needs:
- generate a structured alarm or attack-category search query
- discover valid sorting fields before building the query
## General Notes
- Use these tools when you want the LLM to turn your alarm-search or attack-category-search intent into a valid search query.
- Describe what you want to find in plain language, and the LLM can use the request fields in this document to build the search.
- If your request involves sorting, the LLM can look up the allowed values before building the query.
- This applies to `sortBy` for both alarm and attack-category searches.
- The returned sort values are case-sensitive, so the LLM should keep them exactly as returned.
- If you want actual search results after building the query, the LLM can then use the alarm search execution tool with the same search intent.
## Tool: generateArgusAlarmSearchQuery

**Purpose**

Generate an Argus alarm search query from your search intent.

**Arguments**

### Argument: request

High-level purpose: the full alarm search definition the LLM builds from your request.

- Type: `object`
- Required: Yes
- Default: None

### Argument: includeMappings

High-level purpose: tells the LLM whether alarm security signature mapping details should be included when it prepares the search and later fetches results.

- Type: `boolean`
- Required: Yes
- Default: `false`
### request fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `idOrShortName` | Match alarms by any of the specified alarm IDs or short names. | `array<string>` | None | No |
| `attackCategoryID` | Match alarms belonging to any of the specified attack category IDs. | `array<number>` | None | No |
| `signature` | Match alarms with any of the specified security signatures. This is exact matching; use `keywordFilter` for case-insensitive text matching. | `array<string>` | None | No |
| `reference` | Match alarms with any of the specified references. This is exact matching; use `keywordFilter` for case-insensitive text matching. | `array<string>` | None | No |
| `label` | Match alarms with any of the specified labels. This is exact matching; use `keywordFilter` for case-insensitive text matching. | `array<string>` | None | No |
| `keywordFilter` | Keyword-based matching across alarm text fields. | `object` | None | No |
| `timeFilter` | Time-based narrowing for alarm search. | `object` | None | No |
| `page` | Pagination settings. | `object` | `{ "limit": 25, "offset": 0 }` | No |
| `sortBy` | Sort order list. List order is the priority. Prefix a field with `-` for descending. When sorting is involved, the LLM can look up the allowed sort values behind the scenes. | `array<string>` | None | No |
### request.keywordFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `keywords` | Search terms to match. | `array<string>` | None | No |
| `keywordField` | Which alarm keyword fields to search. Allowed values: `id`, `shortName`, `signature`, `description`, `reference`, `label`, `all`. | `array<string>` | `["all"]` | No |
| `keywordMatch` | How to evaluate multiple keywords. Allowed values: `any`, `all`. | `string` | `all` | No |

### request.timeFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `timeField` | Which alarm time field(s) the range applies to. Allowed values: `createdTimestamp`, `lastUpdatedTimestamp`, `lastCheckTimestamp`, `nextCheckTimestamp`, `all`. | `array<string>` | `["lastUpdatedTimestamp"]` | No |
| `startTime` | Start of the time range. Accepts epoch millis as a string, ISO-8601 UTC, or relative expressions such as `startOfDay - 1 day`. | `string` | None | No |
| `endTime` | End of the time range. Accepts epoch millis as a string, ISO-8601 UTC, or relative expressions such as `now`. | `string` | None | No |
| `timeMatchStrategy` | How to evaluate multiple `timeField` values. Allowed values: `any`, `all`. Mainly relevant when more than one time field is provided. | `string` | `any` | No |

### request.page fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `limit` | Maximum number of items per page. Accepted range: 1 to 100. | `number` | `25` | No |
| `offset` | Number of items to skip before returning results. Must be 0 or greater. | `number` | `0` | No |
**Usage notes**

- If you want alarm security signature mapping details included in the results, ask for that explicitly so the LLM can enable `includeMappings`.
- Alarm search pagination supports 1 to 100 items per page. Values outside that range will fail.
- For descending sorting, the LLM can use a `-` prefix such as `-lastUpdatedTimestamp`.
- Exact fields such as `signature`, `reference`, and `label` keep the requested text literally. For looser text matching, ask for keyword matching instead.
## Tool: listArgusAlarmSearchSortBy

**Purpose**

Return the allowed `sortBy` values for Argus alarm search.

**Arguments**

This tool takes no arguments.

**Current returned values**

`id`, `lastUpdatedTimestamp`, `description`, `attackCategory`
## Tool: generateArgusAttackCategorySearchQuery

**Purpose**

Generate an Argus attack-category search query from your search intent.

**Arguments**

### Argument: request

High-level purpose: the full attack-category search definition the LLM builds from your request.

- Type: `object`
- Required: Yes
- Default: None
### request fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `idOrShortName` | Match attack categories by any of the specified IDs or short names. | `array<string>` | None | No |
| `keywordFilter` | Keyword-based matching across attack-category text fields. | `object` | None | No |
| `timeFilter` | Time-based narrowing for attack-category search. | `object` | None | No |
| `page` | Pagination settings. | `object` | `{ "limit": 25, "offset": 0 }` | No |
| `sortBy` | Sort order list. List order is the priority. Prefix a field with `-` for descending. When sorting is involved, the LLM can look up the allowed sort values behind the scenes. | `array<string>` | None | No |

### request.keywordFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `keywords` | Search terms to match. | `array<string>` | None | No |
| `keywordField` | Which attack-category keyword fields to search. Allowed values: `id`, `shortName`, `name`, `info`, `all`. | `array<string>` | `["all"]` | No |
| `keywordMatch` | How to evaluate multiple keywords. Allowed values: `any`, `all`. | `string` | `all` | No |

### request.timeFilter fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `timeField` | Which attack-category time field(s) the range applies to. Allowed values: `createdTimestamp`, `lastUpdatedTimestamp`, `all`. | `array<string>` | `["lastUpdatedTimestamp"]` | No |
| `startTime` | Start of the time range. Accepts epoch millis as a string, ISO-8601 UTC, or relative expressions such as `startOfDay - 1 day`. | `string` | None | No |
| `endTime` | End of the time range. Accepts epoch millis as a string, ISO-8601 UTC, or relative expressions such as `now`. | `string` | None | No |
| `timeMatchStrategy` | How to evaluate multiple `timeField` values. Allowed values: `any`, `all`. Mainly relevant when more than one time field is provided. | `string` | `any` | No |

### request.page fields

| Field | Description | Type | Default | Required |
|---|---|---|---|---|
| `limit` | Maximum number of items per page. Accepted range: 1 to 100. | `number` | `25` | No |
| `offset` | Number of items to skip before returning results. Must be 0 or greater. | `number` | `0` | No |
**Usage notes**

- Attack-category search pagination supports 1 to 100 items per page. Values outside that range will fail.
- For descending sorting, the LLM can use a `-` prefix such as `-info`.
- `idOrShortName` is the direct ID or short-name filter. Use `keywordFilter` when the request asks for text matching in names or information fields.
## Tool: listArgusAttackCategorySearchSortBy

**Purpose**

Return the allowed `sortBy` values for Argus attack-category search.

**Arguments**

This tool takes no arguments.

**Current returned values**

`id`, `shortName`, `name`, `info`
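The constraints documented above for both `generateArgusAlarmSearchQuery` and `generateArgusAttackCategorySearchQuery` (allowed `keywordField`, `timeField` and `sortBy` values, the `-` descending prefix, case-sensitive sort names, the 1 to 100 page limit and the non-negative offset) can be checked locally before a generated `request` is handed on to the execution tool. This validator is an added example, not part of the Argus MCP tools; the `SCHEMAS` table and `validate_request` name are this example's own, and the allowed values are copied from the tables on this page.

```python
from __future__ import annotations
from typing import Any

# Allowed values copied from the field tables above (example code, not the tools' own schema).
SCHEMAS = {
    "alarm": {
        "exact": {"idOrShortName", "attackCategoryID", "signature", "reference", "label"},
        "keywordField": {"id", "shortName", "signature", "description", "reference", "label", "all"},
        "timeField": {"createdTimestamp", "lastUpdatedTimestamp", "lastCheckTimestamp",
                      "nextCheckTimestamp", "all"},
        "sortBy": {"id", "lastUpdatedTimestamp", "description", "attackCategory"},
    },
    "attackCategory": {
        "exact": {"idOrShortName"},
        "keywordField": {"id", "shortName", "name", "info", "all"},
        "timeField": {"createdTimestamp", "lastUpdatedTimestamp", "all"},
        "sortBy": {"id", "shortName", "name", "info"},
    },
}


def validate_request(kind: str, request: dict[str, Any]) -> list[str]:
    """Return the documented-constraint violations in `request`; an empty list means it is well-formed."""
    schema = SCHEMAS[kind]
    problems: list[str] = []
    known = schema["exact"] | {"keywordFilter", "timeFilter", "page", "sortBy"}
    problems += [f"unknown field {k!r}" for k in request if k not in known]
    page = request.get("page", {})
    limit, offset = page.get("limit", 25), page.get("offset", 0)
    if not 1 <= limit <= 100:
        problems.append(f"page.limit {limit} is outside the accepted range 1..100")
    if offset < 0:
        problems.append(f"page.offset {offset} must be 0 or greater")
    kw = request.get("keywordFilter", {})
    problems += [f"keywordField {f!r} not allowed" for f in kw.get("keywordField", ["all"])
                 if f not in schema["keywordField"]]
    if kw.get("keywordMatch", "all") not in {"any", "all"}:
        problems.append("keywordMatch must be 'any' or 'all'")
    tf = request.get("timeFilter", {})
    problems += [f"timeField {f!r} not allowed" for f in tf.get("timeField", ["lastUpdatedTimestamp"])
                 if f not in schema["timeField"]]
    if tf.get("timeMatchStrategy", "any") not in {"any", "all"}:
        problems.append("timeMatchStrategy must be 'any' or 'all'")
    # A leading '-' means descending; the name after it must equal a returned sort value exactly.
    for entry in request.get("sortBy", []):
        field = entry[1:] if entry.startswith("-") else entry
        if field not in schema["sortBy"]:
            problems.append(f"sortBy {entry!r} is not an allowed sort value (case-sensitive)")
    return problems
```

For instance, `validate_request("alarm", {"sortBy": ["-Description"]})` reports the sort entry as not allowed because the returned value is `description`, while `["-description"]` passes.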