Argus Asset Search Translator MCP Tools¶
This document describes the MCP tools available for Argus asset search and asset statistics translation.
These tools help users:
- build an Argus asset search query payload
- build an Argus asset statistics query payload
- discover valid values for asset search sorting
- validate pagination and sorting before retrieving results
General Notes¶
- Use these tools when you want the LLM to turn your asset search or asset statistics intent into a valid query.
- Argus assets represent entities monitored and protected for a customer. Asset definitions describe which data components an asset type can contain.
- Asset searches and statistics must be scoped to an asset definition. Supported values are
HostAssetandQualysHostAsset; the default isHostAsset. - If sorting is involved, the LLM can look up the allowed
sortByvalues before building the search query. - Returned allowed values are case-sensitive, so the LLM should keep them exactly as returned.
- If you want actual search results or calculated statistics after building a query, the LLM can then use the asset execution tools with the same search or statistics intent.
Tool: generateArgusAssetSearchQuery¶
Purpose
Generate an Argus asset search query from your search intent. The result is the generated asset search JSON.
Arguments
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
request |
The full asset search definition the LLM builds from your request. | object |
None | Yes |
assetDefinition |
Asset definition to search. Allowed values: HostAsset, QualysHostAsset. |
string |
HostAsset |
Yes |
request fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
customer |
Match assets belonging to any of the specified customers, using customer ID or short name. | array<string> |
None | No |
idOrShortName |
Match assets by any of the specified asset IDs or short names. | array<string> |
None | No |
dataSource |
Match assets detected or reported by any of these data sources, using ID or short name. | array<string> |
None | No |
componentFilter |
Component-based asset filters. Each item targets one component definition. | array<object> |
None | No |
vulnerabilityFilter |
Vulnerability-based filters, including severity, CIA impact, CVSS, references, IDs, and resolution. | object |
None | No |
timeFilter |
Time-based narrowing for asset search. | object |
{ "timeField": ["lastUpdatedTimestamp"], "startTime": "startOfDay", "endTime": "now", "timeMatchStrategy": "any" } |
No |
keywordFilter |
Keyword-based matching across asset and vulnerability fields. | object |
None | No |
userFilter |
User or user-group related asset filters. | object |
None | No |
groupFilter |
Asset group membership filters. | object |
None | No |
includeFlags |
Asset flags that must all be present. Allowed values: hasHighVulnerability, hasCriticalVulnerability, exploitAvailable. |
array<string> |
None | No |
excludeFlags |
Asset flags that must not be present. Exclusion still applies even if included flags match. Allowed values: hasHighVulnerability, hasCriticalVulnerability, exploitAvailable. |
array<string> |
None | No |
page |
Pagination settings. | object |
{ "limit": 25, "offset": 0 } |
No |
sortBy |
Sort order list. Use list order as priority. Prefix with - for descending. When sorting is involved, the LLM can look up the allowed sort values behind the scenes. |
array<string> |
None | No |
request.componentFilter[] fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
componentDefinition |
Component definition ID or name. | string |
None | No |
value |
Component values to match for the specified component definition. Any listed value may match. | array<string> |
None | No |
request.vulnerabilityFilter fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
vulnerabilityID |
Vulnerability identifiers affecting the asset. | array<string> |
None | No |
vulnerabilityReference |
Vulnerability references to match. | array<string> |
None | No |
vulnerabilityResolution |
Vulnerability resolution states. Allowed values: unresolved, accepted, temporarilyAccepted, falsePositive, serviceNotAvailable, noLongerVulnerable. |
array<string> |
None | No |
vulnerabilitySeverity |
Overall vulnerability risk severity. Allowed values: unknown, low, medium, high, critical. |
array<string> |
None | No |
confidentiality |
CIA confidentiality impact level. Allowed values: unknown, low, medium, high, critical. Do not use this as the overall risk severity. |
array<string> |
None | No |
availability |
CIA availability impact level. Allowed values: unknown, low, medium, high, critical. Do not use this as the overall risk severity. |
array<string> |
None | No |
integrity |
CIA integrity impact level. Allowed values: unknown, low, medium, high, critical. Do not use this as the overall risk severity. |
array<string> |
None | No |
minimumTotalCVSS |
Match assets whose total vulnerability CVSS score is greater than this value. | number |
None | No |
maximumTotalCVSS |
Match assets whose total vulnerability CVSS score is less than this value. | number |
None | No |
request.timeFilter fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
timeField |
Which asset or vulnerability time field(s) the range applies to. Allowed values: assetAll, firstSeenTimestamp, lastSeenTimestamp, lastScanTimestamp, createdTimestamp, lastUpdatedTimestamp, deletedTimestamp, expireTimestamp, vulnerabilityAll, vulnerabilityResolutionTimestamp, vulnerabilityResolutionExpiryTimestamp, vulnerabilityFirstSeenTimestamp, vulnerabilityLastSeenTimestamp, vulnerabilityExpireTimestamp, vulnerabilityCreatedTimestamp, vulnerabilityLastUpdatedTimestamp, vulnerabilityDeletedTimestamp, exploitAvailable, all. |
array<string> |
["lastUpdatedTimestamp"] |
No |
startTime |
Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as startOfDay - 1 day. |
string |
startOfDay |
No |
endTime |
End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as now. |
string |
now |
No |
timeMatchStrategy |
How to evaluate multiple timeField values. Allowed values: any, all. Mainly relevant when more than one time field is provided. |
string |
any |
No |
request.keywordFilter fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
keywords |
Search terms to match. | array<string> |
None | No |
keywordField |
Which asset keyword fields to search. Allowed values: assetAll, shortName, name, description, vulnerabilityDefinitionAll, references, vulnerabilityID, vulnerabilityName, all. |
array<string> |
["assetAll"] |
No |
keywordMatch |
How to evaluate multiple keywords. Allowed values: any, all. Required when keywords are present. |
string |
all |
No |
request.userFilter fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
user |
User or user-group IDs or names to match. Any listed value may match. | array<string> |
None | No |
userField |
Which user fields to search. Allowed values: firstSeenByUser, lastSeenByUser, createdByUser, lastUpdatedByUser, deletedByUser, owner, all. |
array<string> |
["all"] |
No |
request.groupFilter fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
groupRelationship |
Whether assets must have groups, must have no groups, or either is acceptable. Allowed values: hasGroup, withoutGroup, notMatter. |
string |
notMatter |
No |
assetGroup |
Asset group IDs or short names. Any listed group may match. | array<string> |
None | No |
groupScope |
Whether group matching is direct only or includes descendant groups. Allowed values: direct, subtree. |
string |
None | No |
includeGroupInfo |
Whether group information should be included in search results. | boolean |
false |
No |
request.page fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
limit |
Maximum number of items per page. Accepted range: 1 to 100. |
number |
25 |
No |
offset |
Number of items to skip before returning results. Must be 0 or greater. |
number |
0 |
No |
Usage notes
- Asset search pagination supports
1to100items per page. Values outside that range will fail. - For descending sorting, the LLM can use a
-prefix such as-lastUpdatedTimestamp. - Use
vulnerabilitySeverityfor overall risk severity. Useconfidentiality,availability, orintegrityonly for CIA impact-specific filtering.
Tool: generateArgusAssetStatisticsQuery¶
Purpose
Generate an Argus asset statistics query from your statistics intent. The result is the generated asset statistics JSON.
Arguments
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
request |
The full asset statistics definition the LLM builds from your request. | object |
None | Yes |
assetDefinition |
Asset definition to calculate statistics for. Allowed values: HostAsset, QualysHostAsset. |
string |
HostAsset |
Yes |
request fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
filter |
Filters used to choose the asset population before statistics are calculated. It supports the same filter fields as asset search, except pagination and sorting. | object |
Empty filter with default time range | No |
assetStatistics |
Statistics and aggregations to generate over the filtered assets. At least one output instruction is needed for a meaningful statistics query. | object |
Empty statistics request | Yes |
request.assetStatistics fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
timeRangeMetrics |
Time-based metrics over filtered assets. Use for requests such as assets created per day or last seen per week. | array<object> |
None | No |
numericMetrics |
Numeric summary metrics over supported asset fields. | array<object> |
None | No |
groupBy |
Fields to group statistics by. List order controls the hierarchy. | array<object> |
None | No |
At least one of timeRangeMetrics, numericMetrics, or groupBy should be present.
request.assetStatistics.timeRangeMetrics[] fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
name |
Unique name for this metric in the statistics request. Use a short name with letters, numbers, underscore, colon, dot, or dash. | string |
Generated if omitted | No |
timestampField |
Timestamp field used for the metric. Allowed values: created, deleted, lastSeen, lastUpdated. |
string |
None | Yes |
resolution |
Time bucket resolution. Allowed values: hour, day, week, month, year. |
string |
None | No |
includeEmptyBuckets |
Whether empty time buckets should appear in the result. | boolean |
None | No |
request.assetStatistics.numericMetrics[] fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
numericField |
Numeric asset field to summarize. Allowed values: vulnerabilities, cvss. |
string |
None | Yes |
request.assetStatistics.groupBy[] fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
field |
Asset field to group by. Allowed values: customer, assetGroup. |
string |
None | Yes |
limit |
Maximum number of buckets for this group level. | number |
25 |
No |
Usage notes
- Statistics results are scoped trees, not flat lists. When grouping is used, each child bucket is constrained by its parent buckets.
- If no filter time range is requested, the LLM can omit it and let the default filter time range apply.
- Do not use the statistics query for a plain asset list. Use asset search when the user asks to retrieve assets.
Tool: listArgusAssetSearchSortBy¶
Purpose
Return the allowed sortBy values for Argus asset search.
Arguments
This tool takes no arguments.
Current returned values
id, customerID, shortName, name, ownerID, firstSeenTimestamp, lastSeenTimestamp, lastScanTimestamp, createdTimestamp, lastUpdatedTimestamp, deletedTimestamp, totalCVSS, vulnerabilitiesCount