Skip to content

Argus Case Search Translator MCP Tools

These MCP tools help you build and validate Argus case search queries.

They support two main needs:

  • generate a structured case search query
  • discover valid values for flags, workflows, and sorting fields before building the query

General Notes

  • Use this tool when you want the LLM to turn your case-search intent into a valid search query.
  • Describe what you want to find in plain language, and the LLM can use the request fields in this document to build the search.
  • If your request involves case flags, service flags, workflows, or sorting, the LLM can look up the allowed values before building the query.
  • This applies to includeCaseFlag, excludeCaseFlag, serviceFilter.includeCaseServiceFlag, serviceFilter.excludeCaseServiceFlag, sortBy, and workflow[].flow.
  • The returned values are case-sensitive, so the LLM should keep them exactly as returned.
  • If you want actual search results after building the query, the LLM can then use the case search execution tool with the same search intent.

Tool: generateArgusCaseSearchQuery

Purpose

Generate an Argus case search query from your search intent.

Arguments

Argument: request

High-level purpose: the full case search definition the LLM builds from your request.

  • Type: object
  • Required: Yes
  • Default: None

request fields

Field Description Type Default Required
asset Match cases associated with any of the specified assets, using asset ID or short name. array<string> None No
customer Match cases belonging to any of the specified customers, using customer ID or short name. array<string> None No
caseID Match specific case IDs. array<number> None No
type Match case types. Allowed values: securityIncident, operationalIncident, information, change. array<string> None No
serviceFilter Match case service criteria. object None No
category Match case categories, using category ID or short name. array<string> None No
currentPriority Match current priority values. Allowed values: low, medium, high, critical. array<string> None No
initialPriority Match initial priority values. Allowed values: low, medium, high, critical. array<string> None No
currentStatus Match current case status values. array<string> None No
initialStatus Match initial case status values. array<string> None No
timeFilter Time-based narrowing for case search. object { "timeField": ["all"], "startTime": "startOfDay", "endTime": "now", "timeMatchStrategy": "any" } No
tag Tag-based case filter criteria. array<object> None No
workflow Workflow-based case filter criteria. array<object> None No
caseField Case field metadata filter criteria. array<object> None No
keywordFilter Keyword-based search across case text fields. object None No
userFilter User or user-group based case filtering. object None No
userAssigned Filter specifically on whether a user is assigned. boolean None No
techAssigned Filter specifically on whether technical personnel is assigned. boolean None No
caseAccessMode Match case access modes. Allowed values: roleBased, readRestricted, writeRestricted, explicit. array<string> None No
caseExplicitAccessFilter Match explicit-access grant criteria. When multiple criteria are provided, all must match. array<object> None No
includeCaseFlag Case flags that must all be present. When this filter is involved, the LLM can look up the allowed flag values behind the scenes. array<string> None No
excludeCaseFlag Case flags that must not be present. When this filter is involved, the LLM can look up the allowed flag values behind the scenes. array<string> None No
page Pagination settings. object { "limit": 25, "offset": 0 } No
sortBy Sort order list. Use list order as priority. Prefix with - for descending. When sorting is involved, the LLM can look up the allowed sort values behind the scenes. array<string> None No

request.serviceFilter fields

Field Description Type Default Required
caseService Match cases with any of these case service IDs or short names. array<string> None No
includeCaseServiceFlag Service flags that must all be present. When this filter is involved, the LLM can look up the allowed flag values behind the scenes. array<string> None No
excludeCaseServiceFlag Service flags that must not be present. When this filter is involved, the LLM can look up the allowed flag values behind the scenes. array<string> None No

request.timeFilter fields

Field Description Type Default Required
timeField Which case time field(s) the range applies to. Allowed values: createdTimestamp, lastUpdatedTimestamp, closedTimestamp, publishedTimestamp, customerDueTimestamp, techDueTimestamp, all. array<string> ["all"] No
startTime Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as startOfDay - 1 day. string startOfDay No
endTime End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as now. string now No
timeMatchStrategy How to evaluate multiple timeField values. Allowed values: any, all. string any No

request.tag[] fields

Field Description Type Default Required
tagKey The exact tag key or name to search for. string None Yes
value Tag values to match. Optional when checking only whether the tag exists. array<string> None No
searchCondition How to apply this tag criterion. Allowed values: MATCH, NEGATE, EXCLUDE_TAG. string None Yes

request.workflow[] fields

Field Description Type Default Required
flow Workflow token to match. When this filter is involved, the LLM can look up the allowed workflow values behind the scenes. string None Yes
acknowledgeStatus Workflow acknowledgement filter. Allowed values: acknowledged, unacknowledged, all. string all No
exclude Negate this criterion. boolean false No

request.caseField[] fields

Field Description Type Default Required
fieldName The exact case field name to search for. string None Yes
value Field values to match. Optional when checking only whether the field exists. array<string> None No
searchCondition How to apply this field criterion. Allowed values: MATCH, NEGATE, EXCLUDE_FIELD. string None Yes

request.keywordFilter fields

Field Description Type Default Required
keywords Search terms to match. array<string> None No
keywordField Which case text fields to search. Allowed values: subject, description, comments, customerReference, id, all. array<string> None No
keywordMatch How to evaluate multiple keywords. Allowed values: any, all. string None No

request.userFilter fields

Field Description Type Default Required
user User IDs, user names, or user-group names to match. array<string> None No
userField Which user-related case fields to search. Allowed values: reporter, assignedUser, assignedTech, createdByUser, lastUpdatedByUser, closedByUser, publishedByUser, commentedByUser, watchedByUser, all. array<string> ["all"] No

request.caseExplicitAccessFilter[] fields

Field Description Type Default Required
startTime Match cases with explicit access granted after this time. Uses the same time formats as other time filters. string None No
endTime Match cases with explicit access granted before this time. Uses the same time formats as other time filters. string None No
accessLevel Match explicit access levels. Allowed values: read, write, owner. array<string> None No
user User IDs, user names, or user-group names whose explicit access grants should match. array<string> None No
includeAncestor Whether to include the specified users and their ancestors when matching access grants. boolean false No

request.page fields

Field Description Type Default Required
limit Maximum number of items per page. Accepted range: 1 to 100. number 25 No
offset Number of items to skip before returning results. Must be 0 or greater. number 0 No

Usage notes

  • Case search pagination supports 1 to 100 items per page. Values outside that range will fail.
  • For descending sorting, the LLM can use a - prefix such as -createdTimestamp.
  • currentStatus and initialStatus support: pendingCustomer, pendingSoc, pendingVendor, workingSoc, workingCustomer, pendingClose, closed.
  • Tag and case-field filters support both value matching and existence checks.

Tool: listArgusCaseFlags

Purpose

Return the allowed case flag values for case search.

Arguments

This tool takes no arguments.

Current returned values

DELETED, EXTERNAL_SYNC, HAS_ATTACHMENT, INTERNAL, MAIL_UPDATE, MERGED, NOTIFIED, PUBLISHED, SUBMITTED_BY_ANONYMOUS_USER, SUBMITTED_BY_OTHER_USER, DEFAULT_CONTACTS, DESCRIPTION_EDITED, SUBMITTED_BY_TECH, SUBJECT_EDITED, HAS_EVENTS, TEST_DATA, HAS_COMMENTS, REOPENED, CREATED_AS_PUBLISHED

Tool: listArgusCaseSearchSortBy

Purpose

Return the allowed sortBy values for case search.

Arguments

This tool takes no arguments.

Current returned values

id, reporter, createdByUser, createdTimestamp, lastUpdatedByUser, lastUpdatedTimestamp, assignedUser, assignedTech, closedByUser, closedTimestamp, customerDueTimestamp, techDueTimestamp, publishedByUser, publishedTimestamp, customer, priority, status, type, service, category, subject

Tool: listArgusCaseServiceFlags

Purpose

Return the allowed case service flag values for service filtering within case search.

Arguments

This tool takes no arguments.

Current returned values

DELETED, HANDLED_BY_SOC, MONITORED_BY_SOC_OUTSIDE_OFFICEHOURS, DEPRECATED, EVENT_ENABLED

Tool: listArgusCaseWorkflow

Purpose

Return the allowed workflow values for case search.

Arguments

This tool takes no arguments.

Current returned values

validation, nocValidation, tuning, escalation, customerUpdate, escalateTI, escalateNSA, escalateLog, escalateInfra, escalateDetection, escalateOperations, escalateMSI, escalateMSIAnalyst, severityAlert, slaViolation, internalSlaViolation, delegateToSOC, escalateDEV, escalateTRS, escalateMSSAnalyst, escalateTAM, qaValidation, socAnalysis, escalateO3C