Argus Event Search Translator MCP Tools¶
These tools help the LLM express event-related search intent as valid Argus query JSON before execution.
They support:
- building event search criteria and a shareable Argus portal search link
- building event statistics criteria for counts, grouped buckets, and time-based timelines
- looking up valid event flags, endpoint flags, and event search sort values
General Notes¶
- Use these tools when you want the LLM to prepare a valid event search or event statistics query from plain-language intent.
- If the request involves event flags, endpoint flags, or event search sorting, the LLM can resolve allowed values with the list tools behind the scenes.
- Allowed event flag, endpoint flag, and sort values are case-sensitive.
- Search translation returns criteria plus a shareable link. Statistics translation returns only the statistics criteria.
- If you want live Argus results after translation, the LLM can use the corresponding Event REST MCP tool with the same search or statistics intent.
- Event statistics requests need at least one output instruction:
statistics.groupByorstatistics.timeRangeMetrics.
Tool: generateArgusEventSearchQuery¶
Purpose
Generate an Argus event search query from event-search intent. The result contains:
searchCriteria: generated Event V2 search JSONsearchLink: shareable Argus portal link for the same search
Arguments
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
request |
Event search definition the LLM builds from the request. | object |
None | Yes |
includeProperties |
Whether event properties should be included when searching and fetching results. | boolean |
false |
Yes |
request Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
associateCaseID |
Match events associated with any of these case IDs. 0 means events with no associated case. |
array<number> |
None | No |
attack |
Attack-related criteria. Each item is one criterion. | array<object> |
None | No |
customer |
Match events belonging to any customer ID or short name. | array<string> |
None | No |
domainName |
Match events with any of these domain names. | array<string> |
None | No |
endpoint |
Endpoint-related criteria for source or destination endpoints. | array<object> |
None | No |
severity |
Match event severity. Allowed values: low, medium, high, critical. |
array<string> |
None | No |
eventIdentifier |
Match specific event identifiers. | array<string> |
None | No |
type |
Match event type. Allowed values: aggregated, raw. |
array<string> |
None | No |
timeFilter |
Time-based narrowing for the event search. | object |
{ "timeField": ["created"], "startTime": "startOfDay", "endTime": "now", "timeMatchStrategy": "any" } |
No |
includeEventFlag |
Event flags that matching events must contain. The LLM can look up allowed values. | array<string> |
None | No |
excludeEventFlag |
Event flags that matching events must not contain. The LLM can look up allowed values. | array<string> |
None | No |
property |
Event property criteria. | array<object> |
None | No |
page |
Pagination settings. | object |
{ "limit": 25, "offset": 0 } |
No |
sortBy |
Search result sort order. Use list order as priority. Prefix with - for descending. The LLM can look up allowed sort values. |
array<string> |
None | No |
request.attack[] Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
alarm |
Match events triggered by any of these alarms, using alarm ID or short name. | array<string> |
None | No |
attackCategory |
Match events in any of these attack categories, using ID or short name. | array<string> |
None | No |
signature |
Match events triggered by any of these security signatures. | array<string> |
None | No |
exclude |
Negate this attack criterion. | boolean |
false |
No |
required |
Require this criterion to match together with other criteria. | boolean |
true |
No |
request.endpoint[] Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
countryCode |
Match endpoint country codes. | array<string> |
None | No |
endpointFieldStrategy |
Which endpoint side to search. Allowed values: source, destination, all. |
string |
all |
No |
ip |
Match endpoint IPs or CIDR networks. Supports IPv4, IPv6, and CIDR notation. | array<string> |
None | No |
minMaskBits |
Minimum CIDR prefix length to match. Useful to exclude broad subnets. | number |
None | No |
port |
Match endpoint ports. | array<number> |
None | No |
includeEndpointFlag |
Endpoint flags that must be present. The LLM can look up allowed values. | array<string> |
None | No |
excludeEndpointFlag |
Endpoint flags that must not be present. The LLM can look up allowed values. | array<string> |
None | No |
exclude |
Negate this endpoint criterion. | boolean |
false |
No |
required |
Require this endpoint criterion to match together with other criteria. | boolean |
false |
No |
request.timeFilter Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
timeField |
Event time fields the range applies to. Allowed values: created, lastUpdated, firstAssessment, enginePersisted, firstEvent, lastEvent, published, all. |
array<string> |
["created"] |
No |
startTime |
Start of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as startOfDay - 1 day. |
string |
startOfDay |
No |
endTime |
End of the time range. Accepts epoch millis as string, ISO-8601 UTC, or relative expressions such as now. |
string |
now |
No |
timeMatchStrategy |
How to evaluate multiple timeField values. Allowed values: any, all. |
string |
any |
No |
request.property[] Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
key |
Property key to match. | string |
None | Yes |
value |
Property values to match against the key. | array<string> |
None | Yes |
valueMatchStrategy |
How to combine multiple values. Allowed values: any, all. |
string |
any |
No |
valueSearchStrategy |
How to compare each value. Allowed values: tokenized, exact. |
string |
exact |
No |
exclude |
Negate this property criterion. | boolean |
false |
No |
required |
Require this property criterion to match together with other criteria. | boolean |
false |
No |
request.page Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
limit |
Maximum number of items per page. Accepted range: 1 to 100. |
number |
25 |
No |
offset |
Number of items to skip before returning results. Must be 0 or greater. |
number |
0 |
No |
Usage Notes
- If event properties are needed in result rows, ask for properties explicitly so the LLM can enable
includeProperties. - Event search pagination supports
1to100items per page. - Descending sorting uses a
-prefix, for example-createdTimestamp. - Event identifiers use the format
timestamp/customerID/eventID.
Tool: generateArgusEventStatisticsQuery¶
Purpose
Generate an Argus event statistics query from event-statistics intent. The result is Event V2 statistics JSON that can be used to calculate counts, grouped buckets, and time-based timeline metrics.
Arguments
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
request |
Event statistics definition the LLM builds from the request. | object |
None | Yes |
request Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
filter |
Filters that select which events are included before statistics are calculated. | object |
Default event filter with created-time range from startOfDay to now |
No |
statistics |
Statistics outputs to calculate. Must include groupBy, timeRangeMetrics, or both. |
object |
Empty object | Yes |
request.filter Fields¶
These filters use the same shape as event search filters, except there is no pagination, sorting, or includeProperties option.
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
associateCaseID |
Include events associated with any of these case IDs. 0 means events with no associated case. |
array<number> |
None | No |
attack |
Attack-related criteria. | array<object> |
None | No |
customer |
Include events for any customer ID or short name. | array<string> |
None | No |
domainName |
Include events with any of these domain names. | array<string> |
None | No |
endpoint |
Endpoint-related criteria. | array<object> |
None | No |
severity |
Include event severities. Allowed values: low, medium, high, critical. |
array<string> |
None | No |
eventIdentifier |
Include specific event identifiers. | array<string> |
None | No |
type |
Include event types. Allowed values: aggregated, raw. |
array<string> |
None | No |
timeFilter |
Time range selecting the event population for statistics. | object |
{ "timeField": ["created"], "startTime": "startOfDay", "endTime": "now", "timeMatchStrategy": "any" } |
No |
includeEventFlag |
Event flags that events must contain. The LLM can look up allowed values. | array<string> |
None | No |
excludeEventFlag |
Event flags that events must not contain. The LLM can look up allowed values. | array<string> |
None | No |
property |
Event property criteria. | array<object> |
None | No |
request.statistics Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
groupBy |
Fields by which to group statistics. Order controls the aggregation hierarchy. | array<object> |
None | Required if timeRangeMetrics is omitted |
timeRangeMetrics |
Time-based timeline metrics to calculate over the filtered events. | array<object> |
None | Required if groupBy is omitted |
At least one of groupBy or timeRangeMetrics should be present for a meaningful statistics request.
request.statistics.groupBy[] Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
field |
Event field to group by. Allowed values: signature, attackCategory, alarm, location, severity, sourceIP, destinationIP, protocol, customer, sourceCountry, destinationCountry, associatedCase. |
string |
None | Yes |
limit |
Maximum number of distinct buckets for this group field. | number |
25 |
No |
request.statistics.timeRangeMetrics[] Fields¶
| Field | Description | Type | Default | Required |
|---|---|---|---|---|
name |
Unique metric name for the timeline metric. If omitted, the generated query may create a name. | string |
Generated when omitted | No |
timestampField |
Event timestamp field to bucket. Allowed values: created, lastUpdated, firstAssessment, enginePersisted, firstEvent, lastEvent. |
string |
None | Yes |
resolution |
Timeline bucket size. Allowed values: minutes, hours, days, weeks, months, years. |
string |
None | No |
includeEmptyBuckets |
Whether empty time buckets should be included. | boolean |
None | No |
Usage Notes
- The statistics filter time range selects the events included in the calculation.
- Timeline metric start and end timestamps follow the filter time range.
- Grouping order matters. For example, grouping by
customerthenseveritycreates customer buckets with severity buckets inside each customer. - Event statistics do not support numeric summary metrics; use
groupByandtimeRangeMetrics. - Event statistics timeline fields are narrower than search time fields. For example,
publishedcan be used in search time filters but is not a valid timeline metric timestamp field.
Tool: listArgusEventFlags¶
Purpose
Return allowed event flag values for event search and event statistics filtering.
Arguments
This tool takes no arguments.
Current Returned Values
established, blocked, partiallyBlocked, snapshot, finalized, falsePositive, notAThreat, tuningCandidate, notified, notifiedUnpublished, notifiedDeleted, followup, partiallyNotified, identifiedThreat, threatCandidate, acknowledged, partiallyAcknowledged, severityAdjusted, commented, filtered, checked, incompleteDetails, aggregatedBaseEvent, remoteStorage, hasDetails, hasPayload, hasPcap, associatedToCaseByFilter, severityIncreasedByFilter, severityReducedByFilter, createdByAnalysisFilter, extendEventTtl, initialTuning, postAnalysis, partialSslTerminated, sslTerminated, autoReport, missingTimestamp, clockOutOfSync, dropAnalysis, escalatedByReputation, hasSample, storeEvent, storeAggregated, handledByAnalyst, slaViolation, payloadTruncated, hasStringPayload, reassessed, eventFromOtEnvironment, eventFromRestrictedItEnvironment, failure
Tool: listArgusEndpointFlags¶
Purpose
Return allowed endpoint flag values for endpoint filtering in event search and event statistics.
Arguments
This tool takes no arguments.
Current Returned Values
isCustomerNet, isPartialCustomerNet, customAggregation, isManagedBySoc
Tool: listArgusEventSearchSortBy¶
Purpose
Return allowed sortBy values for event search.
Arguments
This tool takes no arguments.
Current Returned Values
customerID, eventID, createdTimestamp, lastUpdatedTimestamp, firstEventTimestamp, lastEventTimestamp