Skip to main content
Glama
AutomoxCommunity

Automox MCP Server

Audit Events OCSF

audit_events_ocsf
Read-onlyIdempotent

Query OCSF-formatted audit events from Automox by required date and optional event filters, with cursor-based pagination for large result sets.

Instructions

Query OCSF-formatted audit events from the Automox Audit Service v2. Filter by date (required) and event type name. The category_name filter is applied client-side against the event type_name prefix: the upstream events do NOT carry a category_name field, only an integer category_uid that maps 1:N across categories, so category filtering matches the type_name label prefix (authentication/entity_management/web_resource_activity are live-verified prefixes; account_change/user_access are spec-derived and unverified live). An unmappable category token leaves results unfiltered and sets metadata.applied_filters.category_name_matched=false (so an empty result is never mistaken for 'no activity'); metadata.events_before_filter reports the unfiltered count. category_uid/type_uid/class_uid/activity_id are raw OCSF taxonomy integers with no decode table in the upstream spec — prefer the human-readable sibling strings type_name and activity. Uses cursor-based pagination for large result sets. Event time is an ISO 8601 UTC string (converted from the upstream epoch-seconds value). The date parameter selects events by event date; the timezone of that date boundary is not stated by the upstream spec (unverified). severity/status labels follow the OCSF scales (severity: informational/low/medium/high/critical/fatal; status: success/failure/other) and are filled from severity_id/status_id when the upstream omits the string. Permissions: as of 2025-10-27 the upstream endpoint requires the API key to have BOTH organization:manage and users:read scopes; keys missing either scope return 403.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
dateYes
limitNo
cursorNo
type_nameNo
category_nameNo
output_formatNojson
Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The description extensively discloses behavioral traits beyond the annotations: client-side filtering, pagination, time conversion, permissions (specific scopes required), and edge-case handling (unmappable category results in unfiltered response). No contradiction with annotations (readOnlyHint, etc.).

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is lengthy but dense with information. It front-loads the main purpose and then systematically details parameters and behavioral nuances. While every sentence adds value, some sections (e.g., exact details on unmappable categories) could be condensed for brevity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool with 6 parameters, no output schema, and complex behavior, the description covers nearly all aspects: filtering, pagination, permissions, and response metadata. It lacks a full enumeration of response fields, but it explains key structures like `applied_filters` and `events_before_filter`. Overall highly complete.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 0% schema description coverage, the description fully compensates by explaining each parameter's purpose, constraints (e.g., date required, category_name prefix matching), defaults, and behavior (cursor pagination, output_format). It adds significant meaning beyond the raw schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: querying OCSF-formatted audit events with filtering by date and event type. It specifies the source (Automox Audit Service v2). However, it does not explicitly distinguish from sibling tools like 'audit_trail_user_activity' or 'list_events', though the context of OCSF format is unique.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides detailed guidance on parameter usage, especially the client-side nature of category_name filtering and the behavior when tokens are unmappable. It also notes that human-readable strings are preferred over raw integer UIDs. However, it does not explicitly state when to use this tool versus alternatives (e.g., for non-OCSF audit events).

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/AutomoxCommunity/automox-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server