RocketCyber
Overview
RocketCyber (a Kaseya product) is a managed Security Operations Center (SOC) platform that ingests telemetry from agents, firewalls, and cloud apps (Microsoft 365, Defender, etc.) and surfaces incidents, suppressed events, and remediation guidance for MSPs.
The Bumblebee integration exposes the full RocketCyber Customer API catalogue through a single send_request tool — the agent chooses the endpoint (e.g. /v3/agents, /v3/incidents, /v3/events) and query parameters based on the request.
The public Customer API is read-only, so Bumblebee can list and retrieve data but cannot create or modify RocketCyber records. This integration is currently a research preview.
Prerequisites & Setup
Before setting up the RocketCyber integration, you need:
- A RocketCyber tenant
- Provider-level access (the Customer API token lives under Provider Settings)
- A Customer API token generated from the RocketCyber API tab
Generate a Customer API Token
- Sign in to your RocketCyber portal
- Open the organization switcher in the top-right corner and select Provider Settings
- Open the RocketCyber API tab
- Click Generate Key — the token appears in the Access token field
- Copy the value immediately
Vendor documentation:
- Token guide: help.rocketcyber.kaseya.com
- Token guide (Kaseya helpdesk): helpdesk.kaseya.com
Configure in Bumblebee
- Go to the Integrations page in Bumblebee
- Select RocketCyber
- Paste your API Key (the Customer API token)
- Save the configuration
- Run a test request (e.g. list accounts) from the validation card
API Limits
The RocketCyber Customer API does not publish concrete per-minute or per-day request quotas. Bumblebee backs off and retries automatically on 429 responses. List endpoints accept pageSize up to 1000 records per page.
Available Tools
Core (1 tool)
- send_request — Thin wrapper around the RocketCyber Customer API. Required: endpoint (str, e.g.
"/v3/agents"or"/v2/account/2/incidents"). Optional: method (str, default"GET"), params (object, query string), data (object, request body — reserved for future write endpoints).
The agent selects the RocketCyber endpoint and parameters based on the workflow. Supported v3 resources include:
| Resource | Endpoint | Notable filters |
|---|---|---|
| Account | /v3/account | accountId, details |
| Agents | /v3/agents | accountId, hostname, ip, os, connectivity, sort, page, pageSize |
| Apps | /v3/apps | accountId, status, sort, order |
| Defender | /v3/defender | accountId |
| Firewalls | /v3/firewalls | accountId, deviceId, ipAddress, macAddress, type |
| Office | /v3/office | accountId |
| Incidents | /v3/incidents | accountId, status, title, createdAt, publishedAt, sort |
| Events | /v3/events | accountId, appId, userId, deviceId, verdict, dates |
| Events summary | /v3/events/summary | accountId |
| Report API | /v3/reportApi | userId, fileType, itemType, accountId, dates, ... |
| Suppression rules | /v3/suppression/rules | accountId, ruleId, ruleName, status, modifiedBy, stopDate, updatedAt |
| Suppression rule | /v3/suppression/rule/{ruleId} | accountId, userId |
Legacy v2 per-account endpoints (/v2/account/{id}/agents, /v2/account/{id}/incidents, /v2/account/{id}/events, /v2/account/{id}/firewalls, /v2/account/{id}/apps, /v2/account/{id}/office, /v2/account/{id}/defender/health, /v2/account/{id}/defender/risk) are also exposed when a v3 equivalent is not yet available.
Example calls
# List accounts visible to this token
send_request(endpoint="/v3/account")
# All agents for a specific account
send_request(endpoint="/v3/agents", params={"accountId": 2})
# Open incidents, newest first
send_request(
endpoint="/v3/incidents",
params={
"accountId": 2,
"status": "open",
"sort": "createdAt:desc",
"pageSize": 50,
},
)
# Events in a date window
send_request(
endpoint="/v3/events",
params={"accountId": 2, "dates": "2024-01-01|2024-01-31"},
)