Back to Nodes

RocketCyber

Last updated May 29, 2026

RocketCyber (Kaseya managed SOC) node for n8n — query incidents, agents, events, firewalls, Microsoft 365, Defender status, and accounts. AI-agent ready.

131 Weekly Downloads
131 Monthly Downloads

Included Nodes

RocketCyber

Description

n8n-nodes-rocketcyber

An n8n community node for RocketCyber — the Kaseya managed SOC / MDR platform. Query incidents, agents, events, firewall threats, Microsoft 365 and Defender security data, and your provider account hierarchy directly from your workflows.

The node is read-only (the RocketCyber v3 API exposes only GET endpoints) and is AI-agent ready (usableAsTool), so it can be wired straight into an AI Agent for SOC triage, reporting, and enrichment.

Installation

In n8n, go to Settings → Community Nodes → Install and enter:

n8n-nodes-rocketcyber

Or install from the command line in your n8n root:

npm install n8n-nodes-rocketcyber

Credentials

Create a RocketCyber API credential:

| Field | Description |
|——-|————-|
| Region | Your RocketCyber data region: US (api-us), EU (api-eu), or AU (api-au). |
| API Token | A provider API token. In the RocketCyber console go to Provider Settings → API and generate a token. |

The credential test calls GET /account, so an invalid token or wrong region fails immediately at save time.

Resources & operations

All operations are read-only.

| Resource | Operations | Endpoint |
|———-|———–|———-|
| Account | Get | /account |
| Agent | Get Many | /agents |
| Incident | Get Many | /incidents |
| Event | Get Many, Get Summary | /events, /events/summary |
| Firewall | Get Many | /firewalls |
| Microsoft 365 | Get Many | /office |
| App | Get Many | /apps |
| Microsoft Defender | Get | /defender |

Get Many operations support Return All (auto-paginate) or a Limit.

Filters

The RocketCyber API enforces a strict per-endpoint parameter allowlist, so the node only exposes filters the API actually accepts:

| Filter | Applies to | Values |
|——–|———–|——–|
| Account ID | every resource | An MSP customer account ID. Leave empty for provider-level data across all customers. |
| Status | Incident | open, resolved |
| Status | App | active, inactive |
| Verdict | Event | informational, suspicious, malicious |
| App | Event (Get Many) | Required. The event source — picked from a dropdown populated live from /apps, or supplied as an ID via an expression. |

> Events require an App. GET /events returns events for a single app source, so the App field is required for the Event → Get Many operation. Use Event → Get Summary for a count of events per app.

Use as an AI tool

This node sets usableAsTool: true. In an AI Agent, connect it as a tool and the model can call operations like “get many open incidents for account 52171” or “get the Defender summary” on its own. Because every endpoint is read-only, there is no risk of the model mutating SOC data.

Notes

  • Read-only: RocketCyber’s v3 API has no create/update/delete endpoints; this node mirrors that.
  • Pagination: agents, incidents, events, and firewalls are page-based; apps and office return their full collection in a single request; account, defender, and the event summary return a single object.
  • Rate limits: RocketCyber rate-limits the API; the node returns a clear “rate limited” error on 429 so you can add a Wait/retry as needed.

License

MIT © Tristen Rice