From kaseya-rocketcyber
Use this skill when working with RocketCyber security incidents - searching, triaging, investigating, and resolving incidents. Covers incident lifecycle, severity levels, verdicts (Malicious/Suspicious/Benign), status transitions, SOC analyst triage patterns, and cross-vendor PSA ticket correlation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/kaseya-rocketcyber:incidentsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Incidents are the core artifact in RocketCyber's managed SOC platform. When the SOC detects a potential threat -- through endpoint telemetry, log analysis, or behavioral detection -- it creates an incident. MSP technicians and SOC analysts use incidents to investigate threats, determine verdicts, and take remediation actions.
Incidents are the core artifact in RocketCyber's managed SOC platform. When the SOC detects a potential threat -- through endpoint telemetry, log analysis, or behavioral detection -- it creates an incident. MSP technicians and SOC analysts use incidents to investigate threats, determine verdicts, and take remediation actions.
The incident system supports:
┌─────────┐ Analyst ┌──────────────┐ Resolved ┌───────────┐
│ New │ ──────────> │ In Progress │ ────────────> │ Resolved │
└─────────┘ └──────────────┘ └───────────┘
│ │
│ │ Determined benign
│ ▼
│ ┌────────────────┐
└──────────────────> │ False Positive │
└────────────────┘
Verdicts represent the SOC analyst's assessment of the threat:
| Verdict | Description | Typical Action |
|---|---|---|
| Malicious | Confirmed threat requiring immediate remediation | Isolate endpoint, remove threat, notify customer |
| Suspicious | Potentially threatening; requires further investigation | Monitor closely, gather additional evidence |
| Benign | Activity is legitimate and not a threat | Close incident, update detection rules if needed |
| Severity | Description | SLA Target |
|---|---|---|
| Critical | Active breach or imminent threat to business operations | Immediate (15 min) |
| High | Confirmed malicious activity requiring urgent response | 1 hour |
| Medium | Suspicious activity that needs investigation | 4 hours |
| Low | Minor anomaly or informational finding | 8 hours |
| Field | Type | Description |
|---|---|---|
id | integer | Unique incident identifier |
title | string | Short description of the incident |
description | string | Detailed incident narrative from SOC |
status | string | Current status: New, In Progress, Resolved, False Positive |
severity | string | Severity level: Critical, High, Medium, Low |
verdict | string | Analyst verdict: Malicious, Suspicious, Benign |
accountId | integer | Customer account where the incident occurred |
accountName | string | Customer account name (verify against API docs) |
createdAt | datetime | When the incident was created |
updatedAt | datetime | When the incident was last updated |
resolvedAt | datetime | When the incident was resolved (if applicable) |
assignedTo | string | Analyst or resource assigned to the incident (verify against API docs) |
eventCount | integer | Number of related threat events (verify against API docs) |
affectedDevices | array | List of endpoints involved (verify against API docs) |
Note: Field names are inferred from the Celerium PowerShell wrapper and common SOC platform conventions. Verify exact field names against RocketCyber API responses.
# All incidents (most recent first)
curl -s "https://api-${ROCKETCYBER_REGION:-us}.rocketcyber.com/v3/incidents" \
-H "Authorization: Bearer ${ROCKETCYBER_API_KEY}"
Response (verify against API docs):
{
"data": [
{
"id": 98765,
"title": "Suspicious PowerShell execution detected",
"status": "New",
"severity": "High",
"verdict": "Suspicious",
"accountId": 12345,
"createdAt": "2026-02-22T14:30:00Z",
"updatedAt": "2026-02-22T14:30:00Z"
}
],
"totalCount": 245,
"page": 1,
"limit": 50
}
# Incidents for a specific customer
curl -s "https://api-us.rocketcyber.com/v3/incidents?accountId=12345" \
-H "Authorization: Bearer ${ROCKETCYBER_API_KEY}"
# Only open (New + In Progress) incidents
curl -s "https://api-us.rocketcyber.com/v3/incidents?status=open" \
-H "Authorization: Bearer ${ROCKETCYBER_API_KEY}"
# Only resolved incidents
curl -s "https://api-us.rocketcyber.com/v3/incidents?status=resolved" \
-H "Authorization: Bearer ${ROCKETCYBER_API_KEY}"
Note: The exact query parameter values for status filtering (e.g.,
status=openvsstatus=New) should be verified against the API documentation.
# Critical incidents only
curl -s "https://api-us.rocketcyber.com/v3/incidents?severity=critical" \
-H "Authorization: Bearer ${ROCKETCYBER_API_KEY}"
# Incidents from the last 7 days (verify date parameter format)
curl -s "https://api-us.rocketcyber.com/v3/incidents?startDate=2026-02-16T00:00:00Z&endDate=2026-02-23T00:00:00Z" \
-H "Authorization: Bearer ${ROCKETCYBER_API_KEY}"
# Single incident with full details
curl -s "https://api-us.rocketcyber.com/v3/incidents/98765" \
-H "Authorization: Bearer ${ROCKETCYBER_API_KEY}"
Response (verify against API docs):
{
"id": 98765,
"title": "Suspicious PowerShell execution detected",
"description": "Encoded PowerShell command detected on WORKSTATION-01. The command attempts to download and execute a remote script from an external IP address.",
"status": "In Progress",
"severity": "High",
"verdict": "Malicious",
"accountId": 12345,
"accountName": "Acme Corporation",
"createdAt": "2026-02-22T14:30:00Z",
"updatedAt": "2026-02-22T15:45:00Z",
"resolvedAt": null,
"eventCount": 3,
"affectedDevices": [
{
"hostname": "WORKSTATION-01",
"os": "Windows 11",
"lastSeen": "2026-02-22T15:30:00Z"
}
]
}
accountId for the target customerRocketCyber incidents often need to be correlated with PSA tickets for billing and tracking:
See also: shared incident correlation skills if available in
shared/skills/
| Scenario | HTTP Code | Resolution |
|---|---|---|
| Invalid API key | 401 | Verify key in Provider Settings > API |
| Account not found | 404 | Check account ID with /accounts endpoint |
| Incident not found | 404 | Verify incident ID; it may have been purged |
| Rate limited | 429 | Back off 30 seconds, retry with exponential backoff |
| Invalid filter value | 400 | Check query parameter values against API docs |
401 Unauthorized
Verify your RocketCyber credentials:
- ROCKETCYBER_API_KEY: Your API key from Provider Settings > API tab
- Ensure the key has not been revoked or regenerated
npx claudepluginhub p/drewrox2009-kaseya-rocketcyber-msp-claude-plugins-kaseya-rocketcyberGuides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.