KB // RocketCyber SOC Operations Console

01

What Is This Tool

Purpose, use cases, audience

The RocketCyber SOC Operations Console is a single-file HTML dashboard designed to give MSP technicians and SOC staff an at-a-glance view of all security data flowing through the RocketCyber platform. It consumes the RocketCyber Customer API v3 via a server-side proxy and renders three simultaneous data streams — incidents, agents, and app events — in a fixed-height three-column layout that fills the entire screen with no scrolling.

It is designed to operate as a NOC wall display, a standby screen during standup meetings, or an operations tab open alongside your PSA and RMM. Because the underlying API is read-only, this console is purely observational — it surfaces what RocketCyber's SOC has detected and reported. Remediation and isolation happen in the RocketCyber portal or via your PSA/RMM tooling.

Key Characteristic

This console surfaces existing RocketCyber data. It does not create, modify, or delete anything. Every action in the interface that affects data routes through a separate PSA proxy or the RocketCyber portal directly — not through the RocketCyber API itself.

Primary Use Cases

NOC Wall DisplayMount on a monitor visible to the operations floor. The 30-second auto-refresh keeps incident and agent status current without manual interaction.

Standup / TriageOpen alongside ticketing during morning standup. The incident stream on the left and the full incident table in the center give a full picture of what the RocketCyber SOC is seeing across all accounts.

Client QBR PrepSwitch the account filter to a single client. The KPI tiles and app coverage cards give a ready-made talking point for event volume and SOC activity.

On-Call ReferenceThe Events view with verdict filtering lets an on-call engineer quickly scope to malicious or suspicious detections and jump to the RocketCyber portal for the full report.

02

Architecture

Proxy pattern, data flow, CORS constraint

The RocketCyber API enforces CORS headers that block direct browser calls. All requests must originate from a server-side proxy that injects the Bearer token before forwarding to the RocketCyber API. The console never holds or exposes the token — it only calls paths on your own domain.

Browser

Console UI

→/proxy/rocketcyber/v3/*

Your Server

Proxy Layer

→Authorization: Bearer {token}

RocketCyber

api-us.rocketcyber.com/v3

CORS Restriction

RocketCyber does not permit browser-direct API calls. If you attempt to call api-us.rocketcyber.com from the browser without a proxy, every request will fail with a CORS error. The proxy is not optional.

Data Flow Steps

01

Page Load — DOMContentLoaded

The console fires rcLoadAll() immediately on DOM ready. Five parallel Promise.allSettled() calls go to your proxy — account, agents, apps, incidents, events.
02

Proxy Receives & Forwards

Your server receives GET /proxy/rocketcyber/v3/agents?pageSize=1000, appends Authorization: Bearer {token}, and forwards to https://api-us.rocketcyber.com/v3/agents?pageSize=1000.
03

RocketCyber Returns JSON

Each endpoint returns a JSON object with a data array. The proxy passes the response body back to the browser with no modification.
04

Console Populates All Panels

rcRenderAll() runs once all five responses resolve. Rail counters animate, KPI tiles populate, the app coverage row renders, and the active view's table fills. The refresh bar then begins its 30-second countdown.
05

30-Second Auto-Refresh

When the refresh bar depletes, rcRefresh() re-runs all five GET calls. Any selected row is re-bound to the refreshed data and the detail panel updates in place.

03

Console Layout

Full-viewport three-column NOC layout

The console uses a fixed full-viewport layout — no page scroll. The entire screen is divided into a rail at the top, a KPI row directly below, and a three-column working area that fills the remainder. Every column scrolls internally.

RAIL — brand · account count · online/offline/isolated agents · open incidents · malicious events · clock · refresh

KPI ROW — 6 tiles: Total Agents · Offline · Open Incidents · Malicious Events · Informational · Accounts

Left — 258px

Endpoint Health
─────────────
View Toggle
(Incidents/Agents/Events)
─────────────
Filter Buttons
─────────────
Open Incident
Stream (scrollable)

Center — flex (fills remaining)

App Coverage Cards (one per monitored app)
─────────────
Table Header (columns vary by view)
─────────────
Data Table (scrollable) — Incidents / Agents / Events
─────────────
Action Bar — 4 buttons (read-only aware)

Right — 288px

Detail Panel
(scrollable)
─────────────
Shows selected row fields, API source endpoint, field enum reference, and read-only note

Viewport Requirement

The console requires a minimum viewport of approximately 1100px wide to render the three-column layout without compression. On smaller screens, columns may stack or overflow. It is designed for 1440px+ desktop displays or NOC monitors.

04

API v3 Overview

Base URI, authentication, rate limits, read-only nature

Base URI

api-us.rocketcyber.com/v3

North American tenants. No EU mirror documented.

Auth Method

Bearer Token

Injected server-side. Never exposed to browser.

HTTP Methods

GET Only

No POST, PUT, DELETE. Read-only API.

Authentication

RocketCyber API keys are generated in the RocketCyber portal under Provider Settings > RocketCyber API. The key is passed as a Bearer token in the Authorization header. It must never be embedded in the HTML file or exposed to the browser — your proxy layer holds it.

Required header on every request

Authorization: Bearer YOUR_ROCKETCYBER_API_KEY

Token Security

Do not put your Bearer token in the HTML file, in a JavaScript variable visible to the browser, or in localStorage. Keep it exclusively in your proxy server's environment variables or secrets manager. A leaked token gives full read access to all account data.

Pagination

All list endpoints support pageSize (max 1000) and page parameters. The console requests pageSize=1000 by default. For providers with more than 1000 agents or incidents, you will need to implement pagination in your proxy or use the allPages pattern documented in the API wrapper.

Large Environments

If your environment has more than 1000 agents or incidents, the console will only show the first 1000. The PowerShell wrapper's -allPages flag handles this for scripting scenarios. For the console, add a pagination loop to your proxy if needed.

05

Endpoint Reference

All 7 API endpoints called by this console — field names from official documentation

GET /v3/account Accounts list

accountIdintegerUnique identifier for the account. Used as a filter parameter in other endpoints.

namestringDisplay name of the account (client name).

pathstringHierarchical path within the provider's account tree (e.g. root/client-name).

typestringAccount type, typically customer for end client accounts.

statusstringAccount status, typically active.

GET /v3/agents?pageSize=1000 Agent list — all installed RocketCyber agents

idstringUnique agent identifier (UUID format).

accountIdintegerThe account this agent belongs to. Join to /v3/account for account name.

hostnamestringDevice hostname as reported by the agent.

ipstringIP address of the device at last check-in.

osstringOperating system string (e.g. Windows 10 Pro, Windows Server 2022).

versionstringRocketCyber agent version installed on the device.

connectivitystring Current connection status of the agent. Three allowed values:

online offline isolated

GET /v3/apps Monitored apps — one per security monitoring module

idintegerApp ID. Required as a parameter when calling /v3/events?appId={id}.

namestringDisplay name of the monitoring app (e.g. Windows Defender, Ransomware Detection).

statusstringApp status, typically active when monitoring is running.

versionstringVersion string of the monitoring app module.

GET /v3/incidents?pageSize=1000 SOC-confirmed incidents

idintegerIncident ID. Use as ?id={n} to retrieve a specific incident.

accountIdintegerAccount the incident belongs to.

titlestringShort title of the incident as written by the RocketCyber SOC analyst.

descriptionstringFull analyst narrative describing what was detected and why it was flagged.

statusstring Two allowed values only:

open resolved

createdAtISO 8601Timestamp when the incident was created by the SOC (UTC).

resolvedAtISO 8601Timestamp when the incident was resolved. null for open incidents.

remediationstringSOC analyst notes on what was done to resolve the incident. May be null on open incidents.

GET /v3/events?appId={n}&pageSize=1000 App events — requires appId parameter

appIdintegerThe app this event came from. Obtain app IDs from /v3/apps.

accountIdintegerAccount the event belongs to.

verdictstring SOC classification of the event. Three allowed values:

malicious suspicious informational

detailsstringDescription of the detected behavior.

datesISO 8601Timestamp of the event detection.

Additional Endpoints (health monitoring only)

Endpoint	Purpose	Used In Console
/v3/defender	Windows Defender telemetry per account	API health panel (status check only)
/v3/office	Microsoft 365 security telemetry	API health panel (status check only)
/v3/firewalls	Firewall log data from syslog integration	API health panel (status check only)

06

Field Value Enumerations

Exact allowed values per the API documentation — used by all filters and badges

Why This Matters

All filter buttons, badge CSS classes, color tokens, and demo data in this console use these exact string values. If you are extending or customizing the console, use only these values when filtering or comparing against API responses — any other value will not match.

agent.connectivity

Source endpoint: GET /v3/agents

Value	Meaning	CSS Class	Color Token
online	Agent is actively connected to RocketCyber cloud	`ib-online`	`--c-online` (#00e87a)
offline	Agent has lost connectivity (powered off, network failure, uninstalled)	`ib-offline`	`--c-offline` (#ff4444)
isolated	Agent is online but host has been network-isolated by SOC	`ib-isolated`	`--c-isolated` (#ffe600)

incident.status

Source endpoint: GET /v3/incidents

Value	Meaning	CSS Class	Color Token
open	Incident requires attention. RocketCyber SOC has flagged and not yet resolved.	`ib-open`	`--s-open` (#ff4444)
resolved	Incident has been resolved. Remediation notes may be populated.	`ib-resolved`	`--s-resolved` (#00e87a)

No "Investigating" Status

The RocketCyber API does not have an investigating, mitigated, or in_progress status. Status is binary: open or resolved. Any third-party integration or wrapper that exposes additional states is inferring them — they do not come from the API field directly.

event.verdict

Source endpoint: GET /v3/events?appId={n}

Value	Meaning	CSS Class	Color Token
malicious	RocketCyber SOC has classified this event as confirmed malicious activity. Immediate review warranted.	`ib-malicious`	`--v-malicious` (#ff4444)
suspicious	Activity is anomalous or potentially malicious but not confirmed. Investigate alongside other signals.	`ib-suspicious`	`--v-suspicious` (#ffe600)
informational	Event was logged for awareness or compliance purposes. No immediate action required.	`ib-informational`	`--v-informational` (#4a90d9)

07

Rail & KPI Tiles

Top navigation bar and six-tile metric strip

The rail is a fixed 48px bar that persists across the full width of the screen. It contains the brand name, six animated counter stats, the demo mode indicator, a live clock, and the manual Refresh button.

Rail Counters

All six counters animate from their previous value to the new value on each refresh using a cubic-ease animation. They update live from the API data and are the fastest way to assess SOC health at a glance.

Counter	API Source	Field / Filter	Color
Accounts	GET /v3/account	Count of returned account objects	Cyan
Online	GET /v3/agents	`connectivity === 'online'`	Green
Offline	GET /v3/agents	`connectivity === 'offline'`	Red
Isolated	GET /v3/agents	`connectivity === 'isolated'`	Yellow
Open Inc.	GET /v3/incidents	`status === 'open'`	Red
Malicious Ev.	GET /v3/events	`verdict === 'malicious'`	Red

KPI Row (below rail)

Six tiles render directly below the rail, each showing a computed value, a label, and a context line. They use the same API data as the rail counters but present additional context (e.g. "12 online" as context for the Total Agents tile).

08

Incidents View

Default view — SOC-confirmed incidents from GET /v3/incidents

The Incidents view is the default view when the console loads. The center table shows all incidents sorted by createdAt descending (newest first). The left sidebar shows the open incident stream filtered to status=open for quick triage.

Status Filter Buttons

Three buttons control the statusFilter state variable. The filter applies client-side to the cached API data — no re-fetch occurs when changing filters.

AllShows both open and resolved incidents. Default on load.

OpenFilters to status === 'open' only. Use this during active triage to see what needs attention.

ResolvedFilters to status === 'resolved' only. Useful for reviewing closed incidents and remediation notes for reporting.

Table Columns

Column	API Field	Notes
ID	incident.id	Integer. Displays as `#1100` format. Click the row to open the detail panel.
Title	incident.title	SOC analyst-written title. Truncated with ellipsis at cell width.
Account	incident.accountName	Derived from joining accountId to the accounts list.
Status	incident.status	Badge: open or resolved — exactly two values.
Created	incident.createdAt	Displayed as M/D HH:MM. Full ISO 8601 timestamp visible in detail panel.

Row Selection

Clicking any row sets it as RC.selected, re-renders the table to apply the .selected highlight class, and populates the right-hand detail panel with the full incident data including description, remediation notes, timestamps, account, and the API endpoint that sourced the data.

09

Agents View

All installed RocketCyber agents from GET /v3/agents

Switch to Agents using the view toggle in the left sidebar. The table shows all agents across all accounts. The connectivity filter buttons narrow the view to a specific state. Each row is left-bordered with the connectivity color for instant visual scanning.

Connectivity Filter Buttons

Maps to the connectivity field. Values are exactly online, offline, or isolated — no other values exist in this field per the API documentation.

AllShows all agents regardless of connectivity. Default when switching to Agents view.

OnlineActive agents — agent process running and connected to RocketCyber cloud.

OfflineAgents that have lost connectivity. Could be powered off, network failure, agent stopped, or uninstalled.

IsolatedHosts that have been network-isolated by the RocketCyber SOC. The agent is still communicating but the host's network access is severed.

Isolated vs Offline

isolated is an active state — the RocketCyber agent is still online and communicating, but the host has been intentionally cut off from the network as a containment action. offline means the agent itself has lost connectivity. These are operationally very different and should be triaged differently.

10

Events View

App detection events from GET /v3/events — one record per detection

The Events view shows all events from all monitored apps, sorted by detection timestamp ascending (most recent first in the stream). Up to 100 rows render at a time for performance. The verdict filter buttons allow rapid scoping to malicious or suspicious events only.

appId Required on Live Calls

The real /v3/events endpoint requires an appId parameter — it will not return results without one. In the console's production mode, you will need to call the events endpoint once per app ID obtained from /v3/apps and merge the results. The demo mode handles this transparently by using a single pre-merged dataset.

Verdict Filter

Three values from the API — no others exist. Filtering is client-side against cached data.

maliciousConfirmed malicious activity. The RocketCyber SOC has classified this detection as a real threat. Treat as an active security event.

suspiciousAnomalous or potentially malicious. Warrants investigation but not confirmed. Correlate with other signals.

informationalLogged for visibility, compliance, or audit trail purposes. No immediate action required but may be relevant context for other events.

11

Detail Panel

Right-hand panel — shows full API field data for the selected row

The detail panel populates when you click any row in the center table. It shows a different set of fields depending on which view is active. Every detail panel also shows the exact API endpoint that sourced the record and the allowed field values — so technicians always have the context they need without looking up the docs.

Incident Detail

Field Shown	API Field	Notes
Incident ID + Status	id, status	Shown as large metric card at top. Status badge color matches enum.
Title	title	Full title without truncation.
Account	accountName (derived), accountId	Both display name and numeric ID shown.
Created / Resolved	createdAt, resolvedAt	Full ISO 8601. resolvedAt omitted if null (open incident).
Description	description	Full SOC analyst narrative in a styled description block.
Remediation	remediation	Shown in green-tinted block if populated. Omitted if null.
API source	—	Shows the exact GET endpoint path. Contextual reminder that data is read-only.

Agent Detail

Shows agent ID, hostname, connectivity badge, accountName, accountId, IP address, OS, and agent version. The endpoint path shown is GET /v3/agents?id={agent-id}. A read-only note reminds that agent isolation is performed in the RocketCyber portal.

Event Detail

Shows verdict badge, app name, full detection detail text, event ID, app ID, accountName, accountId, and full ISO 8601 timestamp. The endpoint path shown includes the required appId parameter.

12

Action Bar

Four buttons at the bottom of the center column — all honestly scoped to read-only API

Critical Limitation — Read-Only API

The RocketCyber API has no write operations. There is no POST, PUT, or DELETE endpoint in the v3 API. This means no action in this console can isolate a host, update an incident's status, or trigger any remediation through the RocketCyber API. All four action buttons are designed with this constraint in mind.

Button	What It Does	What It Does NOT Do
🎫 Create Ticket	Pulls the selected incident's data from the cached GET response, formats it for your PSA, and POSTs to `/proxy/psa/tickets` — your own PSA proxy endpoint.	Does not call the RocketCyber API. Does not update incident status in RocketCyber.
📥 Export CSV	Serializes the current filtered dataset (whatever view and filter is active) into a CSV blob and triggers a browser download. Entirely client-side — no API call.	Does not export from RocketCyber's API directly. Data exported is whatever was last loaded from the 30-second refresh cycle.
🔗 Open in Portal	Opens `app.rocketcyber.com` in a new browser tab. For environments where the selected incident ID can be deep-linked, the URL can be extended to target the specific incident.	Does not auto-authenticate. User must be logged in to the portal separately.
↻ Refresh	Re-runs all five GET calls (`/v3/account`, `/v3/agents`, `/v3/apps`, `/v3/incidents`, `/v3/events`) via the proxy. Updates all panels and resets the 30-second countdown.	Does not push any data to RocketCyber. Read-only GET calls only.

Isolating a Host

Host isolation is performed by the RocketCyber SOC on your behalf, or directly in the RocketCyber portal at app.rocketcyber.com. There is no API endpoint to trigger isolation programmatically in v3. If you need automation around isolation, contact RocketCyber about webhook or integration options through their PSA connectors.

13

Local Test Package

Everything you need to run a local proxy and test against the real API — no Azure required

Download

The local test package contains the proxy server, test UI, and one-click launchers for Windows and Mac/Linux. Unzip, add your token to .env, and double-click START.bat. ↓ Download from SharePoint

What's in the Package

File	Purpose
proxy.js	The Node.js proxy server. Reads your token from `.env`, forwards requests to `api-us.rocketcyber.com` with the Bearer header injected.
test-ui.html	Browser-based test interface. Hit every API endpoint, view syntax-highlighted JSON responses, download results. Served by the proxy at `localhost:3001/test-ui.html`.
START.bat	Windows double-click launcher. Checks for Node.js, installs npm deps on first run, validates the token, then starts the proxy.
START.sh	Mac / Linux equivalent of START.bat.
.env	Token configuration file. Paste your RocketCyber API token here. Never committed — listed in `.gitignore`.
package.json	npm manifest. Dependencies: `express`, `http-proxy-middleware`, `cors`.

First-Time Setup (Windows)

01

Install Node.js if not already installed

Download the LTS version from nodejs.org. Run the installer with defaults. You only need to do this once per machine.
02

Unzip the package and open the folder

Extract rc-proxy-local-test.zip to any location — your Desktop or Documents folder is fine.
03

Open .env and paste your token

Open the .env file in Notepad. Replace paste-your-token-here with your actual RocketCyber API token. Save and close. See Section 15 for how to find your token.
04

Double-click START.bat

A terminal window opens. On first run it installs the three npm packages (takes ~15 seconds). Then it starts the proxy and shows the test UI URL.
05

Open the test UI

Navigate to http://localhost:3001/test-ui.html in your browser. The proxy health indicator at the top right will show green. Click any endpoint in the sidebar and hit Send.

Using the Test UI

Check Proxy HealthHits localhost:3001/health and confirms the proxy is running and the token is loaded. Green dot = ready.

Run All EndpointsFires a request to every endpoint sequentially (pageSize=5 for speed) and shows pass/fail for each. Useful to confirm your token has access to all data types before wiring the console.

Events endpointRequires an appId parameter — the API rejects the request without it. First run Account → get account IDs, then Apps → get app IDs, then set the App ID param before testing Events.

Download JSONAfter any successful response, a Download JSON button appears in the response header. Use this to capture real API response shapes for building demo data or integration tests.

Keep the terminal window open

The proxy runs as long as the terminal window is open. Closing it stops the proxy. The test UI will show a red "Proxy not reachable" status if you try to use it after the proxy has been stopped.

14

Proxy Setup

Server-side proxy required — CORS prevents direct browser calls

The proxy's only job is to receive requests from the console, add the Bearer token header, and forward to RocketCyber. It should not log response bodies (which contain security event data) and should enforce origin restriction so only your console's domain can call it.

Node.js / Express Example

proxy-server.js — minimal RocketCyber proxy

const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');
const app = express();

// Bearer token stored in environment — never hardcoded
const RC_TOKEN = process.env.ROCKETCYBER_API_KEY;

app.use('/proxy/rocketcyber/v3', createProxyMiddleware({
  target: 'https://api-us.rocketcyber.com',
  changeOrigin: true,
  pathRewrite: { '^/proxy/rocketcyber/v3': '/v3' },
  onProxyReq(proxyReq) {
    proxyReq.setHeader('Authorization', `Bearer ${RC_TOKEN}`);
    proxyReq.setHeader('Accept', 'application/json');
  }
}));

app.listen(3001);

Nginx Example

nginx location block

location /proxy/rocketcyber/v3/ {
    proxy_pass         https://api-us.rocketcyber.com/v3/;
    proxy_set_header   Authorization "Bearer $ROCKETCYBER_API_KEY";
    proxy_set_header   Accept "application/json";
    proxy_hide_header  X-Powered-By;
}

Origin Restriction

Add an origin check to your proxy so only requests coming from your console's domain are forwarded. Without this, anyone who discovers your proxy URL can use it to read all your RocketCyber data. Use CORS middleware or a referrer check in your proxy server.

15

Bearer Token

Where to find it, how to store it, rotation guidance

Finding Your Token

01

Log in to the RocketCyber Portal

Navigate to app.rocketcyber.com and sign in with your Provider account credentials.
02

Open Provider Settings

Click your account name or the settings gear in the top navigation to reach Provider Settings.
03

Navigate to RocketCyber API

Find the "RocketCyber API" section within Provider Settings. The API key is displayed here. Full instructions: helpdesk.kaseya.com/hc/en-gb/articles/9239984991505
04

Copy and Store Securely

Store in your proxy server's environment variable as ROCKETCYBER_API_KEY. Do not store in source control, HTML files, or client-side JavaScript.

Token Scope

The API token provides read access to all accounts accessible by your Provider account. This includes all client accounts under your management. Treat it with the same sensitivity as a master password.

16

Go-Live Checklist

Steps to activate the console against the real RocketCyber API

01

Generate API token in RocketCyber portal

Provider Settings > RocketCyber API. Copy and store in your secrets manager or environment variable.
02

Deploy your proxy server

Use the Node.js or Nginx pattern from Section 13. Confirm it responds to GET /proxy/rocketcyber/v3/account with a 200 and returns your accounts array.
03

Uncomment the production fetch block

In the console's <script> block, locate the rcFetch() function. Uncomment the return fetch(endpoint, ...) block and remove the demo fallback return new Promise(...) block.
04

Update API_BASE constant

If your proxy path differs from /proxy/rocketcyber/v3, update the const API_BASE constant at the top of the script block.
05

Verify all 7 endpoint health indicators go green

Open the console. In the left sidebar under "API Endpoint Health", all seven rows should show green OK status. If any show ERR, check your proxy configuration and token validity.
06

Remove the Demo Mode pill from the rail

In the HTML, find <span class="demo-pill"> in the rail and remove it. This prevents confusing live and demo data.
07

Set up origin restriction on the proxy

Restrict proxy access to only requests originating from your console's domain. Add a CORS origin policy or HTTP Referer check.

16

PSA Integration

Wiring the Create Ticket button to ConnectWise or Autotask

The Create Ticket action in the console is wired to call /proxy/psa/tickets on your server. This is your own PSA proxy endpoint — not a RocketCyber API endpoint. You build this endpoint to translate a RocketCyber incident payload into whatever your PSA expects.

Payload Sent by Console

The console sends the full incident object as the request body. The relevant fields for ticket creation are:

idRocketCyber incident ID. Use as external ticket reference.

titleSOC-written incident title. Map to ticket summary.

descriptionFull SOC narrative. Map to ticket description body.

accountId / accountNameMap to your PSA company ID. You will need a lookup table to translate RocketCyber accountId to your PSA company record.

createdAtUse as ticket date created or first response timestamp.

statusUse to set initial ticket status: open = New, resolved = Closed.

Native PSA Integration

RocketCyber has a native integration with both ConnectWise Manage and Autotask that automatically creates tickets when the SOC opens an incident. If you have that integration configured, the Create Ticket button is most useful for manual escalation or follow-up tickets that fall outside the automatic flow. Check with your RocketCyber account team about the native PSA connector configuration.

ConnectWise Manage — Minimal Proxy Example

POST /proxy/psa/tickets — ConnectWise Manage

app.post('/proxy/psa/tickets', async (req, res) => {
  const inc = req.body;               // RocketCyber incident object
  const ticket = {
    summary:    inc.title,
    initialDescription: inc.description,
    company:   { id: mapToCompanyId(inc.accountId) },
    board:     { name: 'Security' },
    status:    { name: inc.status === 'open' ? 'New' : 'Closed' },
    externalXRef: `RC-${inc.id}`
  };
  const r = await fetch('https://api-na.myconnectwise.net/v4_6_release/apis/3.0/service/tickets', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Basic ${CW_AUTH_TOKEN}`,
      'clientId': CW_CLIENT_ID
    },
    body: JSON.stringify(ticket)
  });
  res.json(await r.json());
});

17

Demo Mode

How demo data is structured, how to identify it, how to switch to live

When the proxy is unavailable or returns a non-200 response, the console falls back to demo data automatically. The demo data is embedded in the script block as DEMO_ACCOUNTS, DEMO_AGENTS, DEMO_APPS, DEMO_INCIDENTS, and DEMO_EVENTS. All field names in the demo objects match the real API schema exactly — the structures are identical, only the values are synthetic.

Demo Data Characteristics

10 accountsNamed fictional companies with realistic accountId values starting at 10001.

20 agentsMix of Windows, macOS, Linux. Distribution: ~70% online, ~15% offline, ~15% isolated.

8 appsNamed after real RocketCyber monitoring modules (Windows Defender, Ransomware Detection, etc.).

12 incidents7 open, 5 resolved. Titles and descriptions written to resemble real SOC analyst language.

80 eventsDistributed across all 8 apps. Verdict mix: ~25% malicious, ~37% suspicious, ~38% informational.

Switching to Live

In the rcFetch() function, uncomment the return fetch(endpoint, ...) block (the production path) and delete the return new Promise(...) block (the demo fallback). That is the only code change required — all rendering functions work identically with real API data.

18

FAQ & Troubleshooting

Common issues and how to resolve them

Console shows demo data even after configuring proxy

The rcFetch() function still has the demo fallback active. You must uncomment the production return fetch() block and remove the demo return new Promise() block manually. The fallback activates on any non-200 or error response, so it can mask a proxy failure.

All API health dots show ERR

The proxy server is not reachable, the ROCKETCYBER_API_KEY environment variable is not set, or the proxy path doesn't match /proxy/rocketcyber/v3. Test the proxy directly: curl http://your-server/proxy/rocketcyber/v3/account and verify you get a JSON response.

Events view is empty / shows no data

The /v3/events endpoint requires an appId parameter. In demo mode this is handled automatically. In production mode, your proxy or fetch logic must call events once per app ID obtained from /v3/apps. The console's default fetch URL /v3/events?pageSize=1000 without an appId will return no results from the real API.

I see more than two incident statuses in my PSA data

The RocketCyber API only exposes open and resolved. Additional status values you may see in ConnectWise or Autotask (like "In Progress" or "Pending Client") are set by your technicians in the PSA after the ticket is created — they do not come from the RocketCyber API field.

How do I filter events to a single account?

Add &accountId={n} to the events endpoint call. The accountId parameter is supported on /v3/events per the API documentation. This is useful if you want to scope the console to a single client during a QBR or incident review.

The layout looks compressed on my screen

The console is designed for 1440px+ width. Below approximately 1100px, the three-column layout starts to compress. Set your browser zoom to 90% or 80% on smaller monitors. The layout does not currently have responsive breakpoints for mobile or tablet.

How do I add a per-client filter to scope the whole console?

Add an accountId dropdown to the rail or left sidebar, store the selected value in RC.accountFilter, and apply a .filter(x => !RC.accountFilter || x.accountId === RC.accountFilter) at the start of each render function. All endpoint calls support ?accountId={n} as a server-side filter as well.