ReliaQuest GreyMatter security operations platform provides unified visibility, automation, and response capabilities across an organization's security infrastructure. For more information refer to the ReliaQuest GreyMatter documentation.
Integration Method: API
Tables: Incident Finding (2005), Device Inventory Info (5001), Detection Finding (2004)
This integration supports the following events.
Event | Description |
|---|---|
Incidents | Retrieve incident records including security alerts, investigations, and incident lifecycle information. |
Assets | Retrieve asset inventory information including devices, IP addresses, operating systems, and security tool visibility. |
Detections | Retrieve detection rules and customer-specific detections with MITRE ATT&CK mapping. |
Prerequisites
The user should have access to ReliaQuest GreyMatter platform with API access privileges.
The user should be able to generate an API key with appropriate permissions.
The user should have access to the DataBee console.
Configuration Overview
Generate an API key in ReliaQuest GreyMatter.
Add the ReliaQuest GreyMatter data feed in the DataBee console with the below parameters:
DataBee Parameter
GreyMatter Parameter
API Key
x-api-key (API Key from GreyMatter)
Asset Types
Comma-separated asset type IDs (default: 1)
ReliaQuest GreyMatter Configuration
Genarating API Key
Navigate to GreyMatter > Settings > API Key Management.
Click the New API Key button in the top right corner.
Select an Expiration Date (default is 1 year) and then click the Create Key button.
The generated Key will be displayed. Copy the key for later use.
Note:
This key only appears once, so be sure to copy it carefully and keep it safe.
After closing the prompt, you will be redirected to the API Key Management screen, which shows the key expiration date, creation date, last query, and last usage time.
Refer to https://apidocs.myreliaquest.com/ for additional information.
DataBee Configuration
Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
Search for the ReliaQuest GreyMatter and click it as shown below.
Click on the API Ingest option for the collection method.
Enter feed contact information, keep Entity Resolution checkbox checked if you want it else uncheck it and scroll down.
In the configuration section, confirm the following:
Token: Paste the X-API-KEY generated earlier.
Event Types: Preselected for all the event types that integration pulls.
Asset Type IDs: Enter the comma-separated asset type IDs to filter.
Click on the Submit button.
Troubleshooting Tips
API Connection Issues
Authentication Error: If you receive authentication errors during the Polling:
Verify that your API key is valid and not expired
GraphQL Query Errors: If GraphQL queries fail:
Check the error message in the DataBee logs for specific field or permission issues
Verify that your API key has access to the requested data types
Ensure the GraphQL query schema matches your GreyMatter version
Data Collection Issues
No Incidents Retrieved: If no incident data is being collected:
Verify that incidents exist in GreyMatter for the configured time window
Check the ingest time window configuration - ensure it covers a period with expected incidents
Review the `updatedAt` filter to ensure it's capturing the correct time range
No Assets Retrieved: If no asset data is being collected:
Verify that assets exist in GreyMatter with the configured asset types
Check the Asset Types configuration - ensure valid asset type IDs are specified
Default asset type is `1` - add more types if needed (e.g., `1,2,3`)
Assets are polled every 24 hours - wait for the next polling cycle
No Detections Retrieved: If no detection data is being collected:
Verify that customer detections exist in GreyMatter
Check the time range filter - detections are filtered by `createdAt`
Ensure the API key has permissions to read detection data
Rate Limiting
Rate Limit Exceeded: If you encounter rate limit errors:
The system automatically sleeps for 30 minutes and retries
GreyMatter allows 5,000 tokens per hour/user
The integration is configured for 48 requests/hour to stay within limits
Consider reducing the number of event types if rate limits are frequently hit
Monitor the DataBee logs for rate limit warnings
GraphQL Token Consumption: GraphQL queries consume tokens based on complexity:
Incidents queries consume more tokens due to nested fields (activity, metadata)
Assets queries are simpler and consume fewer tokens
Detections queries with MITRE mapping consume moderate tokens
Performance Issues
Slow Data Collection: If data collection is slow:
Verify network connectivity between DataBee and GreyMatter
Check if GreyMatter API is experiencing performance issues
Review the pagination size (default: 100 records) - do not increase to avoid rate limits
Monitor the GraphQL query response times in logs
Large Data Volumes: For organizations with large data volumes:
Assets are polled every 24 hours to reduce load
Incidents and Detections are polled every 30 minutes
Use Asset Types filter to reduce asset query results
Data Quality Issues
Missing Fields: If expected fields are missing in collected data:
GreyMatter may not have data for all fields in every record
Check the `unmapped` section in OCSF output for additional GreyMatter-specific fields
Verify the GraphQL query includes the required fields
Incorrect Data Mapping: If data appears incorrectly mapped:
Review the OCSF mapping details section below
Check the DataBee logs for mapping errors or warnings
Verify the data types in GreyMatter match expected formats (e.g., ISO 8601 timestamps)