
Agents

Agents are AI-powered automations that run on a schedule to analyze your security data and deliver findings before you ask. Define what you want to know—suspicious logins, detection summaries, compliance snapshots—set a cron schedule, and let the agent handle the rest. Each run queries your logs, interprets the results, and sends a report to your inbox.

No dashboards to refresh, no queries to remember, no windows to miss.

Agent Overview — status, schedule, description, notification channels, tools, prompt, recent runs

What Are Agents?

Agents are automated AI-powered tasks that run on a schedule to analyze your RunReveal data. They combine:

  • AI capabilities (via providers and models configured per agent)
  • Scheduled execution (cron-style schedules)
  • Log/data analysis using your workspace tables and tools

Why Use Agents?

Security teams are drowning in data. Logs pile up faster than anyone can review them. Detections fire, but context is scattered. By the time you piece together what happened, the window to act has already closed.

Agents change that.

Instead of waiting for a human to ask the right question, agents ask it for you—every hour, every day, on whatever schedule you set. They query your logs, analyze patterns, and deliver findings directly to your inbox before your morning coffee.

Agent Use Cases:

  • Daily situational awareness. Start each day knowing what happened overnight—critical detections, anomalous logins, privilege escalations—without lifting a finger.
  • Proactive threat hunting. Surface risky actors, unusual data volumes, or policy violations automatically. Catch what static rules miss.
  • Continuous compliance. Generate weekly access reviews, audit summaries, or policy violation reports on a schedule that satisfies auditors.
  • Faster investigations. When an incident occurs, agents have already been watching. The context you need is waiting in your run history.

Agents don’t replace your team—they amplify it. Every scheduled run is one less manual query, one less dashboard refresh, one less thing to remember. The AI handles the repetitive analysis; your team focuses on decisions and response.

Set a prompt. Pick a schedule. Let the agent do the rest.

In the UI

Review Agents

Agents list — Agents, Run History, and Prompts tabs + New Agent button

  1. In the sidebar, open Agents.

  2. Use Search agents… to quickly find an agent by name.

  3. Review the table columns:

    • Status: whether the agent is currently active
    • Name: agent display name
    • Description: brief purpose of the agent
    • Schedule: cron expression or a friendly schedule label (depending on how it was set)
    • Next Run: next scheduled execution time
    • Actions: open the overflow menu for agent actions
  4. Click an agent row to open the Agent Overview.

Agent Overview

Agent Overview — status, schedule, created/updated, notification channels, tools, prompt, recent runs

In the Agent Overview you can review:

  • Status and Schedule, plus Created At / Updated At
  • Description
  • Notification Channels (who will receive the output)
  • Available Tools (may show “All tools enabled”)
  • Prompt (the exact instruction the agent runs)
  • Recent Runs (with a Chat link for each run)
  • A shortcut to View All Run History

Tip: If an agent is not producing expected results, open a recent run’s Chat first—this is the fastest way to see what the agent actually queried and returned.

Run History and Prompts tabs

From the Agents page header you can also switch between:

  • Run History: view executions across agents (successes/errors, and open the associated chat)
  • Prompts: manage reusable prompt templates (if enabled in your workspace)

(These tabs are visible at the top of the Agents page in the current UI.)

Create New Agents

To create a new agent, click + New Agent on the Agents page.

The Create Agent page is structured in the following order.

1. Start from Template

Choose a prebuilt template or start from scratch. Templates pre-fill fields like the AI Prompt (and may pre-fill schedule depending on the template).

Create Agent — Start from Template

| Template | What it does |
|---|---|
| Blank Agent | Start from scratch with an empty configuration. Use when you have a specific, custom use case in mind. |
| Alert Tuning | Analyze noisy or low-value detections and recommend tuning improvements to reduce alert fatigue. |
| Data Volume Anomaly Detection | Monitor log source volumes for unusual spikes or drops and surface anomalies that may indicate issues. |
| Data Saving Analysis | Identify high-volume, low-value logs that could be filtered or dropped to reduce storage costs. |
| Open Investigation Analysis | Review open investigations and generate status summaries, recommended next steps, or stale investigation alerts. |

2. Basic Information

Fill in the fields that define what the agent does.

Basic Information — Display Name, Description, AI Prompt

  • Display Name: what appears in the Agents list and Agent Overview
  • Description: short explanation of purpose
  • AI Prompt: the full instruction sent to the model each run

Prompt writing guidance (practical):

  • Specify exactly what tables to use (and the key filters to apply).
  • Constrain time ranges and result sizes (use small LIMITs).
  • Tell the agent what format you want back (bullets, grouped breakdowns, etc.).

3. AI Configuration

Select the provider/model for this agent.

AI Configuration — model dropdown

  • Choose the model that balances quality vs. cost for the task.
  • If your workspace has a Default model, you can keep it or override per agent.

4. Available Tools

Select which tools the agent can call while running.

Available Tools — tool grid + Select All / Deselect All

  • Tools are enabled by default.
  • Use Deselect All and then enable only what’s required for least privilege.
  • Keep tool access narrow for “reporting-only” agents.

The following tools are available, listed in the order they appear in the app.

Data and logs

| Tool | Description |
|---|---|
| LogsQueryV3 | Run ClickHouse SQL queries against your log data. Use small LIMIT values (10–50) for exploration; filter by indexed columns (e.g. receivedAt). Check schema with GetTableSchema first. |
| ListTables | List all tables available for querying in the workspace. |
| GetTableSchema | Get the schema and indexes for a specific table (column names, types, primary key, data skipping indexes). Use before writing queries to use indexed columns. |

Detections

| Tool | Description |
|---|---|
| ListDetections | List all detections in the workspace (names, queries, schedules, metadata). Optional filters by severity, category, type, etc. |
| CreateDetection | Create a new SQL detection rule (query, schedule, severity, notifications, etc.). Requires user confirmation in interactive chat; scheduled agents can use with Skip Permissions if configured. |
| UpdateDetection | Update an existing detection. Requires user confirmation in interactive chat unless Skip Permissions is enabled. |
| DeleteDetection | Delete a detection rule. Requires user confirmation in interactive chat unless Skip Permissions is enabled. |

Dashboards

| Tool | Description |
|---|---|
| DashboardGraphList | List dashboard graphs in the workspace. |
| DashboardGraphGet | Get a single graph by ID. |
| DashboardGraphCreate | Create a new dashboard graph (query, chart type, axis columns, etc.). Chart types include barchart, linechart, piechart, globe, datatable, and others. |
| DashboardGraphUpdate | Update an existing graph. |

Notifications and investigations

| Tool | Description |
|---|---|
| NotificationList | List notification configs (channels) configured for the workspace. |
| NotificationSend | Send a notification to one or more channels. Supports template name or inline title/body; uses Handlebars and a notification type (e.g. detection, data) for context. |
| InvestigationList | List investigations in the workspace. |
| InvestigationGet | Get a single investigation by ID. |
| InvestigationUpdate | Update an investigation (e.g. field and value). |
| InvestigationClose | Close an investigation with a resolution. |
| AddInvestigationArtifact | Add an artifact (comment, type, meta) to an investigation. |

Sources and external

| Tool | Description |
|---|---|
| SourceList | List log sources in the workspace. Optional filter by source types. |
| MakeHTTPRequest | Make an HTTP request to an external URL (GET, POST, etc.). Read-only from a safety perspective (no mutating side effects on RunReveal). Useful for calling external APIs. |

Threat intelligence (optional)

| Tool | Description |
|---|---|
| GetVirusTotalReport | Get a threat intelligence report from VirusTotal for an IP, domain, or URL. Requires VirusTotal API key in workspace threat intel settings; otherwise the tool is not available. |
| GetCrowdStrikeReport | Get threat intelligence from CrowdStrike for an IP, domain, file hash, or URL (malicious confidence, threat actors, malware families, etc.). Requires CrowdStrike client ID and secret in workspace threat intel settings; otherwise the tool is not available. |

Context management (interactive chat only)

These tools are available in Native AI Chat (and when viewing a run’s chat) to manage context across many tool calls. They are not used by scheduled agents.

| Tool | Description |
|---|---|
| RecallResult | Retrieve the full data from a previous tool call in the conversation (e.g. a query result that was summarized). |
| ListStoredResults | List tool results available for recall in the current conversation. |
| GetScratchpad | Read the agent’s working notes for this conversation. |
| UpdateScratchpad | Update working notes (e.g. todo list, findings) for the conversation. |

In the agent form, you can Select All or Deselect All tools, or pick specific tools. Restrict tools when you want an agent to only query data (read-only) or only perform a narrow set of actions.

5. Schedule

Set when the agent runs using cron format.

Schedule — Cron Schedule field

  • Cron Schedule format: minute hour day month weekday

Examples:

  • 0 9 * * * — daily at 09:00
  • 0 8 * * 1 — Mondays at 08:00
  • 0 */6 * * * — every 6 hours
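Added example (not RunReveal code): a preview of when a cron schedule fires, and a check that the time range the prompt asks for is at least as long as the interval between runs, so no stretch of logs goes unreviewed. The function names, the `lookback` parameter, standard cron semantics and time-zone-naive datetimes are assumptions of this example.

```python
# Added example, not RunReveal code. Assumes standard five-field cron semantics
# (weekday 0 = Sunday; if both day and weekday are restricted, either may match)
# and naive datetimes, since the page does not state the scheduler's time zone.
from datetime import datetime, timedelta

RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]  # minute hour day month weekday


def parse_field(field, lo, hi):
    """Expand one cron field (*, n, a-b, comma lists, /step) into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = int(rng)
            end = hi if "/" in part else start
        if step < 1 or not lo <= start <= end <= hi:
            raise ValueError(f"invalid cron field part {part!r} (allowed {lo}-{hi})")
        values.update(range(start, end + 1, step))
    return values


def next_runs(expr, after, count=3):
    """Return the next `count` run times strictly after `after`."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day month weekday")
    minute, hour, dom, month, dow = (
        parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, RANGES))
    either = not (fields[2].startswith("*") or fields[4].startswith("*"))
    runs, t = [], after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    stop = t + timedelta(days=366)  # give up on schedules that never fire
    while len(runs) < count and t < stop:
        wd = (t.weekday() + 1) % 7  # Python counts Monday=0, cron counts Sunday=0
        day_ok = (t.day in dom or wd in dow) if either else (t.day in dom and wd in dow)
        if day_ok and t.month in month and t.hour in hour and t.minute in minute:
            runs.append(t)
        t += timedelta(minutes=1)
    return runs


def uncovered(expr, lookback, after, count=8):
    """Longest stretch between runs that a query window of `lookback` never sees."""
    runs = next_runs(expr, after, count)
    widest = max(b - a for a, b in zip(runs, runs[1:]))
    return max(widest - lookback, timedelta(0))
```

A non-zero result from `uncovered` means the prompt's time range is shorter than the gap between runs; widen the range in the prompt or run the agent more often.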

6. Notifications

Choose who receives the agent output by email.

Notifications — Email Notifications selector

  • Select one or more Email Notifications channels.
  • If none are selected, the workspace default email notification is used.

7. Settings

Finalize runtime behavior.

Settings — Enabled and Skip Permissions

  • Enabled: when on, the agent runs automatically on schedule
  • Skip Permissions: admin-only; use sparingly. Keep off unless the agent is trusted and intentionally allowed to run without permission checks.
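Added example (not RunReveal code): a least-privilege review of agent definitions that applies the tool and Skip Permissions guidance above. The tool names come from the tool tables on this page; the read/write grouping is this example's reading of their descriptions, and the agent dict layout (`tools`, `skip_permissions`, `reporting_only`) is a hypothetical format constructed for illustration.

```python
# Added example, not RunReveal code. Tool names come from the tool tables on this
# page; the read/write split is this example's reading of their descriptions, and
# the agent dict layout is constructed for illustration (hypothetical fields).
READ = {"LogsQueryV3", "ListTables", "GetTableSchema", "ListDetections",
        "DashboardGraphList", "DashboardGraphGet", "NotificationList",
        "InvestigationList", "InvestigationGet", "SourceList",
        "GetVirusTotalReport", "GetCrowdStrikeReport"}
GATED = {"CreateDetection", "UpdateDetection", "DeleteDetection"}  # confirmation unless Skip Permissions
WRITE = GATED | {"DashboardGraphCreate", "DashboardGraphUpdate", "NotificationSend",
                 "InvestigationUpdate", "InvestigationClose", "AddInvestigationArtifact"}
EXTERNAL = {"MakeHTTPRequest"}  # no side effects on RunReveal, but reaches outside URLs
ALL_TOOLS = READ | WRITE | EXTERNAL


def audit_agent(agent):
    """Return (severity, message) findings for one agent definition."""
    tools = ALL_TOOLS if agent["tools"] == "all" else set(agent["tools"])
    skip = agent.get("skip_permissions", False)
    findings = []
    if tools >= ALL_TOOLS:
        findings.append(("high", "all tools enabled; deselect all and grant only what the prompt needs"))
    if skip and tools & GATED:
        findings.append(("high", "Skip Permissions lets scheduled runs change detections: "
                         + ", ".join(sorted(tools & GATED))))
    if skip and not tools & GATED:
        findings.append(("medium", "Skip Permissions is on but no confirmation-gated tool is granted"))
    if agent.get("reporting_only") and tools & (WRITE | EXTERNAL):
        findings.append(("medium", "reporting-only agent holds non-read tools: "
                         + ", ".join(sorted(tools & (WRITE | EXTERNAL)))))
    if tools - ALL_TOOLS:
        findings.append(("info", "tools not in the scheduled-agent tables: "
                         + ", ".join(sorted(tools - ALL_TOOLS))))
    return findings


# Constructed sample agents (names and fields are illustrative).
AGENTS = [
    {"name": "Daily login summary", "reporting_only": True,
     "tools": ["LogsQueryV3", "ListTables", "GetTableSchema"]},
    {"name": "Alert tuning", "tools": "all", "skip_permissions": True},
    {"name": "Weekly access review", "reporting_only": True, "skip_permissions": True,
     "tools": ["LogsQueryV3", "GetTableSchema", "MakeHTTPRequest"]},
]

if __name__ == "__main__":
    for a in AGENTS:
        for sev, msg in audit_agent(a) or [("ok", "no findings")]:
            print(f"{a['name']}: [{sev}] {msg}")
```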

8. Create the agent

At the bottom-right of the page, click Create Agent to save.
