RunReveal
Changelog

Release Notes: v2026.7.0

Upgrade note: Migrations run automatically on startup. Review the breaking changes and migration sections below before upgrading.

Highlights

  • New runreveal CLI. The runreveal CLI now brings an interactive agent chat TUI, better autocompletion, auth profiles with better login flows, and maintains backwards compatibility with detection sync and other manual workflows. Customers who have scripted against previous CLI should review the breaking changes below.
  • Seven new log sources. You can now ingest audit logs from Border0, Docker Hub, FleetDM, Hugging Face, Serval, Turbopuffer, and Wiz Runtime Sensor Events.
  • Sigma detection builder in the UI. Create and edit Sigma-based detections directly from the web interface without writing YAML by hand.
  • Destination health checks. RunReveal now allows for creating health checks for destinations and surfaces results in the UI so you can catch delivery problems before they impact your team.

Features

  • Sigma detection UI builder — Build and edit Sigma detections visually in the web interface without manually authoring YAML.
  • Interactive agent chat TUI — The new CLI includes a terminal-based interactive chat for working with RunReveal agents directly from the command line.
  • Terraform-style detection sync — The detection sync command now shows a plan-style diff of what will change before applying, making reviews safer.
  • VictorOps notification channel — Send alert notifications to VictorOps (Splunk On-Call) as a new notification channel type.
  • Resend email provider — Use Resend as the transactional email provider for notifications in BYOC deployments.
  • Linear issue priority from alert severity — Alert severity now automatically maps to Linear issue priority when creating tickets from notifications.
  • Per-detection investigation metrics — The metrics page now shows investigation and triage statistics broken down by individual detection.
  • Token usage views — Administrators can view AI chat token consumption across all workspace chats.
  • Agent skills catalog and management UI — Browse, create, edit, and delete agent skills from a dedicated management interface and built-in catalog.
  • Workspace-scoped agent task queue — Agent tasks are now scoped to workspaces, enabling better multi-tenant isolation.
  • System theme option — A new "System" theme preference follows the OS light/dark setting, with a live-updating adaptive favicon.
  • Saved query categories — Saved queries support a category field for better organization.
  • Source list and popover redesign — The sources page now includes a list view with a side popover for quick details.
  • Admin backfill management page — Administrators can manage ClickHouse data backfills with a progress bar and the ability to supply custom write credentials.
  • Managed SNS topic for S3 sources — S3 source configuration now surfaces the managed SNS topic ARN to simplify customer-side setup.
  • Direct Pub/Sub ingest for GCP Logs — A new gcp-queue ingest path lets you stream GCP logs directly via Pub/Sub without an intermediary.
  • RFC 5424 syslog support in reveald — The reveald log forwarder daemon now supports RFC 5424 formatted syslog input.
  • Source ingest form validation — S3, Webhook, GCS, Azure Blob, MinIO, S3FS, and External S3 ingest sub-forms now validate configuration before submission.
  • User expiration column — The workspace user list now shows each member's expiration date.
  • Snowflake poll improvements — Snowflake polling sources support a configurable batch limit (up to 10,000) and bound each poll to a one-hour time window for more predictable performance.
  • Reveald coerce processor — A new explicit coerce preprocessor replaces the old number-guessing heuristic in the KV parser.
  • UEBA actor hourly baseline — A new materialized view pre-aggregates hourly actor baselines for upcoming UEBA features, with a 550-day TTL.
  • Audit data on source endpoints — Source API responses now include audit metadata.
  • Configurable ServiceNow instance host — ServiceNow sources now accept a custom instance hostname.
  • GovSlack support — The Slack polling source can now target GovSlack environments.
  • Tenable fedcloud endpoint — The Tenable polling source supports the fedcloud API endpoint.
  • 1Password identifiable User-Agent — 1Password polling requests now send a descriptive User-Agent header.
  • Auto-suggested view columns raised to 100 — Custom views can now auto-suggest up to 100 columns, up from 30.
  • Explorer sidebar width persistence — The Explore sidebar remembers its width across sessions.
  • Chat context compaction — Long agent conversations are automatically compacted to stay within context windows, with pageable recall for large tool-call results.
  • Anthropic prompt caching — The system prompt is now prompt-cached, reducing latency and cost for Anthropic-backed chats.
  • API reference in docs — The external documentation site now includes a login-gated API Reference section.

New Integrations

SourceTypeDescription
Turbopufferobject storageTurbopuffer audit logs
Wiz Runtime Sensor Eventsobject storageEvents collected by Wiz Runtime Sensor
Border0pollingBorder0 audit action logs
Docker HubpollingDocker Hub audit logs
FleetDMpollingFleetDM activity audit logs
Hugging FacepollingHugging Face organization audit logs
ServalpollingServal access management audit logs

Bug Fixes

  • Notification channel loading — All notification channels now load correctly in selection UIs; consolidated duplicate list methods.
  • Wiz source compatibility — Updated Wiz sources for the v2 GraphQL API, preserved full rawLog, accepted Go-style timestamps, and included the audience parameter in Wiz Sensor Detections OAuth requests.
  • Chat theme bleed — Theme CSS is stripped from copied chat text so it no longer bleeds into pasted documents.
  • Chat generation truncation — Agent chat responses no longer truncate mid-generation; chats no longer get stuck in a "thinking" state.
  • S3 multipart errors — Resolved multipart upload errors on S3-based object storage ingest.
  • Webhook receiver throttling — High-volume webhook writes are now batched to avoid S3 SlowDown errors.
  • Object storage consumer is_active — The production webhook S3 consumer now correctly honors the is_active flag.
  • Detection sync fixes — Sigma YAML disabled field is properly synced when cloning; notification templates persist correctly during DaC sync; auto-triage settings no longer break sync.
  • Source secret validation — Source secrets are validated at creation time, preventing RRQ errors from invalid configuration.
  • Alert row state after triage — Alert rows now update in-place after running AI Triage or adding to an investigation.
  • Source error visibility — Sources with errors but no active ingest now show error counts on the source list page.
  • Source cache invalidation — The source-by-bucket cache is purged on any source config change, fixing stale routing.
  • API token last-used timestamp — API tokens now show the real last-used timestamp; tokens that have never been used are clearly indicated.
  • GitHub actor normalization — The GitHub source now correctly normalizes the actor to the initiator rather than the subject.
  • Cloudflare R2 queue ID — Hyphenated R2 queue IDs are no longer incorrectly parsed as invalid UUIDs.
  • Salesforce EventLog daily queries — Daily EventLog queries no longer incorrectly use the interval column.
  • Cloudflare Access request timestamps — Flexible time unmarshalling handles non-standard timestamps in cf-access-requests logs.
  • HashiCorp Vault blank lines — Blank lines in HashiCorp Vault audit logs are now tolerated without parse errors.
  • Custom view sourceType change — Changing a custom view's sourceType now correctly recreates the ClickHouse view.
  • Managed detection auto-triage — Auto-triage for managed detections is now gated behind a feature flag.
  • GCS destination validation — GCS destination serviceAccountJSON is validated at create/update time.
  • Investigation artifact collation — The investigation_artifacts.investigation_id column collation is aligned to "C" to match paginated queries.
  • Explorer horizontal scroll — The Explore page shows a horizontal scrollbar at narrow viewport widths.
  • CLI nil dereference — Fixed a nil pointer dereference when making unauthenticated CLI calls.
  • CLI pagination — Cursor and limit parameters are now correctly forwarded as query params for paginated GET endpoints.
  • Login page colors — Repaired login color tokens after the design-system refresh.
  • Badge text color — Corrected badge text color in the updated design language.
  • Audit event names — Cleaned up audit event names for chat endpoints.
  • Chat prompts pagination — Chat prompts are now set from paginated result values, fixing missing prompts.
  • Backfill default time range — The backfill default time range is now initialized in the API payload.
  • CH partitioner fixes — Missing migration progress is treated as zero; the container image now runs as a non-root user.
  • Source preconditions — String-scalar rawLog is now reachable via the text field in preconditions.
  • Agent task detection name — Agent task detection names are correctly resolved from task parameters.
  • Queue parallelism — Stream parallelism is now correctly wired through to the Kawa processor.
  • Notification email links — Agent links are included in email templates and appBaseURL propagation is fixed.
  • Byte-unit graph — The graph correctly shows byte units when no filtering is applied.

Breaking Changes

  • New CLI binary replaces the old one — Re-authenticating maybe required. The runreveal binary now ships a heavily updated CLI with a new profile system, better autocompletion, better command help output, and an embedded runreveal skill. Customers who scripted against the old CLI should test their automation. The new CLI includes the same core commands and was tested for compatibility (detection sync, MCP server, keyring secrets) but flags and output formats may differ. Run runreveal help to review updated usage, and read the docs for more details about the changes.

Maintenance

  • Refreshed UI design system: updated color tokens, Toggle, TextField, Dialogue Card, Dashboard sidebar, signup/login pages, and logo/favicon assets for Q2 2026.
  • Migrated UI primitive components to the @runreveal/ui shared package and added Storybook stories (icons, toasts, foundations).
  • Added Sentry error reporting for backend exceptions, destination errors, recording failures, and migration errors.
  • CI improvements: path filtering, CE image builds (Docker Hub), unified reveald release process, and Homebrew remediation workflow.
  • Refactored pipeline steps, chat code, and API client response generics for maintainability.
  • Expanded documentation: Federated Search guide, custom views, K8s setup, VPC flow log drop guidance, Workday/FleetDM/Wiz setup instructions, investigation notes, and IOC correlation.
  • Lazy-load CodeEditor and MarkdownEditor for faster agent-skills page loads.
  • Increased default timeout for async agents and expanded Anthropic context windows.
  • Removed unused route constants, old endpoints, and duplicate utilities.

Database Migrations

MigrationDatabaseDescription
destination_health_check_subscriptionsPostgreSQLAdd destination health-check subscription table
seed_destination_health_checksPostgreSQLSeed initial destination health-check records
destination_health_check_resultsPostgreSQLAdd destination health-check results table
destination_errors_pgPostgreSQLAdd destination errors table
collation-small-config-tablesPostgreSQLAlign collation on small config tables
collation-source-configsPostgreSQLAlign collation on source_configs
collation-workspacesPostgreSQLAlign collation on workspaces
collation-usersPostgreSQLAlign collation on users
collation-workspace-membersPostgreSQLAlign collation on workspace_members
collation-investigationsPostgreSQLAlign collation on investigations
collation-async-agent-tasksPostgreSQLAlign collation on async_agent_tasks
collation-chatsPostgreSQLAlign collation on chats
collation-async-queriesPostgreSQLAlign collation on async_queries
collation-notification-historyPostgreSQLAlign collation on notification_history
collation-managed-detectionsPostgreSQLAlign collation on managed_detections
collation-detection-configsPostgreSQLAlign collation on detection_configs
agent-skillsPostgreSQLAdd agent skills table
slackbot_tablesPostgreSQLAdd Slack bot connection and state tables
query-categoriesPostgreSQLAdd category column to saved queries
notification-history-channel-namePostgreSQLAdd channel name to notification history
communityedition_license_handlingPostgreSQLAdd Community Edition license tracking
workspace-token-nullable-last-usedPostgreSQLMake workspace token last-used timestamp nullable
fix_investigation_artifacts_investigation_id_collationPostgreSQLFix investigation_artifacts investigation_id collation
source_volumes_received_at_mvClickHouseAdd receivedAt-bucketed source volumes materialized view
wiz_runtime_viewClickHouseAdd Wiz Runtime Sensor Events view
user_login_locationsClickHouseAdd user login locations table
turbopuffer_audit_logs_viewClickHouseAdd Turbopuffer audit logs view
add_ueba_actor_hourlyClickHouseAdd UEBA actor hourly baseline materialized view
fleetdm_logs_viewClickHouseAdd FleetDM logs view
huggingface_logsClickHouseAdd Hugging Face audit logs view
ueba_actor_hourly_ttlClickHouseAdd 550-day TTL to ueba_actor_hourly
wiz_views_v2_api_updateClickHouseUpdate Wiz views for v2 API schema
serval_logsClickHouseAdd Serval audit logs view
border0_logsClickHouseAdd Border0 audit logs view

v2026.7.1

Upgrade note: This is a patch release. Migrations run automatically on startup.

Breaking Changes

No breaking changes in this patch.

Database Migrations

No database migrations in this patch.

Changes

  • ALB stickiness cookie forwarding — Fixed an issue where Application Load Balancer stickiness cookies were not being carried across API requests from the client, which could cause chat sessions to be routed improperly.

On this page