Changelog
Release Notes: v2026.7.0
Upgrade note: Migrations run automatically on startup. Review the breaking changes and migration sections below before upgrading.
Highlights
- New runreveal CLI. The
runrevealCLI now brings an interactive agent chat TUI, better autocompletion, auth profiles with better login flows, and maintains backwards compatibility with detection sync and other manual workflows. Customers who have scripted against previous CLI should review the breaking changes below. - Seven new log sources. You can now ingest audit logs from Border0, Docker Hub, FleetDM, Hugging Face, Serval, Turbopuffer, and Wiz Runtime Sensor Events.
- Sigma detection builder in the UI. Create and edit Sigma-based detections directly from the web interface without writing YAML by hand.
- Destination health checks. RunReveal now allows for creating health checks for destinations and surfaces results in the UI so you can catch delivery problems before they impact your team.
Features
- Sigma detection UI builder — Build and edit Sigma detections visually in the web interface without manually authoring YAML.
- Interactive agent chat TUI — The new CLI includes a terminal-based interactive chat for working with RunReveal agents directly from the command line.
- Terraform-style detection sync — The
detection synccommand now shows a plan-style diff of what will change before applying, making reviews safer. - VictorOps notification channel — Send alert notifications to VictorOps (Splunk On-Call) as a new notification channel type.
- Resend email provider — Use Resend as the transactional email provider for notifications in BYOC deployments.
- Linear issue priority from alert severity — Alert severity now automatically maps to Linear issue priority when creating tickets from notifications.
- Per-detection investigation metrics — The metrics page now shows investigation and triage statistics broken down by individual detection.
- Token usage views — Administrators can view AI chat token consumption across all workspace chats.
- Agent skills catalog and management UI — Browse, create, edit, and delete agent skills from a dedicated management interface and built-in catalog.
- Workspace-scoped agent task queue — Agent tasks are now scoped to workspaces, enabling better multi-tenant isolation.
- System theme option — A new "System" theme preference follows the OS light/dark setting, with a live-updating adaptive favicon.
- Saved query categories — Saved queries support a category field for better organization.
- Source list and popover redesign — The sources page now includes a list view with a side popover for quick details.
- Admin backfill management page — Administrators can manage ClickHouse data backfills with a progress bar and the ability to supply custom write credentials.
- Managed SNS topic for S3 sources — S3 source configuration now surfaces the managed SNS topic ARN to simplify customer-side setup.
- Direct Pub/Sub ingest for GCP Logs — A new
gcp-queueingest path lets you stream GCP logs directly via Pub/Sub without an intermediary. - RFC 5424 syslog support in reveald — The reveald log forwarder daemon now supports RFC 5424 formatted syslog input.
- Source ingest form validation — S3, Webhook, GCS, Azure Blob, MinIO, S3FS, and External S3 ingest sub-forms now validate configuration before submission.
- User expiration column — The workspace user list now shows each member's expiration date.
- Snowflake poll improvements — Snowflake polling sources support a configurable batch limit (up to 10,000) and bound each poll to a one-hour time window for more predictable performance.
- Reveald coerce processor — A new explicit
coercepreprocessor replaces the old number-guessing heuristic in the KV parser. - UEBA actor hourly baseline — A new materialized view pre-aggregates hourly actor baselines for upcoming UEBA features, with a 550-day TTL.
- Audit data on source endpoints — Source API responses now include audit metadata.
- Configurable ServiceNow instance host — ServiceNow sources now accept a custom instance hostname.
- GovSlack support — The Slack polling source can now target GovSlack environments.
- Tenable fedcloud endpoint — The Tenable polling source supports the
fedcloudAPI endpoint. - 1Password identifiable User-Agent — 1Password polling requests now send a descriptive User-Agent header.
- Auto-suggested view columns raised to 100 — Custom views can now auto-suggest up to 100 columns, up from 30.
- Explorer sidebar width persistence — The Explore sidebar remembers its width across sessions.
- Chat context compaction — Long agent conversations are automatically compacted to stay within context windows, with pageable recall for large tool-call results.
- Anthropic prompt caching — The system prompt is now prompt-cached, reducing latency and cost for Anthropic-backed chats.
- API reference in docs — The external documentation site now includes a login-gated API Reference section.
New Integrations
| Source | Type | Description |
|---|---|---|
| Turbopuffer | object storage | Turbopuffer audit logs |
| Wiz Runtime Sensor Events | object storage | Events collected by Wiz Runtime Sensor |
| Border0 | polling | Border0 audit action logs |
| Docker Hub | polling | Docker Hub audit logs |
| FleetDM | polling | FleetDM activity audit logs |
| Hugging Face | polling | Hugging Face organization audit logs |
| Serval | polling | Serval access management audit logs |
Bug Fixes
- Notification channel loading — All notification channels now load correctly in selection UIs; consolidated duplicate list methods.
- Wiz source compatibility — Updated Wiz sources for the v2 GraphQL API, preserved full rawLog, accepted Go-style timestamps, and included the audience parameter in Wiz Sensor Detections OAuth requests.
- Chat theme bleed — Theme CSS is stripped from copied chat text so it no longer bleeds into pasted documents.
- Chat generation truncation — Agent chat responses no longer truncate mid-generation; chats no longer get stuck in a "thinking" state.
- S3 multipart errors — Resolved multipart upload errors on S3-based object storage ingest.
- Webhook receiver throttling — High-volume webhook writes are now batched to avoid S3 SlowDown errors.
- Object storage consumer is_active — The production webhook S3 consumer now correctly honors the
is_activeflag. - Detection sync fixes — Sigma YAML
disabledfield is properly synced when cloning; notification templates persist correctly during DaC sync; auto-triage settings no longer break sync. - Source secret validation — Source secrets are validated at creation time, preventing RRQ errors from invalid configuration.
- Alert row state after triage — Alert rows now update in-place after running AI Triage or adding to an investigation.
- Source error visibility — Sources with errors but no active ingest now show error counts on the source list page.
- Source cache invalidation — The source-by-bucket cache is purged on any source config change, fixing stale routing.
- API token last-used timestamp — API tokens now show the real last-used timestamp; tokens that have never been used are clearly indicated.
- GitHub actor normalization — The GitHub source now correctly normalizes the actor to the initiator rather than the subject.
- Cloudflare R2 queue ID — Hyphenated R2 queue IDs are no longer incorrectly parsed as invalid UUIDs.
- Salesforce EventLog daily queries — Daily EventLog queries no longer incorrectly use the interval column.
- Cloudflare Access request timestamps — Flexible time unmarshalling handles non-standard timestamps in
cf-access-requestslogs. - HashiCorp Vault blank lines — Blank lines in HashiCorp Vault audit logs are now tolerated without parse errors.
- Custom view sourceType change — Changing a custom view's sourceType now correctly recreates the ClickHouse view.
- Managed detection auto-triage — Auto-triage for managed detections is now gated behind a feature flag.
- GCS destination validation — GCS destination
serviceAccountJSONis validated at create/update time. - Investigation artifact collation — The
investigation_artifacts.investigation_idcolumn collation is aligned to"C"to match paginated queries. - Explorer horizontal scroll — The Explore page shows a horizontal scrollbar at narrow viewport widths.
- CLI nil dereference — Fixed a nil pointer dereference when making unauthenticated CLI calls.
- CLI pagination — Cursor and limit parameters are now correctly forwarded as query params for paginated GET endpoints.
- Login page colors — Repaired login color tokens after the design-system refresh.
- Badge text color — Corrected badge text color in the updated design language.
- Audit event names — Cleaned up audit event names for chat endpoints.
- Chat prompts pagination — Chat prompts are now set from paginated result values, fixing missing prompts.
- Backfill default time range — The backfill default time range is now initialized in the API payload.
- CH partitioner fixes — Missing migration progress is treated as zero; the container image now runs as a non-root user.
- Source preconditions — String-scalar rawLog is now reachable via the
textfield in preconditions. - Agent task detection name — Agent task detection names are correctly resolved from task parameters.
- Queue parallelism — Stream parallelism is now correctly wired through to the Kawa processor.
- Notification email links — Agent links are included in email templates and appBaseURL propagation is fixed.
- Byte-unit graph — The graph correctly shows byte units when no filtering is applied.
Breaking Changes
- New CLI binary replaces the old one — Re-authenticating maybe required. The
runrevealbinary now ships a heavily updated CLI with a new profile system, better autocompletion, better command help output, and an embedded runreveal skill. Customers who scripted against the old CLI should test their automation. The new CLI includes the same core commands and was tested for compatibility (detection sync, MCP server, keyring secrets) but flags and output formats may differ. Runrunreveal helpto review updated usage, and read the docs for more details about the changes.
Maintenance
- Refreshed UI design system: updated color tokens, Toggle, TextField, Dialogue Card, Dashboard sidebar, signup/login pages, and logo/favicon assets for Q2 2026.
- Migrated UI primitive components to the
@runreveal/uishared package and added Storybook stories (icons, toasts, foundations). - Added Sentry error reporting for backend exceptions, destination errors, recording failures, and migration errors.
- CI improvements: path filtering, CE image builds (Docker Hub), unified reveald release process, and Homebrew remediation workflow.
- Refactored pipeline steps, chat code, and API client response generics for maintainability.
- Expanded documentation: Federated Search guide, custom views, K8s setup, VPC flow log drop guidance, Workday/FleetDM/Wiz setup instructions, investigation notes, and IOC correlation.
- Lazy-load CodeEditor and MarkdownEditor for faster agent-skills page loads.
- Increased default timeout for async agents and expanded Anthropic context windows.
- Removed unused route constants, old endpoints, and duplicate utilities.
Database Migrations
| Migration | Database | Description |
|---|---|---|
destination_health_check_subscriptions | PostgreSQL | Add destination health-check subscription table |
seed_destination_health_checks | PostgreSQL | Seed initial destination health-check records |
destination_health_check_results | PostgreSQL | Add destination health-check results table |
destination_errors_pg | PostgreSQL | Add destination errors table |
collation-small-config-tables | PostgreSQL | Align collation on small config tables |
collation-source-configs | PostgreSQL | Align collation on source_configs |
collation-workspaces | PostgreSQL | Align collation on workspaces |
collation-users | PostgreSQL | Align collation on users |
collation-workspace-members | PostgreSQL | Align collation on workspace_members |
collation-investigations | PostgreSQL | Align collation on investigations |
collation-async-agent-tasks | PostgreSQL | Align collation on async_agent_tasks |
collation-chats | PostgreSQL | Align collation on chats |
collation-async-queries | PostgreSQL | Align collation on async_queries |
collation-notification-history | PostgreSQL | Align collation on notification_history |
collation-managed-detections | PostgreSQL | Align collation on managed_detections |
collation-detection-configs | PostgreSQL | Align collation on detection_configs |
agent-skills | PostgreSQL | Add agent skills table |
slackbot_tables | PostgreSQL | Add Slack bot connection and state tables |
query-categories | PostgreSQL | Add category column to saved queries |
notification-history-channel-name | PostgreSQL | Add channel name to notification history |
communityedition_license_handling | PostgreSQL | Add Community Edition license tracking |
workspace-token-nullable-last-used | PostgreSQL | Make workspace token last-used timestamp nullable |
fix_investigation_artifacts_investigation_id_collation | PostgreSQL | Fix investigation_artifacts investigation_id collation |
source_volumes_received_at_mv | ClickHouse | Add receivedAt-bucketed source volumes materialized view |
wiz_runtime_view | ClickHouse | Add Wiz Runtime Sensor Events view |
user_login_locations | ClickHouse | Add user login locations table |
turbopuffer_audit_logs_view | ClickHouse | Add Turbopuffer audit logs view |
add_ueba_actor_hourly | ClickHouse | Add UEBA actor hourly baseline materialized view |
fleetdm_logs_view | ClickHouse | Add FleetDM logs view |
huggingface_logs | ClickHouse | Add Hugging Face audit logs view |
ueba_actor_hourly_ttl | ClickHouse | Add 550-day TTL to ueba_actor_hourly |
wiz_views_v2_api_update | ClickHouse | Update Wiz views for v2 API schema |
serval_logs | ClickHouse | Add Serval audit logs view |
border0_logs | ClickHouse | Add Border0 audit logs view |
v2026.7.1
Upgrade note: This is a patch release. Migrations run automatically on startup.
Breaking Changes
No breaking changes in this patch.
Database Migrations
No database migrations in this patch.
Changes
- ALB stickiness cookie forwarding — Fixed an issue where Application Load Balancer stickiness cookies were not being carried across API requests from the client, which could cause chat sessions to be routed improperly.