Comment on page

What is RunReveal

Welcome to RunReveal's documentation website
RunReveal is a security data platform designed to make understanding your environment a breeze. Our goal is to take any company's security data and logs, instantly turn them into actionable insights, and provide the tools to build your own detailed detection and alerting rules.
The main concepts that our customers need to be familiar with.


Places we read data from. There are two types of sources, generic sources and native sources.
  • Native sources are data types and integrations we support natively within our platform.
  • Generic sources are just blobs of arbitrary data that you parse within RunReveal, that a native source does not exist for. Generic sources exist so you can still make use of data that our platform does not yet natively support.


Functions that you write that parse generic source data. These functions are written in python and return a Normalized dictionary that we store in the runreveal_logs table.
All transforms are written in python and there is currently no maximum to the number of transforms that can be uploaded.


Functions that you write that can be useful for alerting. If a trigger function returns true the log is saved to an additional table of logs that alerted, and all attached notification channels are informed that the trigger returned true.
All triggers are written in python and there is currently no maximum to the number of triggers that can be uploaded.


RunReveal integrations that inform you when something happens based on the result of a trigger function. If a trigger returns true, all of the notification channels directly attached to that trigger are forwarded the event.
Today we support three notification types:
  • Slack
  • Email
  • Webhook


All of the data that RunReveal collects is searchable. The RunReveal CLI exposes the runreveal logs command
The SQL syntax used to query RunReveal's logs is Clickhouse's dialect of SQL. A reference of this SQL is available here:
We support a few types of querying.
  • REPL -- quickly and iteratively query your logs in a CLI loop
  • Named Queries -- You can create a complex query, save it, and run it by name.