RunReveal Onboarding Guide

RunReveal is a modern security data platform built on ClickHouse that eliminates traditional SIEM complexity while delivering detection-as-code, AI-powered investigations, and sub-second query performance at scale. This guide walks you through setting up your workspace, connecting data sources, configuring detections, and getting your team productive with RunReveal.

How Logs Flow Through RunReveal

Initial Setup

Create Your Account

Navigate to app.runreveal.com and create your account:

Click Sign Up and enter your email address
Check your email for the verification link
Complete account setup with your name and company information

Your workspace is automatically created with default settings:

Workspace name: your-email's Workspace
Admin role: Automatically assigned
Default email notifications: Pre-configured

Verify Workspace Setup

Verify workspace configuration:

Go to Settings → Workspace Settings in your dashboard
Check workspace name and admin role
Note your workspace ID for CLI usage (Optional)

Expected workspace structure:

Admin access enabled
Default notification channel active
API tokens available under Settings → API Tokens

Verify notification channels:

Go to Notification Channels in your dashboard
Confirm default email channel is active
Test notification delivery

Default email notifications include:

Detection alerts
System health notifications
Source connection status

Generate API token for CLI access (Optional):

Go to Settings → API Tokens
Click “Create Token”
Name: “CLI Access”
Copy token for later use

Store your API token securely - you’ll need it for:

RunReveal CLI operations
CI/CD integrations
API-based automation

Invite Team Members

RunReveal supports four role types: Admin (full access), Analyst (detection management), Operator (query and reporting), and CIBot (CI/CD automation).

Invite team members through the dashboard:

Navigate to Settings → Workspace Members
Click Invite User
Enter email address and select appropriate role
Click Send Invitation

Invited users receive an email with signup instructions. You’ll see their status update from “Pending” to “Active” once they accept.

Role Capabilities:

Role	Detections	Sources	Workspace Settings	Query Access
Admin	✓	✓	✓	✓
Analyst	✓	Read-only	Read-only	✓
Operator	Read-only	Read-only	Read-only	✓
CIBot	✓	Read-only	Read-only	✓

Connect Your First Source

Start with Okta, AWS CloudTrail, or GitHub - these are the easiest integrations to configure and provide immediate security value.

Choose Integration Type

RunReveal supports three primary ingestion methods:

API Polling: Okta, GitHub, Office 365
Object Storage: S3, R2, GCS, Azure Blob
Webhooks: Vector, Fluent Bit, custom

Configure Okta Integration

Get Okta API Token:

Log into Okta Admin Console
Navigate to Security → API → Tokens
Click Create Token
Name: RunReveal Integration
Copy the token (starts with SSWS-)

⚠️

Store your Okta API token securely - it won’t be shown again after creation.

Configure in RunReveal:

Go to Sources in your dashboard
Click Add Source → Okta
Enter configuration:
- Domain: company.okta.com
- API Token: Your SSWS token
- Log Types: System logs, User events, Authentication events
Click Test Connection
Click Save

Expected result: Logs start flowing within 60-120 seconds.

Verify Data Flow:

-- Check for Okta logs
SELECT 
  eventName,
  COUNT(*) as event_count
FROM logs 
WHERE sourceType = 'okta'
  AND receivedAt > now() - INTERVAL 5 MINUTE
GROUP BY eventName
ORDER BY event_count DESC

Navigate to Sources → Okta → Recent Events to view live log data.

Configure AWS CloudTrail

Deploy CloudFormation Stack:

Use RunReveal’s pre-built template from the AWS Console
Stack name: RunRevealSetup
Parameters: Accept defaults
Capabilities: Acknowledge IAM resource creation
Wait for stack creation (2-3 minutes)

The CloudFormation template creates an S3 bucket, enables CloudTrail logging, and configures cross-account access for RunReveal.

Add Source in RunReveal:

Go to Sources → Add Source → AWS CloudTrail
Enter configuration:
- S3 Bucket: Your CloudTrail bucket name
- Region: Your AWS region
- Role ARN: (leave blank for CloudFormation setup)
Click Save

Verify CloudTrail logs:

-- Check for AWS CloudTrail events
SELECT 
  eventName,
  userIdentity.type,
  COUNT(*) as event_count
FROM logs 
WHERE sourceType = 'aws-cloudtrail'
  AND receivedAt > now() - INTERVAL 1 HOUR
GROUP BY eventName, userIdentity.type
ORDER BY event_count DESC
LIMIT 10

Configure and Test Detections

Detections continuously monitor your logs for security events. Create detections as SQL queries or Sigma rules, then configure notification channels for alerts. This section walks you through setting up a webhook source, sending test data, creating a detection, and viewing the results.

Set Up Webhook Source for Testing

Use webhooks for custom applications, Vector, Fluent Bit, or any log source that can POST JSON via HTTP. We’ll use a webhook to send test data that will trigger our detection.

Create Webhook Source:

Go to Sources → Add Source → Webhook
Configure webhook name and description
Copy your webhook URL and bearer token (if authentication is enabled)

⚠️

Protect your webhook URL - it provides write access to your RunReveal workspace.

Send Test Security Event

Send a test security event that will match a detection rule. This example simulates a suspicious login attempt:

curl -X POST \
  https://api.runreveal.com/sources/hook/YOUR_SOURCE_ID \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_BEARER_TOKEN" \
  -d '{
    "timestamp": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'",
    "source": "test-system",
    "eventName": "suspicious_login",
    "severity": "high",
    "user": "test-user",
    "srcIP": "192.168.1.100",
    "action": "login_attempt",
    "result": "success",
    "user_agent": "curl-test",
    "metadata": {
      "login_method": "ssh",
      "session_id": "test-123"
    }
  }'

Verify Log Ingestion

Check that your test log was received in the logs table:

-- Verify webhook logs were received
SELECT 
  receivedAt,
  sourceType,
  JSONExtractString(rawLog, 'eventName') as eventName,
  JSONExtractString(rawLog, 'user') as user,
  JSONExtractString(rawLog, 'srcIP') as srcIP,
  JSONExtractString(rawLog, 'severity') as severity,
  rawLog
FROM logs
WHERE sourceType = 'structured-webhook'
  AND JSONExtractString(rawLog, 'eventName') = 'suspicious_login'
  AND receivedAt > now() - INTERVAL 5 MINUTE
ORDER BY receivedAt DESC
LIMIT 10

Expected Results: You should see one or more rows with:

eventName: suspicious_login
user: test-user
srcIP: 192.168.1.100
severity: high
rawLog: Full JSON object with all fields

Create Your First Detection

Navigate to Detections → Create Detection:

Example: Suspicious Login Detection

This detection will trigger on the suspicious_login events from your webhook source.

Configuration:

Name: test-suspicious-login
Type: SQL

Query:

SELECT
  JSONExtractString(rawLog, 'eventName') as eventName,
  JSONExtractString(rawLog, 'user') as user,
  JSONExtractString(rawLog, 'srcIP') as srcIP,
  JSONExtractString(rawLog, 'user_agent') as user_agent,
  JSONExtractString(rawLog, 'severity') as severity,
  JSONExtractString(rawLog, 'metadata', 'login_method') as login_method,
  receivedAt
FROM logs
WHERE sourceType = 'structured-webhook'
  AND JSONExtractString(rawLog, 'eventName') = 'suspicious_login'
  AND JSONExtractString(rawLog, 'srcIP') = '192.168.1.100'
  AND receivedAt BETWEEN {from:DateTime} AND {to:DateTime}

Schedule: */5 * * * * (every 5 minutes)
Severity: Medium
Categories: ["authentication", "test"]
Notification Channels: Leave empty for now (this will create signals)

What This Detection Does:

Monitors webhook logs for suspicious_login events
Filters for events from the specific test IP (192.168.1.100)
Extracts key fields: user, source IP, user agent, severity, and login method
Runs every 5 minutes to check for matching events

After Creating the Detection:

Click Test Detection to verify the query returns your test log
Review the results to confirm it matches your webhook event
Click Save and Enable

View Detection Results

After the detection runs (wait up to 5 minutes or manually trigger it), query the signals table to see the detection results:

View Signals:

-- View signals generated by your detection
SELECT 
  detectionName,
  severity,
  recordsReturned,
  categories,
  createdAt,
  results
FROM signals
WHERE detectionName = 'test-suspicious-login'
ORDER BY createdAt DESC
LIMIT 10

What You’re Querying: The signals table contains detection results that don’t have notification channels configured. Each row represents one execution of your detection query.

Expected Results: You should see one or more rows with:

detectionName: test-suspicious-login - The name of your detection
recordsReturned: 1 (or more) - Number of log entries that matched your detection query
severity: Medium - The severity you configured for the detection
categories: ['authentication', 'test'] - The categories you assigned
createdAt: Timestamp when the detection query executed
results: A JSON array string containing the matched log entries. Each entry includes the fields you selected in your detection query (eventName, user, srcIP, user_agent, severity, login_method, receivedAt)

Example results JSON structure:

[
  {
    "eventName": "suspicious_login",
    "user": "test-user",
    "srcIP": "192.168.1.100",
    "user_agent": "curl-test",
    "severity": "high",
    "login_method": "ssh",
    "receivedAt": "2025-01-15T14:30:00Z"
  }
]

View All Detection Results:

To see all detection results (both signals and alerts), query the detections table:

-- View all detection results for your test detection
SELECT 
  detectionName,
  severity,
  recordsReturned,
  categories,
  notificationNames,
  createdAt,
  results
FROM detections
WHERE detectionName = 'test-suspicious-login'
ORDER BY createdAt DESC
LIMIT 10

What You’re Querying: The detections table contains all detection results, regardless of notification configuration. The notificationNames field distinguishes signals from alerts.

Expected Results: Similar to the signals query, but with an additional notificationNames field:

If notificationNames is empty ([]): This detection result is a signal (no notifications sent)
If notificationNames contains values (e.g., ['email', 'slack']): This detection result is an alert (notifications were sent)

Since you created the detection without notification channels, all results should show empty notificationNames arrays, meaning they appear in both the detections and signals tables.

Configure Notification Channels

Set Up Slack Integration:

Go to Notification Channels → Add Channel → Slack
Click Authorize Slack
Select your Slack workspace
Choose channel: #security-alerts
Test notification
Click Save

Configure Email Notifications:

Email channel is pre-configured by default. Customize recipients:

Go to Notification Channels → Email Channel
Add recipients
Configure email format
Click Save

Set Up PagerDuty Integration:

Create PagerDuty Integration in PagerDuty console
Copy Integration Key
Go to Notification Channels → Add Channel → PagerDuty in RunReveal
Paste Integration Key
Configure incident severity mapping
Test integration

Enable and Monitor Detections

Monitor in Dashboard:

Navigate to Detections dashboard to view:

Active detections count
Detection success rate
Recent signals and alerts generated
Average execution time

Next Steps:

The detection will run automatically every 5 minutes based on the schedule
Query the signals table (see queries above) to view detection results
When ready, add notification channels to your detection to convert signals into alerts
Edit your detection and attach notification channels to start receiving alerts

Explore Platform Features

Run SQL Queries

Navigate to Explorer or Search and try these queries:

Most Common Events (24 hours):

SELECT 
  eventName,
  sourceType,
  COUNT(*) as event_count,
  COUNT(DISTINCT src.ip) as unique_ips
FROM logs 
WHERE receivedAt > now() - INTERVAL 24 HOUR
GROUP BY eventName, sourceType
ORDER BY event_count DESC
LIMIT 20

Top Active Users:

SELECT 
  actor.email as user,
  COUNT(*) as total_events,
  COUNT(DISTINCT eventName) as unique_actions,
  MIN(receivedAt) as first_seen,
  MAX(receivedAt) as last_seen
FROM logs 
WHERE actor.email != ''
  AND receivedAt > now() - INTERVAL 7 DAY
GROUP BY actor.email
ORDER BY total_events DESC
LIMIT 50

Use AI Chat

AI Chat uses Claude to help you investigate security events, write queries, and analyze patterns across your logs.

Enable AI Chat:

Go to Settings → AI Settings
Configure AI provider (AWS Bedrock, OpenAI, or Azure OpenAI)
Enter your API credentials
Click Test Connection then Save

Try AI Chat:

Navigate to Chat and try prompts like:

“What are the most common event types in the last 24 hours?”
“Show me any failed login attempts from unusual locations”
“Write a detection for AWS IAM policy changes”

Set Up Dashboards

Create Custom Dashboard:

Go to Dashboards → Create Dashboard
Dashboard name: Security Overview
Description: Real-time security metrics and alerts
Click Create

Add Dashboard Widgets:

Available widget types include Time Series Charts, Counter Widgets, and Table Widgets. Each widget is powered by SQL queries.

Share Dashboard:

Open your dashboard
Click Share button
Configure access settings
Copy share link
Distribute to team members

Install RunReveal CLI (Optional)

The RunReveal CLI enables detection-as-code workflows, automated testing, and CI/CD integration.

Install via Homebrew (macOS):

brew tap runreveal/runreveal
brew install runreveal

Install Binary (Linux):

curl -L https://github.com/runreveal/runreveal/releases/latest/download/runreveal-linux-amd64 -o runreveal
chmod +x runreveal
sudo mv runreveal /usr/local/bin/

Configure CLI:

# Authenticate with API token
runreveal config set api-token YOUR_API_TOKEN
 
# Set default workspace
runreveal config set workspace YOUR_WORKSPACE_ID
 
# Verify configuration
runreveal config list

Common CLI Commands:

# List all detections
runreveal detections list
 
# Create new detection
runreveal detections create --file detection.yaml
 
# Test detection locally
runreveal detections test --name "Failed Logins"
 
# Export detections to YAML
runreveal detections export --output ./detections/
 
# View recent logs
runreveal logs query "SELECT * FROM logs LIMIT 10"

Helpful Links

Now that you have completed RunReveal onboarding, explore the detailed configuration guides:

Detections - Create and manage security detection rules
Sigma Streaming - Use Sigma rules for standardized threat detection
Detection as Code - Manage detections through code and version control
Sources - Set up data collection from your systems
Pipelines - Configure data processing workflows
Notifications Getting Started - Set up alerting and notification channels
AI Chat - Use AI-powered analysis for threat hunting and investigation
Enrichments - Add context and metadata to your security events

How To Guides Quick Start: Detections, Signals, and Alerts