RunReveal
Reference

Using the CLI

Install the CLI

Install homebrew for macOS, then enable our homebrew tap and install the CLI:

brew tap runreveal/runreveal
brew install runreveal

Login to RunReveal

Once RunReveal has enabled your domain on the platform, login with:

runreveal init

The init command is used to both create an account or log in to an existing account. If it is your first time running init, you'll be prompted to enter the name of your workspace.

runreveal init
Enter your workspace name: Example Inc.

You can validate that you're logged in by running the following command

runreveal config account
👍 You're logged in!
User ID: 2KUOdUOFyuTbPD7amU3WidyfOzf
User Email: [email protected]

Note: Some commands like runreveal config account require runreveal init authorization to display results but the majority of commands can be ran with token authorization via environment variables.

Now you're ready to search your logs like a pro and manage your RunReveal account from the terminal!

Environment Variables

RunReveal CLI uses environment variables to set up specific aspects of the CLI configuration. These are helpful if you don't want to run runreveal init, configure your active workspace, proxy the CLI through a local proxy, or any number of use cases.

RUNREVEAL_TOKEN

The RUNREVEAL_TOKEN environment variable is used to authenticate your CLI session. It supplants the need to run runreveal init and it will override the token stored in your keychain or the RunReveal configuration file.

RUNREVEAL_WORKSPACE

This environment variable is used to set the active workspace for your CLI session. It will override the workspace ID if one is set in the RunReveal configuration file or keychain. This ID must be a workspace ID, not the name of your workspace.

RUNREVEAL_PROFILE

Selects a named profile for the current invocation. This is equivalent to passing --profile <name> on the command line and overrides the current profile stored in the keyring or ~/.runreveal. Useful in CI/CD environments that manage credentials for multiple workspaces:

export RUNREVEAL_PROFILE=production
runreveal detections sync -d ./detections

RUNREVEAL_BASEURL

For customers who have deployed the RunReveal API on-prem or in a private cloud, you can set the RUNREVEAL_BASEURL environment variable to point the CLI to your RunReveal API instance.

RunReveal Cloud:

export RUNREVEAL_BASEURL=https://api.runreveal.com

Custom/On-Prem Instances:

export RUNREVEAL_BASEURL="https://api.YOUR_BASE_DOMAIN.runreveal.com"

RUNREVEAL_APPBASEURL

For customers who have deployed RunReveal on-prem or in a private cloud, you can set the RUNREVEAL_APPBASEURL environment variable to specify the URL that users are routed to when running runreveal init to log into their workspace.

RunReveal Cloud:

export RUNREVEAL_APPBASEURL=https://app.runreveal.com

Custom/On-Prem Instances:

export RUNREVEAL_APPBASEURL="https://app.YOUR_BASE_DOMAIN.runreveal.com"

RUNREVEAL_DEBUG

The RUNREVEAL_DEBUG environment variable is used to enable debug logging for the CLI. This is helpful if you're troubleshooting an issue or want to see more information about the requests and responses from the RunReveal API.

This will output the HTTP requests that are being sent to the RunReveal API.

export RUNREVEAL_DEBUG=1

RUNREVEAL_HEADER_FILE

This is a file that contains additional headers that should be sent along with all HTTP requests that the CLI makes. This is helpful if you're using a proxy or need to send additional headers for authentication.

export RUNREVEAL_HEADER_FILE=/path/to/headers.json

The structure of the header file is a JSON object in this format:

{
    "Headers": {
        "Custom-Header": "value",
        "Another-Header": "value"
    }
}

Migrating to Multi-Profile Credentials

Starting with the version that introduced profile support, the CLI stores credentials in a new format that supports multiple named profiles. The old single-credential format (a ~/.runreveal file or keychain entry with no schemaVersion field) is no longer recognized.

If you use RUNREVEAL_TOKEN and RUNREVEAL_WORKSPACE — no action needed. These environment variables bypass stored credentials entirely and are unaffected by this change.

If you use the interactive login (runreveal init) — re-run runreveal init once after upgrading. Your browser-auth session is still valid on the server; the CLI will write a fresh credential file in the new format.

If you write ~/.runreveal manually in CI/CD — switch to RUNREVEAL_TOKEN and RUNREVEAL_WORKSPACE instead. This is the recommended approach for automation because API tokens are long-lived and do not require a browser flow. If you must use file-based credentials (for example, in an environment with no keychain and restricted env vars), write the file in the new v1 format:

{
  "schemaVersion": 1,
  "profiles": {
    "default": {
      "apiBaseURL": "https://api.runreveal.com",
      "appBaseURL": "https://app.runreveal.com",
      "session": "YOUR_API_TOKEN",
      "workspaceId": "YOUR_WORKSPACE_ID"
    }
  },
  "currentProfile": "default"
}

For on-prem or custom-domain deployments, replace the apiBaseURL and appBaseURL values with your instance URLs. The old format fields Session and DefaultWorkspace are silently ignored after the upgrade.

RunReveal CLI Commands

Complete reference for all RunReveal CLI commands and subcommands.

agents

Create, list, update, silence, and delete scheduled AI agents in the workspace.

Usage:
  runreveal agents [command]
 
Available Commands:
  create      
  delete      
  get         
  list        
  silence     
  update      
 
Flags:
  -h, --help   help for agents
 
Global Flags:
      --header-file string   File containing headers to be used by the http client
 
Use "runreveal agents [command] --help" for more information about a command.

agents create

Usage:
  runreveal agents create [flags]
 
Flags:
  -h, --help   help for create
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

agents delete

Usage:
  runreveal agents delete [flags]
 
Flags:
  -h, --help   help for delete
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

agents get

Usage:
  runreveal agents get [flags]
 
Flags:
  -h, --help   help for get
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

agents list

Usage:
  runreveal agents list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

agents silence

Usage:
  runreveal agents silence [flags]
 
Flags:
  -h, --help   help for silence
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

agents update

Usage:
  runreveal agents update [flags]
 
Flags:
  -h, --help   help for update
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

alerts

Send notifications and triage alerts via the API.

Usage:
  runreveal alerts [command]
 
Available Commands:
  send-notification 
  triage            
 
Flags:
  -h, --help   help for alerts
 
Global Flags:
      --header-file string   File containing headers to be used by the http client
 
Use "runreveal alerts [command] --help" for more information about a command.

alerts send-notification

Usage:
  runreveal alerts send-notification [flags]
 
Flags:
  -h, --help   help for send-notification
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

alerts triage

Usage:
  runreveal alerts triage [flags]
 
Flags:
  -h, --help   help for triage
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

automations

Create and update investigation automation configurations.

Usage:
  runreveal automations [command]
 
Available Commands:
  create      
  update      
 
Flags:
  -h, --help   help for automations
 
Global Flags:
      --header-file string   File containing headers to be used by the http client
 
Use "runreveal automations [command] --help" for more information about a command.

automations create

Usage:
  runreveal automations create [flags]
 
Flags:
  -h, --help   help for create
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

automations update

Usage:
  runreveal automations update [flags]
 
Flags:
  -h, --help   help for update
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

custom-views

Manage custom views (list, get, create, update, delete, test).

Usage:
  runreveal custom-views [command]
 
Available Commands:
  create      
  delete      
  get         
  list        
  test        
  update      
 
Flags:
  -h, --help   help for custom-views
 
Global Flags:
      --header-file string   File containing headers to be used by the http client
 
Use "runreveal custom-views [command] --help" for more information about a command.

custom-views create

Usage:
  runreveal custom-views create [flags]
 
Flags:
  -h, --help   help for create
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

custom-views delete

Usage:
  runreveal custom-views delete [flags]
 
Flags:
  -h, --help   help for delete
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

custom-views get

Usage:
  runreveal custom-views get [flags]
 
Flags:
  -h, --help   help for get
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

custom-views list

Usage:
  runreveal custom-views list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

custom-views test

Usage:
  runreveal custom-views test [flags]
 
Flags:
      --columns string    (required) (JSON format)
  -h, --help              help for test
      --sourceid string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

custom-views update

Usage:
  runreveal custom-views update [flags]
 
Flags:
  -h, --help   help for update
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

investigations

List, create, update, delete, and query investigations (including by alert or detection).

Usage:
  runreveal investigations [command]
 
Available Commands:
  alert-status 
  bulk-close   
  by-alert     
  by-detection 
  create       
  delete       
  get          
  list         
  update       
 
Flags:
  -h, --help   help for investigations
 
Global Flags:
      --header-file string   File containing headers to be used by the http client
 
Use "runreveal investigations [command] --help" for more information about a command.

investigations alert-status

Usage:
  runreveal investigations alert-status [flags]
 
Flags:
  -h, --help   help for alert-status
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

investigations bulk-close

Usage:
  runreveal investigations bulk-close [flags]
 
Flags:
  -h, --help   help for bulk-close
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

investigations by-alert

Usage:
  runreveal investigations by-alert [flags]
 
Flags:
  -h, --help   help for by-alert
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

investigations by-detection

Usage:
  runreveal investigations by-detection [flags]
 
Flags:
  -h, --help   help for by-detection
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

investigations create

Usage:
  runreveal investigations create [flags]
 
Flags:
      --description string   
  -h, --help                 help for create
      --severity string      
      --status string        
      --tags strings         
      --title string
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

investigations delete

Usage:
  runreveal investigations delete [flags]
 
Flags:
  -h, --help   help for delete
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

investigations get

Usage:
  runreveal investigations get [flags]
 
Flags:
  -h, --help   help for get
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

investigations list

Usage:
  runreveal investigations list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

investigations update

Usage:
  runreveal investigations update [flags]
 
Flags:
  -h, --help   help for update
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

openai

Update OpenAI-compatible workspace configuration (see also aimodels for provider setup).

Usage:
  runreveal openai [command]
 
Available Commands:
  config-update 
 
Flags:
  -h, --help   help for openai
 
Global Flags:
      --header-file string   File containing headers to be used by the http client
 
Use "runreveal openai [command] --help" for more information about a command.

openai config-update

Usage:
  runreveal openai config-update [flags]
 
Flags:
  -h, --help   help for config-update
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

threatintel

View and update workspace threat intelligence integrations (VirusTotal, CrowdStrike).

Usage:
  runreveal threatintel [command]
 
Available Commands:
  info               
  update-crowdstrike 
  update-virustotal  
 
Flags:
  -h, --help   help for threatintel
 
Global Flags:
      --header-file string   File containing headers to be used by the http client
 
Use "runreveal threatintel [command] --help" for more information about a command.

threatintel info

Usage:
  runreveal threatintel info [flags]
 
Flags:
  -h, --help   help for info
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

threatintel update-crowdstrike

Usage:
  runreveal threatintel update-crowdstrike [flags]
 
Flags:
  -h, --help   help for update-crowdstrike
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

threatintel update-virustotal

Usage:
  runreveal threatintel update-virustotal [flags]
 
Flags:
  -h, --help   help for update-virustotal
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

tokens

Create workspace API tokens.

Usage:
  runreveal tokens [command]
 
Available Commands:
  create      
 
Flags:
  -h, --help   help for tokens
 
Global Flags:
      --header-file string   File containing headers to be used by the http client
 
Use "runreveal tokens [command] --help" for more information about a command.

tokens create

Usage:
  runreveal tokens create [flags]
 
Flags:
  -h, --help   help for create
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

aimodels

Configure AI model integrations for RunReveal's AI-powered investigation features. Set up connections to OpenAI, Anthropic Claude, Google AI, and AWS Bedrock for enhanced log analysis and automated threat detection.

Usage:
  runreveal aimodels [command]
 
Available Commands:
  info                   
  update-anthropic       
  update-bedrock         
  update-googleai        
  update-openai          
  update-provider-config 
 
Flags:
  -h, --help   help for aimodels
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

aimodels info

Usage:
  runreveal aimodels info [flags]
 
Flags:
  -h, --help   help for info
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

aimodels update-anthropic

Usage:
  runreveal aimodels update-anthropic [flags]
 
Flags:
  -h, --help   help for update-anthropic
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

aimodels update-bedrock

Usage:
  runreveal aimodels update-bedrock [flags]
 
Flags:
  -h, --help   help for update-bedrock
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

aimodels update-googleai

Usage:
  runreveal aimodels update-googleai [flags]
 
Flags:
  -h, --help   help for update-googleai
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

aimodels update-openai

Usage:
  runreveal aimodels update-openai [flags]
 
Flags:
  -h, --help   help for update-openai
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

aimodels update-provider-config

Usage:
  runreveal aimodels update-provider-config [flags]
 
Flags:
  -h, --help   help for update-provider-config
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

completion

Generate shell autocompletion scripts to enable tab completion for RunReveal CLI commands in bash, zsh, fish, and PowerShell environments.

Generate the autocompletion script for runreveal for the specified shell.
See each sub-command's help for details on how to use the generated script.
 
Usage:
  runreveal completion [command]
 
Available Commands:
  bash        Generate the autocompletion script for bash
  fish        Generate the autocompletion script for fish
  powershell  Generate the autocompletion script for powershell
  zsh         Generate the autocompletion script for zsh
 
Flags:
  -h, --help   help for completion
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

completion bash

Generate the autocompletion script for the bash shell.
 
This script depends on the 'bash-completion' package.
If it is not installed already, you can install it via your OS's package manager.
 
To load completions in your current shell session:
 
	source <(runreveal completion bash)
 
To load completions for every new session, execute once:
 
#### Linux:
 
	runreveal completion bash > /etc/bash_completion.d/runreveal
 
#### macOS:
 
	runreveal completion bash > $(brew --prefix)/etc/bash_completion.d/runreveal
 
You will need to start a new shell for this setup to take effect.
 
Usage:
  runreveal completion bash
 
Flags:
  -h, --help              help for bash
      --no-descriptions   disable completion descriptions
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

completion fish

Generate the autocompletion script for the fish shell.
 
To load completions in your current shell session:
 
	runreveal completion fish | source
 
To load completions for every new session, execute once:
 
	runreveal completion fish > ~/.config/fish/completions/runreveal.fish
 
You will need to start a new shell for this setup to take effect.
 
Usage:
  runreveal completion fish [flags]
 
Flags:
  -h, --help              help for fish
      --no-descriptions   disable completion descriptions
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

completion powershell

Generate the autocompletion script for powershell.
 
To load completions in your current shell session:
 
	runreveal completion powershell | Out-String | Invoke-Expression
 
To load completions for every new session, add the output of the above command
to your powershell profile.
 
Usage:
  runreveal completion powershell [flags]
 
Flags:
  -h, --help              help for powershell
      --no-descriptions   disable completion descriptions
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

completion zsh

Generate the autocompletion script for the zsh shell.
 
If shell completion is not already enabled in your environment you will need
to enable it.  You can execute the following once:
 
	echo "autoload -U compinit; compinit" >> ~/.zshrc
 
To load completions in your current shell session:
 
	source <(runreveal completion zsh)
 
To load completions for every new session, execute once:
 
#### Linux:
 
	runreveal completion zsh > "${fpath[1]}/_runreveal"
 
#### macOS:
 
	runreveal completion zsh > $(brew --prefix)/share/zsh/site-functions/_runreveal
 
You will need to start a new shell for this setup to take effect.
 
Usage:
  runreveal completion zsh [flags]
 
Flags:
  -h, --help              help for zsh
      --no-descriptions   disable completion descriptions
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

config

Manage RunReveal CLI configuration settings, view account information, and handle subscription management. Access stored credentials and display configuration for external integrations like Grafana.

Manage your config
 
Usage:
  runreveal config [command]
 
Available Commands:
  account     List information about your account
  show        Print the configuration stored in the keychain
  subscribe   Subscribe to runreveal
 
Flags:
  -h, --help   help for config
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

config account

List information about your account
 
Usage:
  runreveal config account [flags]
 
Flags:
  -h, --help   help for account
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

config show

Print the configuration stored in the keychain
 
Usage:
  runreveal config show [flags]
 
Flags:
  -g, --grafana   Print the required config options needed for Grafana setup
  -h, --help      help for show
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

config subscribe

Subscribe to runreveal
 
Usage:
  runreveal config subscribe [flags]
 
Flags:
  -h, --help      help for subscribe
      --no-open   Set this flag if you don't want to open a browser window automatically.
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

detections

Create, test, and manage custom security detection rules using SQL or Sigma formats. Supports detections-as-code workflows with Git-style synchronization, local testing, and export capabilities.

Usage:
  runreveal detections [command]
 
Available Commands:
  create-wizard Create a new detection using the wizard.
  export        Export all or a specified detection as a config file to the given directory
  list
  run           Provided a streaming detection, run against provided log samples and get whether there would be matches.
  set-enabled
  sync          List changes between detections in the given directory and detections defined in Runreveal
  test          Given a detection config file, test the detection against the given query file using a time range provided.
 
Flags:
  -h, --help   help for detections
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

detections create-wizard

Create a new detection using the wizard.
 
Usage:
  runreveal detections create-wizard [flags]
 
Flags:
  -h, --help   help for create-wizard
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

detections export

Export all or a specified detection as a config file to the given directory
 
Usage:
  runreveal detections export [flags]
 
Flags:
  -d, --directory string               Directory to export detections to (default ".")
      --flat                           Flatten the exported detection directory structure
  -f, --format detectionConfigFormat   The format to export the detection as. allowed: "yaml", "json" (default yaml)
  -h, --help                           help for export
  -n, --name string                    Name of the detection to export, if not specified all detections will be exported
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

detections list

Usage:
  runreveal detections list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

detections run

Provided a streaming detection, run against provided log events in ndjson format and get whether there would be a match per line.
 
Usage:
  runreveal detections run [flags]
 
Flags:
      --fail-no-match   Whether the command should fail when there's no match. (default true)
  -f, --file string     Detection config file
  -h, --help            help for run
  -i, --input string    Sample input file in JSON format
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

detections set-enabled

Usage:
  runreveal detections set-enabled [flags]
 
Flags:
      --enabled string   (required)
  -h, --help             help for set-enabled
      --id string        (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

detections sync

List changes between detections in the given directory and detections defined in Runreveal
 
Usage:
  runreveal detections sync [flags]
 
Flags:
  -d, --directory string   Directory to recursively upload detections from (default ".")
  -t, --dry-run            Don't execute changes, just print them
  -h, --help               help for sync
  -i, --interactive        Interactive mode, allows you to preview changes before applying them
  -o, --overwrite          Overwrite pre-existing UI detections with the same name.
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

detections test

Given a detection config file, test the detection against the given query file using a time range provided.
 
Usage:
  runreveal detections test [flags]
 
Flags:
  -f, --file string   Detection config file
      --from string   From time to use, if your query uses the {from:DateTime} macro (default "now-1h")
  -h, --help          help for test
      --to string     To time to use, if your query uses the {to:DateTime} macro (default "now")
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

enrichments

Add contextual data to logs through enrichment rules. Enhance raw log data with IP geolocation, threat intelligence, asset information, and custom business context for improved analysis and alerting.

Usage:
  runreveal enrichments [command]
 
Available Commands:
  create      
  delete      
  get         
  list        
  set-enabled 
  update      
 
Flags:
  -h, --help   help for enrichments
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

enrichments create

Usage:
  runreveal enrichments create [flags]
 
Flags:
      --description string   
      --displayname string   
  -h, --help                 help for create
      --isactive             
      --name string          (required)
      --path string          (required)
      --rules string         (required) (JSON format)
      --sources strings      (required)
      --workspaceid string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

enrichments delete

Usage:
  runreveal enrichments delete [flags]
 
Flags:
  -h, --help        help for delete
      --id string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

enrichments get

Usage:
  runreveal enrichments get [flags]
 
Flags:
  -h, --help        help for get
      --id string   ID or name of enrichment to get (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

enrichments list

Usage:
  runreveal enrichments list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

enrichments set-enabled

Usage:
  runreveal enrichments set-enabled [flags]
 
Flags:
      --enabled     (required)
  -h, --help        help for set-enabled
      --id string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

enrichments update

Usage:
  runreveal enrichments update [flags]
 
Flags:
      --description string   
      --displayname string   
  -h, --help                 help for update
      --id string            (required)
      --isactive             
      --name string          (required)
      --path string          (required)
      --rules string         (required) (JSON format)
      --sources strings      (required)
      --workspaceid string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

filters

Manage data filtering rules to control which logs are ingested and processed. Configure filters to reduce noise, manage costs, and focus on security-relevant events.

Usage:
  runreveal filters [command]
 
Available Commands:
  list        
 
Flags:
  -h, --help   help for filters
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

filters list

Usage:
  runreveal filters list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

init

Initialize RunReveal CLI authentication and workspace configuration. Sets up credentials, selects default workspace, and configures API endpoints for first-time users.

Get started with runreveal
 
Usage:
  runreveal init [flags]
 
Flags:
  -h, --help          help for init
      --no-keychain   Set this flag if want to disable the keychain and save your RunReveal session to your home directory
      --no-open       Set this flag if you don't want to open a browser window automatically.
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

lint

Validate and format detection rule files for syntax errors and best practices. Supports both Sigma rule validation and SQL query formatting using ClickHouse standards.

Lint detection files
 
Usage:
  runreveal lint [command]
 
Available Commands:
  sigma       Lint Sigma detections files
  sql         Format SQL detection files - requires clickhouse CLI installed
 
Flags:
  -h, --help   help for lint
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

lint sigma

Lint Sigma detections files
 
Usage:
  runreveal lint sigma [files or directories...] [flags]
 
Flags:
  -h, --help   help for sigma
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

lint sql

Format SQL detection files - requires clickhouse CLI installed
 
Usage:
  runreveal lint sql [files or directories...] [flags]
 
Flags:
  -h, --help   help for sql
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

logs

Execute log searches and run saved queries against your security data. Supports multiple output formats (table, JSON, CSV) and parameterized queries for flexible analysis.

Search your logs
 
Usage:
  runreveal logs [flags]
 
Flags:
  -f, --format string          Prints the results to standard out in the supplied format [csv, json, table] (default "table")
  -h, --help                   help for logs
      --name string            The name of a previously saved query.
  -p, --param stringToString   Named query parameter mappings, -p key=value (default [])
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections

Subscribe to community-maintained and premium detection rules from RunReveal's detection library. Access curated threat detection content without writing custom rules.

Usage:
  runreveal managed-detections [command]
 
Available Commands:
  clone                    
  get                      
  get-subscription         
  list                     
  list-subscriptions       
  subscribe                
  subscription-set-enabled 
  unsubscribe              
  update-subscription      
 
Flags:
  -h, --help   help for managed-detections
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections clone

Usage:
  runreveal managed-detections clone [flags]
 
Flags:
  -h, --help        help for clone
      --id string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections get

Usage:
  runreveal managed-detections get [flags]
 
Flags:
  -h, --help          help for get
      --name string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections get-subscription

Usage:
  runreveal managed-detections get-subscription [flags]
 
Flags:
  -h, --help          help for get-subscription
      --name string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections list

Usage:
  runreveal managed-detections list [flags]
 
Flags:
  -h, --help           help for list
      --type strings
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections list-subscriptions

Usage:
  runreveal managed-detections list-subscriptions [flags]
 
Flags:
  -h, --help           help for list-subscriptions
      --type strings   Detection types to list (can repeat for multiple types)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections subscribe

Usage:
  runreveal managed-detections subscribe [flags]
 
Flags:
      --disabled                
  -h, --help                    help for subscribe
      --id string               (required)
      --notifications strings   Notification channels for the detection
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections subscription-set-enabled

Usage:
  runreveal managed-detections subscription-set-enabled [flags]
 
Flags:
      --enabled     (required)
  -h, --help        help for subscription-set-enabled
      --id string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections unsubscribe

Usage:
  runreveal managed-detections unsubscribe [flags]
 
Flags:
  -h, --help        help for unsubscribe
      --id string   (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-detections update-subscription

Usage:
  runreveal managed-detections update-subscription [flags]
 
Flags:
      --enabled                 
  -h, --help                    help for update-subscription
      --id string               (required)
      --notifications strings   Notification channels for the detection
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-enrichments

Subscribe to community-maintained data enrichment rules. Access pre-built enrichment logic for common security use cases like IP reputation, geolocation, and threat intelligence.

Usage:
  runreveal managed-enrichments [command]
 
Available Commands:
  get                
  list               
  list-subscriptions 
  subscribe          
  unsubscribe        
 
Flags:
  -h, --help   help for managed-enrichments
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-enrichments get

Usage:
  runreveal managed-enrichments get [flags]
 
Flags:
  -h, --help        help for get
      --id string   ID or name of managed enrichment to get (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-enrichments list

Usage:
  runreveal managed-enrichments list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-enrichments list-subscriptions

Usage:
  runreveal managed-enrichments list-subscriptions [flags]
 
Flags:
  -h, --help   help for list-subscriptions
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-enrichments subscribe

Usage:
  runreveal managed-enrichments subscribe [flags]
 
Flags:
  -h, --help        help for subscribe
      --id string   ID of the managed enrichment to subscribe to (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

managed-enrichments unsubscribe

Usage:
  runreveal managed-enrichments unsubscribe [flags]
 
Flags:
  -h, --help        help for unsubscribe
      --id string   ID of the managed enrichment to unsubscribe to (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

mcp

Start the Model Context Protocol server to integrate RunReveal with AI tools and editors. Enables AI assistants like Claude, ChatGPT, and Cursor to query your security data and assist with investigations.

Start the MCP server which implements the Model Context Protocol
for interacting with AI models in compatible tools and editors.
 
The server reads requests from stdin and writes responses to stdout, processing messages
according to the JSON-RPC 2.0 protocol.
 
Example:
  runreveal mcp < requests.jsonl
 
Usage:
  runreveal mcp [flags]
 
Flags:
  -h, --help   help for mcp
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notification-history

View the history of sent notifications and alerts. Track notification delivery status, troubleshoot notification issues, and audit alert communications.

Usage:
  runreveal notification-history [command]
 
Available Commands:
  list          
  list-by-alert 
 
Flags:
  -h, --help   help for notification-history
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notification-history list

Usage:
  runreveal notification-history list [flags]
 
Flags:
  -h, --help        help for list
      --limit int   help text
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notification-history list-by-alert

Usage:
  runreveal notification-history list-by-alert [flags]
 
Flags:
      --alertid string   (required)
  -h, --help             help for list-by-alert
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notifications

Configure notification destinations for security alerts and detection matches. Set up integrations with Slack, email, webhooks, and other communication channels for incident response.

commands for managing notification destinations
 
Usage:
  runreveal notifications [command]
 
Available Commands:
  del         Delete notification destination by ID
  email       Manage email notifications
  list        List slack notification destinations
  slack       Manage slack integration via webhook
  test        Test the notification channel
  webhook     Manage webhooks as a notification source
 
Flags:
  -h, --help   help for notifications
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notifications del

Delete notification destination by ID
 
Usage:
  runreveal notifications del [flags]
 
Flags:
  -h, --help   help for del
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notifications email

Manage email notifications
 
Usage:
  runreveal notifications email [command]
 
Available Commands:
  add         Add email notification destination
  update      Edit configuration of your emmail notification
 
Flags:
  -h, --help   help for email
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notifications list

List slack notification destinations
 
Usage:
  runreveal notifications list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notifications slack

Manage slack integration via webhook
 
Usage:
  runreveal notifications slack [command]
 
Available Commands:
  add         Add slack notification destination
  update      Edit configuration of your slack notification
 
Flags:
  -h, --help   help for slack
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notifications test

Test the notification channel
 
Usage:
  runreveal notifications test [flags]
 
Flags:
  -h, --help   help for test
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

notifications webhook

Manage webhooks as a notification source
 
Usage:
  runreveal notifications webhook [command]
 
Available Commands:
  add         Add webhook notification destination
  update      Edit configuration of your webhook notification
 
Flags:
  -h, --help   help for webhook
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

openapi

Generate OpenAPI 3.0 specifications for the RunReveal API. Use the generated specification to build custom integrations, validate API requests, or import into API documentation tools.

Generate the OpenAPI 3.0 specification for the RunReveal API in JSON format.
 
This specification can be used to:
- Generate client libraries for the RunReveal API
- Understand the available endpoints and their schemas
- Import into API documentation tools
- Validate API requests and responses
 
The specification is written directly to a JSON file. If no output file is specified,
it defaults to 'runreveal-openapi.json' in the current directory.
 
Examples:
  runreveal openapi                           # Creates runreveal-openapi.json
  runreveal openapi --output api-spec.json   # Creates api-spec.json
  runreveal openapi -o /path/to/spec.json    # Creates spec at specific path
 
Usage:
  runreveal openapi [flags]
 
Flags:
  -h, --help            help for openapi
  -o, --output string   Output file path for the OpenAPI specification (default "runreveal-openapi.json")
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

pipelines

Monitor and manage data ingestion pipelines. View pipeline status, throughput metrics, and troubleshoot data flow issues from sources to destinations.

Usage:
  runreveal pipelines [command]
 
Available Commands:
  list        
 
Flags:
  -h, --help   help for pipelines
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

pipelines list

Usage:
  runreveal pipelines list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

query

Execute saved queries and manage query scheduling. Run parameterized queries, view scheduled query results, and manage automated query execution for regular reporting.

commands for managing saved queries
 
Usage:
  runreveal query [command]
 
Available Commands:
  run         Execute a named query
  schedule    commands for managing query schedules
 
Flags:
  -h, --help   help for query
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

query run

Execute a named query
 
Usage:
  runreveal query run [flags]
 
Flags:
  -f, --format string          Prints the results to standard out in the supplied format [csv, json, table] (default "table")
  -h, --help                   help for run
  -p, --param stringToString   Named query parameter mappings, -p key=value (default [])
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

query schedule

commands for managing query schedules
 
Usage:
  runreveal query schedule [command]
 
Available Commands:
  result      Display the results from a scheduled query run
 
Flags:
  -h, --help   help for schedule
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

sources

View and manage log data sources connected to RunReveal. Monitor source health, connection status, and data ingestion from various platforms and services.

Usage:
  runreveal sources [command]
 
Available Commands:
  list        
 
Flags:
  -h, --help   help for sources
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

sources list

Usage:
  runreveal sources list [flags]
 
Flags:
  -h, --help           help for list
      --type strings
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

topics

Manage data organization topics for log categorization and routing. Configure how different types of security events are classified and processed within RunReveal.

Usage:
  runreveal topics [command]
 
Available Commands:
  list        
 
Flags:
  -h, --help   help for topics
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

topics list

Usage:
  runreveal topics list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

transforms

Configure data transformation rules to normalize and structure incoming log data. Apply parsing, field mapping, and data standardization before storage in the data lake.

Usage:
  runreveal transforms [command]
 
Available Commands:
  list        
 
Flags:
  -h, --help   help for transforms
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

transforms list

Usage:
  runreveal transforms list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

workspaces

Manage RunReveal workspaces, user access, and workspace switching. Control team access, invite users, manage roles, and switch between different organizational contexts.

Usage:
  runreveal workspaces [command]
 
Available Commands:
  current     Show active workspace
  invite-user 
  list        
  list-users  
  remove-user 
  use         Switch to a different workspace
 
Flags:
  -h, --help   help for workspaces
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

workspaces current

Show active workspace
 
Usage:
  runreveal workspaces current [flags]
 
Flags:
  -h, --help   help for current
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

workspaces invite-user

Usage:
  runreveal workspaces invite-user [flags]
 
Flags:
      --email string   (required)
  -h, --help           help for invite-user
      --role string    (required)
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

workspaces list

Usage:
  runreveal workspaces list [flags]
 
Flags:
  -h, --help   help for list
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

workspaces list-users

Usage:
  runreveal workspaces list-users [flags]
 
Flags:
  -h, --help   help for list-users
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

workspaces remove-user

Usage:
  runreveal workspaces remove-user [flags]
 
Flags:
      --email string   (required)
  -h, --help           help for remove-user
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

workspaces use

Switch to a different workspace
 
Usage:
  runreveal workspaces use [flags]
 
Flags:
  -h, --help        help for use
      --id string   The workspace id that you'd like to make active.
 
Global Flags:
      --header-file string   File containing headers to be used by the http client

Previous

RunReveal Audit Logs

Next

Managing Users

On this page

Using the CLIInstall the CLILogin to RunRevealEnvironment VariablesRUNREVEAL_TOKENRUNREVEAL_WORKSPACERUNREVEAL_PROFILERUNREVEAL_BASEURLRUNREVEAL_APPBASEURLRUNREVEAL_DEBUGRUNREVEAL_HEADER_FILEMigrating to Multi-Profile CredentialsRunReveal CLI Commandsagentsagents createagents deleteagents getagents listagents silenceagents updatealertsalerts send-notificationalerts triageautomationsautomations createautomations updatecustom-viewscustom-views createcustom-views deletecustom-views getcustom-views listcustom-views testcustom-views updateinvestigationsinvestigations alert-statusinvestigations bulk-closeinvestigations by-alertinvestigations by-detectioninvestigations createinvestigations deleteinvestigations getinvestigations listinvestigations updateopenaiopenai config-updatethreatintelthreatintel infothreatintel update-crowdstrikethreatintel update-virustotaltokenstokens createaimodelsaimodels infoaimodels update-anthropicaimodels update-bedrockaimodels update-googleaiaimodels update-openaiaimodels update-provider-configcompletioncompletion bashcompletion fishcompletion powershellcompletion zshconfigconfig accountconfig showconfig subscribedetectionsdetections create-wizarddetections exportdetections listdetections rundetections set-enableddetections syncdetections testenrichmentsenrichments createenrichments deleteenrichments getenrichments listenrichments set-enabledenrichments updatefiltersfilters listinitlintlint sigmalint sqllogsmanaged-detectionsmanaged-detections clonemanaged-detections getmanaged-detections get-subscriptionmanaged-detections listmanaged-detections list-subscriptionsmanaged-detections subscribemanaged-detections subscription-set-enabledmanaged-detections unsubscribemanaged-detections update-subscriptionmanaged-enrichmentsmanaged-enrichments getmanaged-enrichments listmanaged-enrichments list-subscriptionsmanaged-enrichments subscribemanaged-enrichments unsubscribemcpnotification-historynotification-history listnotification-history list-by-alertnotificationsnotifications delnotifications emailnotifications listnotifications slacknotifications testnotifications webhookopenapipipelinespipelines listqueryquery runquery schedulesourcessources listtopicstopics listtransformstransforms listworkspacesworkspaces currentworkspaces invite-userworkspaces listworkspaces list-usersworkspaces remove-userworkspaces use