Release Notes: v2026.5.0

Upgrade note: Migrations run automatically on startup by default, so the schema changes and the removal of archive-only routing described below take effect as soon as the new version starts. Review the Breaking Changes and Database Migrations sections before upgrading.

Highlights

  • Tier 1 managed detections with auto-triage — Introduced tiered managed detection packs with an overhauled detection query library. Tier 1 packs ship with pre-configured notification names and AI auto-triage enabled by default, which reduces setup time when enabling a pack.
  • Destination-based routing replaces archive flags — Pipelines now route events through explicit destination steps instead of the old archive flag system. New pipelines are seeded with a default destination step, giving you clearer visibility and control over where your data goes.
  • Microsoft GCC-High and sovereign cloud support — Organizations in US government cloud environments can now connect Office 365 and other Microsoft sources by configuring custom API and OAuth endpoints.
  • New Keycloak and Anthropic integrations — You can now ingest Keycloak audit logs (via webhook or object storage) and Anthropic Claude compliance activity logs as first-class sources.

Features

  • GCC-High / sovereign cloud support — Office 365 API URLs and Microsoft OAuth endpoints are now configurable, enabling sources in GCC-High environments.
  • Destination step in pipelines — Pipelines now use an explicit destination step (including a default ClickHouse destination) replacing the old archive flag and store step, with a dropdown to select destinations and warnings when no destination is configured.
  • New default pipeline seeding — Newly created pipelines are automatically seeded with default pipeline steps including a destination step.
  • Keycloak source — Added native Keycloak support for ingesting audit and admin event logs via webhook and object storage.
  • Anthropic compliance logs source — Added a polling source for Anthropic Claude compliance activity logs.
  • Tier 1 managed detections — Introduced tiered managed detection packs with an overhauled detection query library, pre-configured notification names, and AI auto-triage defaults.
  • IOC lookup tool — Added an indicator-of-compromise lookup tool for enrichment and investigation workflows.
  • Investigations improvements — Added cursor-based pagination for investigations, investigation status on linked alerts, and UX refinements to the investigations page.
  • Destination errors page — Added a dedicated page to view and diagnose destination delivery errors.
  • Agent permissions for roles — Roles now include agent-related permissions, and a workspace-level agent task killswitch is available in the admin panel.
  • Object storage destination key prefix — S3, R2, and GCS destinations now support an optional key prefix for organizing stored objects.
  • Source enable/disable — Source deletion has been renamed to “disable,” with a corresponding “enable” action to reactivate sources.
  • Structured wire format — Events now use a structured wire format with normalized fields and a new sourceProvider field in the schema.
  • Audit log improvements — Per-actor audit log links and GeoIP enrichment on audit events are now available.
  • Increased max source TTL — Maximum source TTL raised from 550 to 3,652 days (10 years).
  • Query time in URL — Query time ranges are now persisted in the URL for easier sharing and bookmarking.
  • Sigma editor syntax highlighting — The detection Sigma editor now includes YAML syntax highlighting.
  • CrowdStrike cloud configuration — CrowdStrike Falcon Intelligence cloud is now configurable per source.
  • Salesforce expanded types — Added support for additional Salesforce event log types.
  • Configurable airlock ports — Outgoing connection ports in airlock are now configurable.
  • Config JSON schema generator — Added a tool to generate a JSON schema for config.json validation.

New Integrations

Source                Type            Description
Anthropic Compliance  polling         Ingests Anthropic Claude compliance activity logs
Keycloak              webhook         Ingests Keycloak audit and admin event logs via webhook
Keycloak              object storage  Ingests Keycloak audit and admin event logs from object storage

Bug Fixes

  • Salesforce event log polling limits — Salesforce event log polling now chunks the initial backfill and caps the number of logs fetched per poll, then switches to hourly polling once the backfill completes.
  • Stale query response handling — Stale and aborted query responses are now handled cleanly instead of surfacing errors.
  • Custom views special characters — JSON paths with hyphens, @, and other special characters are now properly quoted in custom views.
  • Object storage destination batching — Object storage destinations now batch writes instead of creating one file per event.
  • CrowdStrike field normalization — EppDetectionSummaryEvent fields are now properly normalized, and event type documentation per source has been clarified.
  • Cloudflare Gateway raw log preservation — The Cloudflare Gateway HTTP source now preserves original raw log bytes.
  • Azure blob expiration parsing — Azure blob storage now tolerates _N suffixes on blob names when parsing expiration dates.
  • Explorer IS NULL filters — Explorer filters now use IS EMPTY instead of IS NULL for correct results.
  • Pipeline step unique constraint — The pipeline steps join unique constraint is now scoped to the pipeline rather than the workspace.
  • Notifications pointer dereference — Fixed a crash in the notifications send endpoint caused by a nil pointer dereference.
  • Detection error count — Detection error counts now display the raw error count instead of an incorrect value.
  • Detection schedule sync — Clearing the schedule now works correctly when transitioning from SQL to Sigma detection mode.
  • ClickHouse connection balancing — Reduced ConnMaxLifetime for improved shard load balancing across ClickHouse nodes.
  • Jira secret field name — Jira secrets are now stored as apiauth to match the backend expectation.
  • Chat auto-scroll — Auto-scroll in the chat interface no longer overrides the user’s manual scroll position.
  • Alert filter routing — Fixed no-op router.replace calls and alert ID pill removal in alert filters.
  • Collation in ORDER BY — Added COLLATE to ORDER BY clauses for consistent sort behavior.
  • Notification filter — Fixed the filter on the notifications list page.
  • Welcome email during bootstrap — Welcome email is now optional during organization bootstrap.
  • BYODB custom views — Custom views fetch is now skipped for bring-your-own-database workspaces.
  • SSE connection establishment — Server-sent events now respond immediately to establish the stream connection without delay.
  • AI provision model provider — Fixed incorrect provider selection for Bedrock models in AI provisioning.
  • Sortable icon on action columns — Removed the misleading sortable icon from all action columns in tables.
  • Keycloak explorer view — Added the missing Keycloak table to the explorer views list.
  • Google Workspace explorer view — Added Google Workspace logs as a table in the explorer.

Breaking Changes

  • Archive flag and store step removed — The archiveOnly flag on S3 destinations, the FilterActionArchive filter, and the PipelineStepArchive / store step have been removed. Routing is now handled entirely by destination steps. Existing pipelines are seeded with a default ClickHouse destination step by the add_default_clickhouse_destination_to_pipelines migration, but nothing is seeded for former archive-only S3 destinations: events that previously reached an S3 destination only through archive routing stop arriving there after the upgrade until you add an explicit destination step pointing to that S3 destination. Audit affected pipelines before upgrading and add the step immediately afterwards.
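The check a practitioner wants before this upgrade is a list of pipelines whose S3 delivery depended on the removed archive mechanisms and that have no destination step covering the same target. The program below is an added example, not RunReveal's code; it assumes a hypothetical JSON export of destinations and pipelines with the field names shown (name, kind, archiveOnly, type, action, destination), which are assumptions for illustration. The sample export is constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Types mirroring a hypothetical JSON export of pipeline definitions.
// The field names are assumptions for this example, not RunReveal's schema.
type Destination struct {
	Name        string `json:"name"`
	Kind        string `json:"kind"`        // "s3", "clickhouse", ...
	ArchiveOnly bool   `json:"archiveOnly"` // flag removed in v2026.5.0
}

type Step struct {
	Type        string `json:"type"`                  // "filter", "archive", "store", "destination"
	Action      string `json:"action,omitempty"`      // filter action; "archive" stands in for FilterActionArchive
	Destination string `json:"destination,omitempty"` // destination name the step routes to, if any
}

type Pipeline struct {
	Name  string `json:"name"`
	Steps []Step `json:"steps"`
}

type Export struct {
	Destinations []Destination `json:"destinations"`
	Pipelines    []Pipeline    `json:"pipelines"`
}

// Finding names a pipeline that needs an explicit destination step.
// Target is the destination that the removed archive routing delivered to,
// or "" when the pipeline has no destination step of any kind.
type Finding struct {
	Pipeline string
	Target   string
}

func LoadExport(data []byte) (Export, error) {
	var exp Export
	err := json.Unmarshal(data, &exp)
	return exp, err
}

// Audit returns, sorted by pipeline then target, every destination a pipeline
// reached only through archive routing (archive/store steps, archive filters,
// or archiveOnly destinations) without a destination step covering it, plus
// pipelines that have no destination step at all.
func Audit(exp Export) []Finding {
	archiveOnly := map[string]bool{}
	for _, d := range exp.Destinations {
		if d.ArchiveOnly {
			archiveOnly[d.Name] = true
		}
	}
	var out []Finding
	for _, p := range exp.Pipelines {
		targets := map[string]bool{} // reached only via removed archive routing
		covered := map[string]bool{} // reached via an explicit destination step
		for _, s := range p.Steps {
			switch {
			case s.Type == "destination":
				covered[s.Destination] = true
			case s.Type == "archive" || s.Type == "store" || (s.Type == "filter" && s.Action == "archive"):
				if s.Destination != "" {
					targets[s.Destination] = true
				} else {
					// An archive action with no named target implied delivery
					// to every archiveOnly destination (assumption for this example).
					for name := range archiveOnly {
						targets[name] = true
					}
				}
			}
		}
		for t := range targets {
			if !covered[t] {
				out = append(out, Finding{Pipeline: p.Name, Target: t})
			}
		}
		if len(covered) == 0 && len(targets) == 0 {
			out = append(out, Finding{Pipeline: p.Name})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Pipeline != out[j].Pipeline {
			return out[i].Pipeline < out[j].Pipeline
		}
		return out[i].Target < out[j].Target
	})
	return out
}

// sampleExport is constructed data for this example.
const sampleExport = `{
  "destinations": [
    {"name": "s3-archive", "kind": "s3", "archiveOnly": true},
    {"name": "s3-compliance", "kind": "s3", "archiveOnly": false},
    {"name": "clickhouse", "kind": "clickhouse", "archiveOnly": false}
  ],
  "pipelines": [
    {"name": "okta", "steps": [{"type": "filter", "action": "drop"}, {"type": "destination", "destination": "clickhouse"}]},
    {"name": "vpc-flow", "steps": [{"type": "filter", "action": "archive"}]},
    {"name": "cloudtrail", "steps": [{"type": "store", "destination": "s3-compliance"}, {"type": "destination", "destination": "clickhouse"}]},
    {"name": "legacy", "steps": []}
  ]
}`

func main() {
	exp, err := LoadExport([]byte(sampleExport))
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(exp) {
		if f.Target == "" {
			fmt.Printf("%s: no destination step; the migration will seed the default destination\n", f.Pipeline)
			continue
		}
		fmt.Printf("%s: add a destination step for %s before relying on it after upgrade\n", f.Pipeline, f.Target)
	}
}
```

Run it against your own export before upgrading; every pipeline it lists with a named target will otherwise lose delivery to that S3 destination once the archive step is gone.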

Maintenance

  • Documentation improvements: deployment guide with visual diagrams, API pagination guides, onboarding revamp, and port allocation docs
  • Renamed “Default ClickHouse” to “Default Destination” in UI labels
  • Added async agent worker metrics and increased bucket range for agent task execution
  • Added detection notes to agent context
  • Added pipeline creation warning banner when saving without a detection or destination step
  • Improved migration error handling and failure notification emails

Database Migrations

Migration                                        Database    Description
fix_pipeline_steps_join_unique_constraint        PostgreSQL  Scopes the pipeline steps join unique constraint to the pipeline level
add_default_clickhouse_destination_to_pipelines  PostgreSQL  Seeds existing pipelines with a default ClickHouse destination step
remove-archive-only-from-destinations            PostgreSQL  Removes the archiveOnly flag from destination configurations
add_ioc_lookup_index                             PostgreSQL  Adds a database index to support IOC lookup queries
managed-detection-notification-names             PostgreSQL  Adds pre-configured notification names to managed detection configs
reveald_format_version_default                   PostgreSQL  Sets a default value for the reveald format version column
add_source_provider_column                       ClickHouse  Adds a sourceProvider column to the events schema
keycloak_view                                    ClickHouse  Creates a materialized view for Keycloak event logs
anthropic_logs                                   ClickHouse  Creates a materialized view for Anthropic compliance logs

Full Changelog: https://github.com/runreveal/runreveal/compare/v2026.4.40...v2026.5.0