Telemetry
Workshop provides powerful telemetry capabilities for analyzing Santa security events. The telemetry system integrates with Santa's telemetry collection to store and enable querying of detailed endpoint activity data in cloud storage buckets.
Telemetry is not enabled by default in Workshop. To enable telemetry collection and cloud storage integration, please contact North Pole Security support for configuration assistance.
Querying Telemetry
Table Naming Convention
Workshop uses dynamic table names:
| Table Format | Description | Example |
|---|---|---|
| `<event>_YYYY` | All events of type for year | `execution_2025` |
| `<event>_YYYYMM` | Events for specific month | `execution_202501` |
| `<event>_YYYYMMDD` | Events for specific day | `execution_20250125` |
| `<event>_YYYY_<hostid>` | Host-specific events | `execution_2025_a1b2c3d4` |
| `<event>_YYYYMMDD_<hostid>` | Host & date specific | `execution_20250125_a1b2c3d4` |
Event Types: `execution`, `fork`, `close`, `file_access`, etc. For complete details on event types and their data, see Santa's telemetry documentation.
When using host UUIDs with dashes in table names, replace dashes with underscores (e.g., `a1b2c3d4-e5f6-g7h8` becomes `a1b2c3d4_e5f6_g7h8`) to avoid SQL syntax errors.
Data Structure
Each telemetry row contains rich information about the event. For details on available event types and their specific fields, see Santa's telemetry documentation and the SantaMessage schema.
SQL Examples
```sql
-- Count total execution events this year
SELECT COUNT(*) FROM execution_2025;

-- Recent execution events for a specific host
SELECT *
FROM execution_20250125_a1b2c3d4_e5f6_g7h8
LIMIT 10;

-- Execution events for a specific binary
SELECT *
FROM execution_20250125
WHERE Target.Executable.Hash.Hash = 'sha256-hash-here'
LIMIT 10;

-- Find processes with dangerous entitlements
SELECT EventTime, Hostname, Instigator.Executable.Path
FROM execution_20250125
WHERE list_contains(
    list_transform(EntitlementInfo.Entitlements, x -> x.Key),
    'com.apple.security.cs.allow-jit'
)
LIMIT 10;

-- Processes with specific environment variables
SELECT *
FROM execution_20250125
WHERE list_contains(
    list_transform(Envs, x -> starts_with(x, 'HOMEBREW_PREFIX=')),
    true
)
LIMIT 10;
```
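Because the table name changes with event type, date and host, it ends up being interpolated into the SQL text rather than bound as a parameter, which is exactly where a stray dash or an unvalidated host id causes syntax errors (or worse, if the id comes from user input). The following Python helper, added here as an example and not part of Workshop or Santa, builds table names under the naming convention above (dashes in host UUIDs become underscores, everything else is allow-listed) and assembles two of the queries from this section with their values as bound parameters. It assumes a DuckDB-style client that accepts `?` placeholders; the function names, `EVENT_TYPES`, and the rejection of month-plus-host tables are this example's own choices.

```python
"""Compose Workshop telemetry table names and parameterised queries.

Added example, not Workshop's or Santa's own code. Assumes a DuckDB-style
SQL client with '?' placeholders; table naming follows the page's table.
"""
import re
from datetime import date
from typing import List, Optional, Tuple

# Event types named on the page; Santa's telemetry documentation has the full set.
EVENT_TYPES = {"execution", "fork", "close", "file_access"}

# Table names cannot be bound as query parameters, so every fragment that is
# interpolated into FROM must match this strict allow-list first.
_IDENT_RE = re.compile(r"[a-z0-9_]+")

_DATE_FORMATS = {"year": "%Y", "month": "%Y%m", "day": "%Y%m%d"}


def normalize_host_id(host_id: str) -> str:
    """Turn a host UUID into a table-name suffix: dashes become underscores, as the
    page requires; anything outside [a-z0-9_] is rejected instead of interpolated."""
    normalized = host_id.strip().lower().replace("-", "_")
    if not _IDENT_RE.fullmatch(normalized):
        raise ValueError(f"host id {host_id!r} is not safe to use in a table name")
    return normalized


def table_name(event: str, when: str, granularity: str = "day",
               host_id: Optional[str] = None) -> str:
    """Build <event>_YYYY, <event>_YYYYMM, <event>_YYYYMMDD and the host-specific
    variants. `when` is an ISO date such as '2025-01-25'."""
    if event not in EVENT_TYPES:
        raise ValueError(f"unknown event type {event!r}")
    if granularity not in _DATE_FORMATS:
        raise ValueError(f"granularity must be one of {sorted(_DATE_FORMATS)}")
    name = f"{event}_{date.fromisoformat(when).strftime(_DATE_FORMATS[granularity])}"
    if host_id is not None:
        # The page lists host-specific tables only at year and day granularity
        # (an assumption of this example, kept deliberately strict).
        if granularity == "month":
            raise ValueError("host-specific tables exist per year or per day, not per month")
        name = f"{name}_{normalize_host_id(host_id)}"
    return name


def _checked(table: str) -> str:
    """Re-validate a table name immediately before it is spliced into SQL text."""
    if not _IDENT_RE.fullmatch(table):
        raise ValueError(f"refusing to interpolate table name {table!r}")
    return table


def executions_by_hash(table: str, sha256: str, limit: int = 10) -> Tuple[str, List[str]]:
    """The page's 'execution events for a specific binary' query, with the hash
    passed as a bound value rather than pasted into the SQL string."""
    sql = (f"SELECT * FROM {_checked(table)} "
           "WHERE Target.Executable.Hash.Hash = ? "
           f"LIMIT {int(limit)}")
    return sql, [sha256]


def executions_with_entitlement(table: str, entitlement: str,
                                limit: int = 10) -> Tuple[str, List[str]]:
    """The page's 'dangerous entitlements' query, parameterised on the entitlement key."""
    sql = (f"SELECT EventTime, Hostname, Instigator.Executable.Path FROM {_checked(table)} "
           "WHERE list_contains(list_transform(EntitlementInfo.Entitlements, x -> x.Key), ?) "
           f"LIMIT {int(limit)}")
    return sql, [entitlement]


if __name__ == "__main__":
    # Constructed sample values, not real hosts or hashes.
    host_table = table_name("execution", "2025-01-25", "day", "a1b2c3d4-e5f6-g7h8")
    print(host_table)  # execution_20250125_a1b2c3d4_e5f6_g7h8
    print(executions_by_hash(table_name("execution", "2025-01-25"), "sha256-hash-here"))
    print(executions_with_entitlement(table_name("execution", "2025-01-25"),
                                      "com.apple.security.cs.allow-jit"))
```

The two query builders return `(sql, params)` so the caller passes the values through the client's parameter binding; only the table name, which has already passed the allow-list, is placed directly in the statement.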