Skip to main content

Telemetry

Workshop provides powerful telemetry capabilities for analyzing Santa security events. The telemetry system integrates with Santa's telemetry collection to store and enable querying of detailed endpoint activity data in cloud storage buckets.

info

Telemetry is not enabled by default in Workshop. To enable telemetry collection and cloud storage integration, please contact North Pole Security support for configuration assistance.

Querying Telemetry

Table Naming Convention

Workshop uses dynamic table names:

Table FormatDescriptionExample
<event>_YYYYAll events of type for yearexecution_2025
<event>_YYYYMMEvents for specific monthexecution_202501
<event>_YYYYMMDDEvents for specific dayexecution_20250125
<event>_YYYY_<hostid>Host-specific eventsexecution_2025_a1b2c3d4
<event>_YYYYMMDD_<hostid>Host & date specificexecution_20250125_a1b2c3d4

Event Types: execution, fork, close, file_access, etc. For complete details on event types and their data, see the Schema page.

Host ID Format

When using host UUIDs with dashes in table names, replace dashes with underscores (e.g., a1b2c3d4-e5f6-g7h8 becomes a1b2c3d4_e5f6_g7h8) to avoid SQL syntax errors.

SQL Examples

-- Count total execution events this year
SELECT COUNT(*) FROM execution_2025;

-- Recent execution events for a specific host
SELECT *
FROM execution_20250125_a1b2c3d4_e5f6_g7h8
LIMIT 10;

-- Execution events for a specific binary
SELECT *
FROM execution_20250125
WHERE Target.Executable.Hash.Hash = 'sha256-hash-here'
LIMIT 10;

-- Find processes with dangerous entitlements
SELECT EventTime, Hostname, Instigator.Executable.Path
FROM execution_20250125
WHERE list_contains(
  list_transform(EntitlementInfo.Entitlements, x -> x.Key),
  'com.apple.security.cs.allow-jit'
)
LIMIT 10;

-- Processes with specific environment variables
SELECT *
FROM execution_20250125
WHERE list_contains(
  list_transform(Envs, x -> starts_with(x, 'HOMEBREW_PREFIX=')),
  true
)
LIMIT 10;

Additional Resources

For detailed information about all event types and their complete schemas, see the Schema page.

For more information about Santa's telemetry capabilities, visit Santa's telemetry documentation.