---
title: "Telemetry - Workshop Docs"
description: "Telemetry - Enterprise control plane for Santa. Manage rules, approvals, telemetry, and policies across your macOS fleet."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/docs/workshop/telemetry"
---
# Telemetry

Workshop provides powerful telemetry capabilities for analyzing Santa security events. The telemetry system integrates with [Santa’s telemetry collection](https://northpole.dev/features/telemetry/) to store and enable querying of detailed endpoint activity data in cloud storage buckets.

## Querying Telemetry

### Table Naming Convention

Workshop uses dynamic table names:

Table Format

Description

Example

`<event>_YYYY`

All events of type for year

`execution_2025`

`<event>_YYYYMM`

Events for specific month

`execution_202501`

`<event>_YYYYMMDD`

Events for specific day

`execution_20250125`

`<event>_YYYY_<hostid>`

Host-specific events

`execution_2025_a1b2c3d4`

`<event>_YYYYMMDD_<hostid>`

Host & date specific

`execution_20250125_a1b2c3d4`

**Event Types**: `execution`, `fork`, `close`, `file_access`, etc. For complete details on event types and their data, see the [Schema](https://northpole.security/docs/workshop/telemetry/schema) page.

:::warning Host ID Format

When using host UUIDs with dashes in table names, replace dashes with underscores (e.g., `a1b2c3d4-e5f6-g7h8` becomes `a1b2c3d4_e5f6_g7h8`) to avoid SQL syntax errors.

:::

### SQL Examples

```
-- Count total execution events this year
SELECT COUNT(*) FROM execution_2025;

-- Recent execution events for a specific host
SELECT *
FROM execution_20250125_a1b2c3d4_e5f6_g7h8
LIMIT 10;

-- Execution events for a specific binary
SELECT *
FROM execution_20250125
WHERE Target.Executable.Hash.Hash = 'sha256-hash-here'
LIMIT 10;

-- Find processes with dangerous entitlements
SELECT EventTime, Hostname, Instigator.Executable.Path
FROM execution_20250125
WHERE list_contains(
  list_transform(EntitlementInfo.Entitlements, x -> x.Key),
  'com.apple.security.cs.allow-jit'
)
LIMIT 10;

-- Processes with specific environment variables
SELECT *
FROM execution_20250125
WHERE list_contains(
  list_transform(Envs, x -> starts_with(x, 'HOMEBREW_PREFIX=')),
  true
)
LIMIT 10;
```

## Filtering Telemetry on the Client

Hosts can run CEL expressions to drop or redact events before they are uploaded to your bucket. This is useful for reducing volume, excluding noisy event types, or scrubbing sensitive values like tokens out of events. See [Filter Expressions](https://northpole.security/docs/workshop/telemetry/filter-expressions) for details.

## Additional Resources

For detailed information about all event types and their complete schemas, see the [Schema](https://northpole.security/docs/workshop/telemetry/schema) page.

For more information about Santa’s telemetry capabilities, visit [Santa’s telemetry documentation](https://northpole.dev/features/telemetry/).

## Sitemap

- [Home](https://northpole.security/index.md)
- [Workshop](https://northpole.security/workshop.md)
- [Santa](https://northpole.security/santa.md)
- [Features](https://northpole.security/features.md)
- [Cookbook](https://northpole.security/cookbook.md)
- [Docs](https://northpole.security/docs.md)
- [Blog](https://northpole.security/blog.md)
- [Glossary](https://northpole.security/glossary.md)
- [About](https://northpole.security/about.md)
- [Contact](https://northpole.security/contact.md)