---
title: "Telemetry & EDR | Workshop"
description: "Workshop streams every execution and file access from every Mac in your fleet. Query in-app, ship to your SIEM, or keep it in your own cloud storage."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/features/telemetry"
---

# Every execution, every file access, every block

Workshop streams a full record of what's happening on every Mac in your fleet. Query it in the UI, ship it to your SIEM, or keep it forever in your own cloud storage.

[Book a demo](https://northpole.typeform.com/to/SG9jCi0v) [View documentation](https://northpole.security/docs/workshop)

![Workshop telemetry query console](https://northpole.security/_astro/hero.BzLtM9QQ_Z1SISY7.png)


## Prevention first, with full visibility

Workshop's philosophy is to stop threats before they run. That only works if you can see what's running, what's blocked, and what your policy is about to let through. Santa emits a rich event for every execution and file access attempt, and Workshop collects, routes, and queries those events so your SOC has the same evidence a traditional EDR would surface, without waiting for damage to happen first.

### Traditional EDR

The binary runs. The agent logs what it did. An analyst reviews the trail and decides whether to respond. Visibility is complete but always after the fact.

-   Malware runs at least once before detection
-   Remediation is a race against lateral movement
-   Telemetry volume explodes because every process runs

### Workshop

Santa blocks unknown binaries at execution. Every allowed, blocked, and unknown attempt is still streamed to Workshop. Prevention does not cost visibility.

-   No execution, no damage
-   Full audit trail for every attempt, blocked or not
-   Telemetry stays focused on signal, not noise


## What gets collected

Santa records what happens at the Endpoint Security layer, and Workshop normalizes it into an event stream you can query with SQL.

### Execution events

Every binary execution attempt, including the ones Santa blocks before the process ever spawns. Each event carries the SHA-256, CDHash, bundle hash, signing identity, Team ID, certificate chain, Risk Engine verdict, PID, PPID, executing user, and command-line arguments.

### File access events

When File Access Authorization is configured, every read, write, and denied attempt is logged alongside executions. Each event carries the target path, access type, decision, the accessing process's identity and signing info, and the rule that matched.

### Process context

Enough detail to reconstruct what was happening on the host without guessing: process hierarchy (PID, PPID), user context, host identifier, wall-clock and monotonic timestamps, and command-line arguments.
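As an added illustration of what the PID/PPID context makes possible, here is a small Python example (not Workshop's or Santa's own code) that indexes execution events by host and PID and walks the parent chain for every blocked execution. The field names (`ts`, `host`, `pid`, `ppid`, `user`, `path`, `decision`) and the sample events are constructed for this example and are not the real Workshop schema:

```python
"""Reconstruct process ancestry for blocked executions from an event stream.

Added example, not code from Workshop or Santa. The ExecEvent fields are an
assumption modelled on the process-context fields described on this page, and
SAMPLE_EVENTS is a constructed stream for a single host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExecEvent:
    ts: int          # constructed monotonic timestamp, seconds
    host: str
    pid: int
    ppid: int
    user: str
    path: str
    decision: str    # "ALLOW" or "BLOCK" (constructed values)


# Constructed sample stream: a terminal session that ends in a blocked launch.
SAMPLE_EVENTS: List[ExecEvent] = [
    ExecEvent(100, "mac-01", 501, 1, "alice",
              "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "ALLOW"),
    ExecEvent(101, "mac-01", 612, 501, "alice", "/bin/zsh", "ALLOW"),
    ExecEvent(102, "mac-01", 700, 612, "alice", "/usr/bin/curl", "ALLOW"),
    ExecEvent(103, "mac-01", 701, 612, "alice", "/Users/alice/Downloads/installer", "BLOCK"),
]

ProcessIndex = Dict[Tuple[str, int], ExecEvent]


def build_process_index(events: List[ExecEvent]) -> ProcessIndex:
    """Index events by (host, pid), keeping the most recent exec per pid.

    A pid can be reused or exec() more than once; the latest record is a
    reasonable approximation for a quick triage view.
    """
    index: ProcessIndex = {}
    for ev in sorted(events, key=lambda e: e.ts):
        index[(ev.host, ev.pid)] = ev
    return index


def ancestry(index: ProcessIndex, host: str, pid: int, max_depth: int = 32) -> List[str]:
    """Return executable paths from the given pid up to the root, child first.

    Stops at a pid with no recorded event (e.g. launchd, pid 1) or after
    max_depth hops; the `seen` set guards against ppid cycles caused by pid reuse.
    """
    chain: List[str] = []
    seen = set()
    current: Optional[ExecEvent] = index.get((host, pid))
    while current is not None and len(chain) < max_depth and current.pid not in seen:
        chain.append(current.path)
        seen.add(current.pid)
        current = index.get((host, current.ppid))
    return chain


def blocked_with_context(events: List[ExecEvent]) -> Dict[Tuple[str, int], List[str]]:
    """Map each blocked execution to its reconstructed ancestry chain."""
    index = build_process_index(events)
    return {
        (ev.host, ev.pid): ancestry(index, ev.host, ev.pid)
        for ev in events
        if ev.decision == "BLOCK"
    }


if __name__ == "__main__":
    for (host, pid), chain in blocked_with_context(SAMPLE_EVENTS).items():
        print(f"{host} pid {pid}: " + " <- ".join(chain))
```

The chain for the blocked `installer` resolves to `installer <- zsh <- Terminal`, which is the context an analyst wants before deciding whether the block was a user mistake or something worth a closer look.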


## Where the data goes

Workshop runs its own query engine on top of event data, and also ships the data wherever your security team already works. You pick the destination, Workshop handles the pipeline.

### Your cloud storage

Events are streamed to your own S3 or GCS bucket as Parquet. You own the bucket, you own the retention, and you pay your own storage costs. Files are organized by event type and date, and access is governed by your own IAM.

### Workshop's query console

A SQL console built directly into Workshop. No ETL step, no separate warehouse. Ask questions about the last hour or the last year from the same UI, with pre-built queries for common hunts.

### Your SIEM

Events in your own bucket are already compatible with Splunk, Elastic, Chronicle, Panther, and every other SIEM that can read object storage. Standard Parquet, no custom connector, full field fidelity preserved.


## Query the stream directly

Workshop ships a built-in SQL console so you can hunt without leaving the UI. Pre-built queries cover the common patterns, and the full schema is open for anything bespoke.

```sql
SELECT host, count(*) AS blocks
FROM execution_events_202605
WHERE decision = 'BLOCK'
  AND ts >= now() - interval '7 days'
GROUP BY host
ORDER BY blocks DESC
LIMIT 10;
```


## Control what you collect

Telemetry collection is a per-tag setting in Workshop, so contractor laptops can behave differently from production build hosts. The most specific tag wins, and the tag's settings push out immediately.

### Per-tag collection

Telemetry collection is one of Workshop's atomic per-tag settings. Leave it off for sensitive populations, turn it on everywhere else, or set different collection levels for different host groups.

### Choose which events to record

Santa records many Endpoint Security event types. Configure the telemetry list per host group to record only the ones you want: executions, forks, closes, file access, removable media, network mounts, and more. Unwanted event types never leave the endpoint.


## Alert on what matters

Alerts live next to the telemetry that triggered them. Pick a condition, pick a destination, and Workshop pages the right channel when it fires.

### Condition-based alerts

Fire on blocked executions, Risk Engine denials, file-access violations, or any SQL predicate you can express against the event stream. Threshold and anomaly modes, scoped per tag, per host, or fleet-wide, with cooldown windows to avoid flapping.
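To make the threshold, scope and cooldown semantics concrete, here is an added Python example of a sliding-window threshold rule with per-scope cooldown, evaluated over a constructed event stream. It is illustrative code, not Workshop's alerting engine; the rule shape, the event fields (`ts`, `host`, `tag`, `decision`) and the sample events are all assumptions:

```python
"""Sliding-window threshold alert with per-scope cooldown.

Added example, not Workshop's alerting implementation. The ThresholdRule shape
and the event dict fields are assumptions; SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass
class ThresholdRule:
    name: str
    predicate: Callable[[dict], bool]   # which events count toward the threshold
    threshold: int                      # fire when at least this many matches...
    window: int                         # ...occur within `window` seconds per scope
    cooldown: int                       # suppress re-firing per scope for this long
    scope: str = "host"                 # "host", "tag" or "fleet"


class AlertEvaluator:
    """Feed events in timestamp order; returns an alert dict when the rule fires."""

    def __init__(self, rule: ThresholdRule) -> None:
        self.rule = rule
        self._matches: Dict[str, Deque[int]] = defaultdict(deque)  # scope -> match timestamps
        self._last_fired: Dict[str, int] = {}                       # scope -> ts of last alert

    def _scope_key(self, ev: dict) -> str:
        if self.rule.scope == "host":
            return ev["host"]
        if self.rule.scope == "tag":
            return ev["tag"]
        return "fleet"

    def feed(self, ev: dict) -> Optional[dict]:
        if not self.rule.predicate(ev):
            return None
        key = self._scope_key(ev)
        q = self._matches[key]
        q.append(ev["ts"])
        # Evict matches that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > self.rule.window:
            q.popleft()
        if len(q) < self.rule.threshold:
            return None
        last = self._last_fired.get(key)
        if last is not None and ev["ts"] - last < self.rule.cooldown:
            return None  # still cooling down: no flapping
        self._last_fired[key] = ev["ts"]
        return {"rule": self.rule.name, "scope": key, "count": len(q), "trigger_ts": ev["ts"]}


def run(rule: ThresholdRule, events: List[dict]) -> List[dict]:
    """Evaluate a rule over a batch of events and return the alerts it raised."""
    evaluator = AlertEvaluator(rule)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alert = evaluator.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: a burst of blocks on mac-01, a trickle on mac-02.
SAMPLE_EVENTS: List[dict] = [
    {"ts": 0,   "host": "mac-01", "tag": "engineering", "decision": "BLOCK"},
    {"ts": 5,   "host": "mac-02", "tag": "contractors", "decision": "BLOCK"},
    {"ts": 10,  "host": "mac-01", "tag": "engineering", "decision": "BLOCK"},
    {"ts": 15,  "host": "mac-02", "tag": "contractors", "decision": "BLOCK"},
    {"ts": 20,  "host": "mac-01", "tag": "engineering", "decision": "BLOCK"},
    {"ts": 25,  "host": "mac-01", "tag": "engineering", "decision": "BLOCK"},
    {"ts": 30,  "host": "mac-01", "tag": "engineering", "decision": "ALLOW"},
    {"ts": 100, "host": "mac-02", "tag": "contractors", "decision": "BLOCK"},
    {"ts": 400, "host": "mac-01", "tag": "engineering", "decision": "BLOCK"},
]

# Three or more blocks on one host inside 60 s, then stay quiet for 5 minutes.
BLOCKED_BURST = ThresholdRule(
    name="blocked-burst-per-host",
    predicate=lambda e: e["decision"] == "BLOCK",
    threshold=3, window=60, cooldown=300, scope="host",
)

if __name__ == "__main__":
    for alert in run(BLOCKED_BURST, SAMPLE_EVENTS):
        print(alert)
```

With these samples the per-host rule fires once, for mac-01 at ts 20; the fourth block at ts 25 is absorbed by the cooldown rather than paging a second time, and the lone block at ts 400 sits in an empty window. The same rule with `scope="fleet"` fires earlier, at ts 10, because blocks across both hosts are counted together.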

### Routed to your channels

Alerts land in Slack, email, PagerDuty, or a webhook of your choice. Multiple destinations per rule, so SOC and on-call get the version they need.

### Tied to audit

Every alert is linked back to the event that triggered it and the rule that fired. Post-incident review is one click, not a grep through three tools.

## Telemetry is part of Workshop

Pair it with Santa's enforcement, approval workflows, and AI Chat to cover the full software lifecycle.

[Book a demo](https://northpole.typeform.com/to/SG9jCi0v)

- [AI Chat](https://northpole.security/features/ai-chat): Investigate the event stream in plain English.
- [Approval workflows](https://northpole.security/features/approval-workflows): Resolve blocked executions in minutes, not days.
- [Santa](https://northpole.security/santa): The open source agent that emits every event.

