Utilize the full power of Clickhouse to inspect and alert on your data. Wirespeed utilizes OCSF to ingest events. We support the full OCSF schema, but are only utilizing a subset of fields at the moment. If you do not see a table or field below that you need, please contact support.

Familiarize yourself with the OCSF schema before writing queries.

Quick Start

To run an advanced query, navigate to the Events page and select the icon in the top right.

Schema

The events table is the largest and most verbose table in our SIEM. Large or unbounded queries to this table will likely time out or hit resource limits. Always include a time filter when querying this or any other table.

We stringify a majority of the JSON object fields in the OCSF schema to optimize for storage and query performance. You will see this with fields like src_endpoint, which is stored as a JSON string rather than as nested columns. To query these fields, use Clickhouse's JSON functions, for example JSONExtractString(src_endpoint, 'ip'), to extract the individual keys. Refer to the OCSF schema docs to see which keys are available on each object.

Tables

  • events - All OCSF events
  • authentication_events - All events with a class name of “Authentication”

The class-specific tables above are filtered to contain only the declared event class. When querying for authentication events, use the authentication_events table: it consumes your limits much more slowly, since Clickhouse does not have to filter through all of your global events. All columns present in the events table are also present in the respective class event tables.

Null values

Storing null values in Clickhouse can be considered an anti-pattern. Instead, identifiable default values are used. For strings this would be the empty string "". For Int64 columns this would be -12341234.

Timestamps

All timestamps are stored and presented in UTC.

Resource limits

  • 2000 rows per query (100 for custom detections)
  • 4GB of memory per query
  • 60s of execution time per query
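The following query is an added example (not from Wirespeed's documentation) that ties together the points above: it uses the narrower authentication_events table, bounds the time range, extracts keys from the stringified src_endpoint and user objects with JSONExtractString, skips the empty-string defaults used in place of nulls, and keeps the result under the custom-detection row limit. It assumes the table exposes the OCSF `time` column as a Clickhouse DateTime and `status_id` as an Int64 (OCSF status_id 2 = Failure); adjust column names to match your schema.

```sql
-- Added example: failed authentications per source IP and account in the last 24 hours.
-- Assumptions: `time` is a DateTime column, `status_id` is Int64 (2 = Failure),
-- and `src_endpoint` / `user` are stringified OCSF JSON objects.
SELECT
    JSONExtractString(src_endpoint, 'ip') AS src_ip,     -- key inside the stringified object
    JSONExtractString(user, 'name')       AS user_name,
    count()                               AS failures,
    min(time)                             AS first_seen,  -- all timestamps are UTC
    max(time)                             AS last_seen
FROM authentication_events                               -- narrower than `events`, cheaper to scan
WHERE time >= now() - INTERVAL 24 HOUR                   -- always bound the time range
  AND status_id = 2                                      -- OCSF: 2 = Failure
  AND src_ip != ''                                       -- '' is the stored default, not NULL
  AND user_name != ''
GROUP BY src_ip, user_name
HAVING failures >= 10                                    -- tune threshold for your environment
ORDER BY failures DESC
LIMIT 100;                                               -- within the 100-row custom-detection cap
```

Clickhouse lets the WHERE and HAVING clauses reference the SELECT aliases (src_ip, user_name, failures) directly, so the JSON extraction is written once; for Int64 columns, filter out the -12341234 default the same way the empty string is excluded here.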