Structured Security Analytics: Tenzir Pipelines + ClickHouse Power

Mar 19, 2025

In the past, building a scalable security data lake on top of ClickHouse was a daunting task. Raw security telemetry is messy, inconsistent, and ill-suited for direct ingestion into analytical databases. With our new ClickHouse integration, Tenzir removes this friction entirely—normalizing, enriching, and transforming security data streams on the fly, so you can land clean, structured telemetry directly into ClickHouse tables. This unlocks the full power of ClickHouse for security analytics, without the usual pain of managing schemas or wrangling formats.

The Challenge: Raw Security Telemetry ≠ Analytics-Ready Data

Security data rarely arrives clean. Logs and events from firewalls, EDRs, proxies, cloud platforms, and SaaS providers each have their own formats and schemas. Dumping this raw, heterogeneous data straight into an analytical database like ClickHouse leads to schema sprawl, bloated tables, and unmanageable queries.

That is where Tenzir shines.

The Solution: Tenzir + OCSF Normalization → ClickHouse Powerhouse

Tenzir’s pipeline engine excels at transforming messy telemetry streams into structured, standardized formats—specifically, the Open Cybersecurity Schema Framework (OCSF). OCSF provides a vendor-neutral, extensible schema designed for security use cases, bringing consistency to your data.

With our new to_clickhouse operator, you can now send this clean, normalized data straight into ClickHouse, unlocking fast, scalable analytics without the usual data wrangling headaches.

Here is how easy it is:

from { i: 42, d: 10.0, b: true, l: [42], r:{ s:"string" } }
to_clickhouse table="example", primary=i

Of course, in real-world pipelines, a lot more data transformation would happen between from and to_clickhouse. This example just illustrates how easy it is to send data to ClickHouse.
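To show what that in-between transformation looks like, here is an added example (not from the post or the Tenzir documentation) that maps a constructed raw firewall event onto OCSF Network Activity fields before landing it in ClickHouse. The record literal in from and the to_clickhouse table=/primary= options are as shown above; the assignment, if/else and drop steps are assumed TQL2 syntax, and the table name is a placeholder.

```tql
// Constructed stand-in for one parsed firewall log line (not real data).
from {
  ts: 2025-03-19T10:15:00Z,
  src: 10.0.0.5,
  dst: 203.0.113.7,
  dport: 443,
  proto: "tcp",
  fw_action: "allow"
}
// OCSF Network Activity: class_uid 4001, category_uid 4, activity_id 6
// (Traffic); type_uid = class_uid * 100 + activity_id.
class_uid = 4001
category_uid = 4
activity_id = 6
type_uid = 400106
time = ts
// Vendor verdict mapped to the OCSF action_id enum (1 = Allowed, 2 = Denied).
if fw_action == "allow" {
  action_id = 1
} else {
  action_id = 2
}
// Endpoint and connection objects as OCSF expects them.
src_endpoint = { ip: src }
dst_endpoint = { ip: dst, port: dport }
connection_info = { protocol_name: proto }
// Drop the raw vendor fields so only normalized columns reach the table.
drop ts, src, dst, dport, proto, fw_action
// Placeholder table name; every event lands with the same OCSF column set.
to_clickhouse table="ocsf_network_activity", primary=time
```

Because every source is mapped to the same OCSF class before to_clickhouse, detections written against ocsf_network_activity work regardless of which firewall vendor produced the row.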

Why This Matters for Security Teams

  • Analytics-Ready by Default: By enforcing OCSF normalization before storage, your ClickHouse tables are always consistent and queryable out-of-the-box.

  • Columnar Efficiency at Scale: The integration uses ClickHouse’s native C++ client to insert columnar data in blocks—maximizing throughput and minimizing overhead.

  • Platform Consolidation: Already using ClickHouse for observability or business analytics? Now you can bring your security data into the same performant stack—without compromising structure.

Technical Highlights

  • Comprehensive Type Support: Tenzir supports all of ClickHouse’s compatible data types, including nested structures and lists.

  • Flexible Table Management: You can create new tables dynamically or append to existing ones.

  • TLS Secured by Default: All connections, including to ClickHouse, are secured by default with TLS, ensuring safe data transfer.

Strategic Outcomes: Open Security Analytics

This integration reflects a broader shift toward open, composable security architectures. With Tenzir handling normalization and enrichment, and ClickHouse providing cost-efficient, high-performance analytics, teams can unify their telemetry pipelines without being locked into proprietary ecosystems.

By delivering OCSF-normalized, enriched telemetry directly to ClickHouse, Tenzir empowers you to:

  • Accelerate detection engineering and threat hunting.

  • Simplify compliance and reporting through structured schemas.

  • Eliminate schema drift and data munging in your analytical queries.

Ready to Simplify Your Security Analytics?

Get started with Tenzir today and build efficient, structured, and scalable security data pipelines backed by ClickHouse.