Use cases

Edge and security analytics (WAF)

Search web application firewall (WAF), CDN, audit, and cloud activity logs while preserving the original event detail.

Use RawTree for security analytics when edge logs, web application firewall (WAF) events, audit records, or cloud activity need to be searchable immediately and kept in their original shape. Land the raw events first, then use SQL to investigate traffic, rules, actors, paths, and time windows.

This works well for security and infrastructure teams that need fast exploratory queries without deciding every detection, dashboard, or schema before data starts flowing.

Where it fits

Security streams often arrive with rich, vendor-specific fields. RawTree is useful when you want to keep those details queryable:

  • WAF decisions, terminating rules, matched rule groups, and blocked requests.
  • CDN and edge logs for status codes, countries, paths, cache behavior, and latency.
  • Audit logs for account, API, key, and permission changes.
  • Cloud activity logs that need to be filtered by actor, resource, or region.

Use separate RawTree tables for distinct signal families, then query across the same time window when you need a fuller picture.

Questions to ask

Start with concrete investigations:

  • Which IPs, countries, or user agents are producing blocked traffic?
  • Which WAF rules are terminating requests, and did that change after a release?
  • Are 4xx or 5xx spikes concentrated on specific paths or edge locations?
  • Which audit events happened before a suspicious request pattern started?

RawTree keeps the original event available through __raw_data, so you can inspect fields that were not part of the first query.

Start with

  1. Send one high-value stream, such as WAF or CDN logs, to a dedicated table.
  2. Query counts by action, status code, rule, IP, country, or path.
  3. Add related streams, such as audit or application events, when correlation is useful.
  4. Promote recurring SQL into dashboards, scripts, or agent workflows.
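The investigation those steps describe, written out as an added example that is not RawTree's own code or documentation. It assumes PostgreSQL-style SQL, a waf_events table (columns ts, action, terminating_rule, client_ip, country, user_agent, status_code, path, edge_location) and an audit_events table (ts, actor, event_type); all of those names are assumed, and only the __raw_data column comes from this page.

```sql
-- Added example (not from the RawTree docs). Assumed: PostgreSQL-style SQL and
-- the column names below; waf_events and audit_events are assumed table names.
-- Only __raw_data is a column the page itself names.

-- Step 2a: which sources are producing blocked traffic in the last 24 hours?
SELECT client_ip, country, user_agent, COUNT(*) AS blocked
FROM waf_events
WHERE action = 'BLOCK'
  AND ts >= NOW() - INTERVAL '24 hours'
GROUP BY client_ip, country, user_agent
ORDER BY blocked DESC
LIMIT 20;

-- Step 2b: did the terminating-rule mix change after a release? (cut-over time is a constructed placeholder)
SELECT terminating_rule,
       CASE WHEN ts < TIMESTAMP '2024-05-01 12:00:00' THEN 'before' ELSE 'after' END AS phase,
       COUNT(*) AS hits
FROM waf_events
WHERE action = 'BLOCK'
  AND ts >= TIMESTAMP '2024-05-01 00:00:00'
  AND ts <  TIMESTAMP '2024-05-02 00:00:00'
GROUP BY terminating_rule, phase
ORDER BY terminating_rule, phase;

-- Step 2c: are 4xx/5xx responses concentrated on a few paths or edge locations?
SELECT path, edge_location, COUNT(*) AS errors
FROM waf_events
WHERE status_code >= 400
  AND ts >= NOW() - INTERVAL '1 hour'
GROUP BY path, edge_location
HAVING COUNT(*) > 50
ORDER BY errors DESC;

-- Step 3: correlate with audit events in the hour before the first block
-- from one source (203.0.113.7 is a constructed RFC 5737 documentation address).
WITH first_block AS (
  SELECT MIN(ts) AS t0 FROM waf_events
  WHERE action = 'BLOCK' AND client_ip = '203.0.113.7'
)
SELECT a.ts, a.actor, a.event_type
FROM audit_events a, first_block f
WHERE a.ts BETWEEN f.t0 - INTERVAL '1 hour' AND f.t0
ORDER BY a.ts;

-- Pull the untouched original events behind those hits for fields the
-- earlier queries did not project.
SELECT ts, __raw_data
FROM waf_events
WHERE action = 'BLOCK' AND client_ip = '203.0.113.7'
LIMIT 5;
```

Each query maps to one of the questions above; once a query is run repeatedly, it is the candidate for step 4 (a dashboard, script, or agent workflow).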

Examples