Common Rules
Single Signal Rule
Description
A Single Signal Rule has only one input signal.
Use cases
- Track the status of a critical signal.
- Create a record of a process or system status which can be used for analytics and tracking. For example, if a signal indicates when a system is active, a rule can be used to track system uptime. Or, if a signal indicates when a process completes, a rule can be used to count production cycles.
- Combine with other rules to create complex rules. For example, if a rule should only be active when a system is active, a single signal rule can be used as an on/off switch for another rule. Learn more about combining rules here.
Insights Rule
Description
A rule created with the outputs of Falkonry Insights automated Anomaly Detection.
Use cases
Falkonry Insights automatically learns the normal behavior of your signals and indicates when they are behaving in unexpected ways. Falkonry Insights outputs share a common scale, which means one rule can be made with many Insights signals. For example, a rule can use all of the signals associated with a single asset or process to automatically monitor and track when the asset's behavior reaches a given level of anomalousness.
How to configure
1. Create a new rule.
2. In the signal selection process, select Insights.
3. Select all the signals associated with the relevant asset or process.
4. Configure your rule. Depending on the criticality of the asset, the sensitivity of the process, and the bandwidth available for triaging issues, you may make the rule more or less sensitive. The following factors can be tuned to control the sensitivity of a rule:
   - Rule Statistic: the Mean rule statistic will be less sensitive than the Max rule statistic.
   - Rule Value: a higher rule value will result in a less sensitive rule. Insights signals are on a standard deviation scale, so a value of 3 is generally considered noteworthy.
   - Density: a higher density setting means that more of the evaluation must meet the rule value to generate a True assessment. Generally a higher density setting will make a rule less sensitive.
   - Coverage: a higher coverage setting means more of the signals must meet the rule value to generate a True assessment. Generally a higher coverage setting will make a rule less sensitive.
Best Practices
- We recommend using the Mean Rule Statistic to reduce the sensitivity of the rule to transitory spikes.
- When configuring an Insights Rule, we recommend reviewing the Insights Dashboard for the asset to identify any signals whose behavior has not been fully learned by Insights. Typically these signals will see significant periods of anomalous behavior. We recommend excluding these signals from the Rule until Insights has enough data to fully learn the signal behavior.
- Once you have configured a rule, we recommend monitoring how often the rule is generating True assessments for several days and revising the settings to ensure the rule is generating True assessments and alerts at a rate that matches the criticality of the asset.
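
The sketch below is an added example, not Falkonry code. It uses a simplified evaluation model assumed for illustration (a sliding-window statistic per signal, then density, then coverage) to show how the four tuning factors and the Mean-statistic recommendation above change whether a rule assesses True. The signal names, scores and the `stat_window` parameter are constructed.

```python
from statistics import mean

# Constructed Insights scores (standard-deviation scale); names are hypothetical.
SAMPLE = {
    "pump_vibration": [0.2, 0.4, 0.3, 5.0, 0.5, 0.3, 0.2, 0.4],  # transitory spike
    "pump_current":   [0.5, 3.2, 3.6, 3.4, 3.8, 3.5, 3.3, 3.1],  # sustained anomaly
    "pump_temp":      [0.1, 0.3, 0.2, 0.4, 0.2, 0.1, 0.3, 0.2],  # normal
}

def hit_fraction(scores, statistic, value, stat_window=3):
    """Fraction of sliding windows whose mean or max reaches the rule value."""
    stat = {"mean": mean, "max": max}[statistic]
    windows = [scores[i:i + stat_window]
               for i in range(len(scores) - stat_window + 1)]
    return sum(stat(w) >= value for w in windows) / len(windows)

def rule_is_true(signals, statistic="mean", value=3.0, density=0.5, coverage=0.5):
    """Assumed model: a signal counts when its hit fraction reaches `density`;
    the rule assesses True when the share of counting signals reaches `coverage`."""
    counting = sum(hit_fraction(s, statistic, value) >= density
                   for s in signals.values())
    return counting / len(signals) >= coverage

if __name__ == "__main__":
    spike_only = {"pump_vibration": SAMPLE["pump_vibration"]}
    for label, signals, kwargs in [
        ("spike, max", spike_only, dict(statistic="max", coverage=1.0)),
        ("spike, mean", spike_only, dict(statistic="mean", coverage=1.0)),
        ("asset, max, density 0.5", SAMPLE, dict(statistic="max", density=0.5)),
        ("asset, max, density 0.6", SAMPLE, dict(statistic="max", density=0.6)),
        ("asset, mean, coverage 0.3", SAMPLE, dict(statistic="mean", coverage=0.3)),
        ("asset, mean, coverage 0.5", SAMPLE, dict(statistic="mean", coverage=0.5)),
        ("asset, mean, value 4", SAMPLE, dict(statistic="mean", value=4.0, coverage=0.3)),
    ]:
        print(f"{label:28} -> {rule_is_true(signals, **kwargs)}")
```

Under this model the single spike trips the Max statistic but not the Mean, while the sustained anomaly is still caught by the Mean until the rule value, density or coverage is raised past what the data supports.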