
Rules

Types of Rules Supported

Falkonry Rules support both simple rules, such as Raw Threshold, Insights, and Patterns rules, and compound (also known as nested or chained) rules, which combine multiple conditions using logical operators. This enables flexible and powerful event detection across diverse signal behaviors.

Single Signal Rule

A Single Signal Rule in Falkonry TSI monitors just one input signal and triggers an alert when it meets defined conditions, such as crossing a threshold or showing anomalous behavior.

Multiple Signal Rule

In Falkonry TSI, a Multiple Signal Rule evaluates several signals simultaneously to trigger an alert. Unlike simple rules that monitor a single signal, this rule checks whether any, all, or specific combinations of signals meet defined criteria. It’s well-suited for detecting system-level issues or component interactions and supports persistence settings to manage alert frequency effectively.

Compound Rule

A Compound Rule, also known as a nested rule (or Rule Chaining), is an advanced rule type in Falkonry TSI that combines the outputs of existing rules to form more sophisticated logic.

Key Aspects of Compound Rules:

Function: Used to create complex, higher-level conditions or define conditional alerts, enabling advanced event detection through logical relationships.

Mechanism: A compound rule takes as input the output signals generated by other rules. Each existing rule produces a signal (typically with the suffix /rule) that carries a categorical True/False/gap value, which can then be referenced in the compound logic. A gap is detected when there isn't enough data in the input signals for the given window size.

Logic: Supports logical operators such as AND, OR, and NOT to define composite conditions.

Benefits: Simplifies complex logic by breaking it into smaller, reusable rules; improves maintainability; and reduces redundancy.

Example: You might define a compound rule to trigger an alert for “High Temperature” only when the equipment is in the “Production” state. In this case, the “Production” state comes from a separate rule, and the compound rule combines both conditions to produce a more context-aware alert.
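
The compound-rule mechanism described above, as an added Python sketch (not Falkonry code or its API): two rule-output signals carrying True/False/gap are combined with AND for the "High Temperature" during "Production" example. This page does not state how a gap propagates through AND, OR, and NOT; the sketch assumes three-valued (Kleene) logic, and the window semantics, function names, and sample data are constructed for illustration.

```python
from typing import Callable, List, Optional, Sequence

GAP = None            # assumed stand-in for the categorical "gap" value
Tri = Optional[bool]  # True, False, or GAP

def window_rule(samples: Sequence, cond: Callable[[object], bool],
                window: int, min_points: int) -> List[Tri]:
    """Emit one True/False/gap value per step, like a rule's output signal.

    Assumption: the rule holds when every present sample in the window meets
    the condition; fewer than min_points present samples yields a gap.
    """
    out: List[Tri] = []
    for i in range(len(samples)):
        present = [v for v in samples[max(0, i - window + 1): i + 1] if v is not None]
        out.append(GAP if len(present) < min_points else all(cond(v) for v in present))
    return out

def and3(a: Tri, b: Tri) -> Tri:
    # A definite False decides AND even if the other input is a gap.
    if a is False or b is False:
        return False
    return GAP if a is GAP or b is GAP else True

def or3(a: Tri, b: Tri) -> Tri:
    # A definite True decides OR even if the other input is a gap.
    if a is True or b is True:
        return True
    return GAP if a is GAP or b is GAP else False

def not3(a: Tri) -> Tri:
    return GAP if a is GAP else not a

# Constructed sample data: None marks a missing reading.
TEMPERATURE = [70, 72, 95, 97, None, None, 96, 98]
STATE = ["Idle", "Production", "Production", "Production",
         "Production", "Production", "Idle", "Idle"]

def high_temp_in_production() -> List[Tri]:
    """Compound rule: "High Temperature" AND "Production"."""
    high_temp = window_rule(TEMPERATURE, lambda v: v > 90, window=2, min_points=2)
    production = window_rule(STATE, lambda s: s == "Production", window=2, min_points=2)
    return [and3(h, p) for h, p in zip(high_temp, production)]

if __name__ == "__main__":
    for step, value in enumerate(high_temp_in_production()):
        print(step, "gap" if value is GAP else value)
```

Under these assumptions the last step reads False even though the temperature rule is True there, because the "Production" rule is False, while steps with missing temperature data stay a gap only as long as "Production" is True.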

Use cases

  1. Track the status of a critical signal
  2. Create a record of a process or system status that can be used for analytics and tracking. For example, if a signal indicates when a system is active, a rule can be used to track system uptime. Or, if a signal indicates when a process completes, a rule can be used to count production cycles.
  3. Combine with other rules to create compound rules. For example, if a rule should only be active when a system is active, a single signal rule can be used as an on/off switch for another rule. Learn more about combining rules here.
  4. Falkonry Insights automatically learns the normal behavior of your signals and indicates when they are behaving in unexpected ways. Falkonry Insights outputs share a common scale, which means one rule can be made with many Insight signals. For example, a rule can use all of the signals associated with a single asset or process to automatically monitor and track when the asset's behavior reaches a given level of anomalousness.

Refer to Rules & Alerts Best practices.