Rules
Types of Rules Supported
Falkonry Rules support both simple rules such as Raw Threshold, Insights, and Patterns rules, and compound (aka nested or chained) rules, which combine multiple conditions using logical operators. This enables flexible and powerful event detection across diverse signal behaviors.
Single Signal Rule
A Single Signal Rule in Falkonry TSI monitors just one input signal and triggers an alert when it meets defined conditions, such as crossing a threshold or showing anomalous behavior.
Multiple Signal Rule
In Falkonry TSI, a Multiple Signal Rule evaluates several signals simultaneously to trigger an alert. Unlike simple rules that monitor a single signal, this rule checks whether any, all, or specific combinations of signals meet defined criteria. It’s well-suited for detecting system-level issues or component interactions and supports persistence settings to manage alert frequency effectively.
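The any/all combination and the effect of persistence on alert frequency, as an added Python sketch (not Falkonry code and not the Falkonry API). The function name `evaluate_rule`, the signal names, the thresholds, and the reading of persistence as "the condition must hold for N consecutive samples" are all assumptions made for illustration.

```python
from typing import Dict, List

# Constructed sample data: two signals sampled at the same instants.
SIGNALS: Dict[str, List[float]] = {
    "temperature": [70, 82, 71, 83, 84, 85, 72, 86, 87, 88],
    "vibration": [1.0, 1.1, 1.0, 2.6, 2.7, 2.8, 1.0, 1.2, 2.9, 3.0],
}
# Hypothetical per-signal thresholds (alert condition: value > threshold).
THRESHOLDS: Dict[str, float] = {"temperature": 80.0, "vibration": 2.5}


def evaluate_rule(signals: Dict[str, List[float]],
                  thresholds: Dict[str, float],
                  mode: str = "any",
                  persistence: int = 1) -> List[int]:
    """Return the sample indices at which an alert is raised.

    mode        -- "any": one signal over its threshold is enough;
                   "all": every signal must be over its threshold.
    persistence -- assumed semantics: the combined condition must hold
                   for this many consecutive samples before alerting.
    """
    if mode not in ("any", "all"):
        raise ValueError("mode must be 'any' or 'all'")
    if persistence < 1:
        raise ValueError("persistence must be >= 1")
    combine = any if mode == "any" else all
    length = min(len(values) for values in signals.values())

    alerts: List[int] = []
    run = 0  # consecutive samples for which the condition has held
    for i in range(length):
        hit = combine(signals[name][i] > thresholds[name] for name in signals)
        run = run + 1 if hit else 0
        # Alert once when the run reaches the persistence window; no new
        # alert is raised until the condition clears and builds up again.
        if run == persistence:
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    for mode in ("any", "all"):
        for persistence in (1, 3):
            print(mode, persistence,
                  evaluate_rule(SIGNALS, THRESHOLDS, mode, persistence))
```

With the constructed data, the single-sample temperature spike at index 1 raises an alert when persistence is 1 but is suppressed when persistence is 3.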
Use cases
- Track the status of a critical signal
- Create a record of a process or system status which can be used for analytics and tracking. For example, if a signal indicates when a system is active, a rule can be used to track system uptime. Or, if a signal indicates when a process completes, a rule can be used to count production cycles.
- Combine with other rules to create complex rules. For example, if a rule should only be active when a system is active, a single signal rule can be used as an on/off switch for another rule. Learn more about combining rules here.
- Falkonry Insights automatically learns the normal behavior of your signals and indicates when they are behaving in unexpected ways. Falkonry Insights outputs share a common scale, which means one rule can be made with many Insight signals. For example, a rule can use all of the signals associated with a single asset or process to automatically monitor and track when the asset's behavior reaches a given level of anomalousness.
Refer to Rules & Alerts Best practices.