
Types of Rules Supported

Falkonry Rules support both simple rules, such as Raw Threshold, Insights, and Patterns rules, and compound (also known as nested or chained) rules, which combine multiple conditions using logical operators. This enables flexible and powerful event detection across diverse signal behaviors.

Single Signal Rule

A Single Signal Rule (SSR) in Falkonry TSI monitors just one input signal and triggers an alert when it meets defined conditions.

Multiple Signal Rule

A Multiple Signal Rule (MSR) evaluates several signals simultaneously to trigger an alert. Unlike an SSR, which monitors a single signal, this rule checks whether any, all, or specific combinations of signals meet the defined criteria. It’s well-suited for detecting system-level issues or component interactions and supports persistence settings to manage alert frequency effectively.

Compound Rule

A Compound Rule, also known as a nested rule (or Rule Chaining), is an advanced rule type in Falkonry TSI that combines the outputs of existing rules to form more sophisticated logic.

Key Aspects of Compound Rules

Function: Used to create complex, higher-level conditions or define conditional alerts, enabling advanced event detection through logical relationships.

Mechanism: A compound rule takes as input the output signals generated by other rules. Each existing rule produces a signal (typically with the suffix /rule) that carries a categorical True/False/gap value, which can then be referenced in the compound logic. A gap is detected when there isn't enough data in the input signals for the given window size.

Logic: Supports logical operators such as AND, OR, and NOT to define composite conditions.

Benefits: Simplifies complex logic by breaking it into smaller, reusable rules; improves maintainability; and reduces redundancy.

Example: You might define a compound rule to trigger an alert for “High Temperature” only when the equipment is in the “Production” state. In this case, the “Production” state comes from a separate rule, and the compound rule combines both conditions to produce a more context-aware alert.
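The "High Temperature only in Production" case above, as an added Python sketch that is not Falkonry code. The signal names and sample values are constructed, and the way a gap combines with True/False (Kleene three-valued logic) is an assumption, since this page does not state how Falkonry TSI propagates gaps through AND, OR, and NOT.

```python
# Added illustration; not Falkonry code. Rule outputs are modeled as
# True / False / None, where None stands for a "gap" (not enough data).
# ASSUMPTION: gaps combine by Kleene three-valued logic; the page does not
# state how Falkonry TSI propagates gaps through AND, OR and NOT.
from functools import reduce

def k_not(a):
    return None if a is None else (not a)

def k_and(a, b):
    if a is False or b is False:
        return False          # one definite False decides the result
    if a is None or b is None:
        return None           # otherwise any gap leaves it undecided
    return True

def k_or(a, b):
    if a is True or b is True:
        return True           # one definite True decides the result
    if a is None or b is None:
        return None
    return False

def evaluate(expr, outputs):
    """expr: a rule-output name, or ("NOT", e) / ("AND", e1, ...) / ("OR", e1, ...)."""
    if isinstance(expr, str):
        return outputs[expr]
    op, *args = expr
    vals = [evaluate(a, outputs) for a in args]
    if op == "NOT":
        return k_not(vals[0])
    if op not in ("AND", "OR"):
        raise ValueError(f"unknown operator: {op}")
    return reduce(k_and if op == "AND" else k_or, vals)

# Constructed sample: per-window outputs of two existing rules.
HIGH_TEMP = "high_temperature/rule"    # hypothetical signal names
PRODUCTION = "production_state/rule"
SAMPLES = [
    {HIGH_TEMP: True,  PRODUCTION: True},    # hot while in production
    {HIGH_TEMP: True,  PRODUCTION: False},   # hot, but not in production
    {HIGH_TEMP: True,  PRODUCTION: None},    # hot, state data missing
    {HIGH_TEMP: False, PRODUCTION: None},    # definite False wins over gap
]
COMPOUND = ("AND", HIGH_TEMP, PRODUCTION)

def run(expr=COMPOUND, samples=SAMPLES):
    return [evaluate(expr, s) for s in samples]
```

Under this assumption the third sample evaluates to a gap rather than an alert, so missing state data withholds the "High Temperature" alert. A compound rule that gates an alert on another rule's output therefore needs the gaps in that output watched as well.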