# Incident Detection

## Classification Logic

| Severity Class | Trigger Condition | Response Time |
|---|---|---|
| CRITICAL | Anomaly score ≥ 0.90 · Manual override · Sensor total loss | <5s from detection to alert dispatch |
| HIGH | Anomaly score 0.70–0.89 · Threshold breach on primary parameters | <30s from detection to alert dispatch |
| MEDIUM | Anomaly score 0.50–0.69 · Secondary parameter deviation | <120s · Batched with periodic reports |
| LOW | Anomaly score 0.25–0.49 · Informational flags | Next scheduled report cycle |

## Alert Routing

| Route Target | Protocol | Applicable Classes |
|---|---|---|
| Primary operator endpoint | Webhook POST · MQTT | CRITICAL · HIGH |
| Secondary operator endpoint | Webhook POST | CRITICAL only (escalation) |
| Scheduled report | SFTP push · REST | MEDIUM · LOW |
| SIEM integration | Syslog · CEF format | All classes |

## Threshold Configuration

| Parameter | Default | Configurable Range |
|---|---|---|
| CRITICAL threshold | 0.90 | 0.80 – 1.00 |
| HIGH threshold | 0.70 | 0.60 – 0.89 |
| MEDIUM threshold | 0.50 | 0.30 – 0.69 |
| Suppression window | 5 minutes | 1 – 60 minutes (per asset) |
| Escalation delay | 15 minutes unacknowledged | 5 – 120 minutes |

## API Output Schema

| Field | Type | Description |
|---|---|---|
| event_id | string (UUID) | Unique event identifier |
| timestamp_utc | ISO 8601 | Detection timestamp (UTC) |
| severity | enum | CRITICAL · HIGH · MEDIUM · LOW |
| asset_id | string | Source asset identifier |
| anomaly_score | float | Normalised score 0.0–1.0 |
| classification | string | Event type from classification tree |
| edge_node_id | string | Originating edge node identifier |
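
The tables above, turned into a reference implementation of the classification, suppression and routing rules and the event record they produce. This is an added example, not the product's own code; the 0.25 lower edge of the LOW band, the "repeats are suppressed unless severity escalates" reading of the suppression window, the route names and the extra `routes` field on the event are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid

RANK = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
ROUTES = {"CRITICAL": ["primary", "secondary", "siem"], "HIGH": ["primary", "siem"],
          "MEDIUM": ["report", "siem"], "LOW": ["report", "siem"]}  # Alert Routing table

@dataclass
class Thresholds:
    critical: float = 0.90
    high: float = 0.70
    medium: float = 0.50
    low: float = 0.25  # lower edge of the LOW band; assumed fixed, not in the config table
    suppression: timedelta = timedelta(minutes=5)

    def __post_init__(self):
        # Reject values outside the documented ranges, then require the bands to stay
        # ordered so a misconfiguration cannot silently demote CRITICAL events.
        if not (0.80 <= self.critical <= 1.00 and 0.60 <= self.high <= 0.89
                and 0.30 <= self.medium <= 0.69):
            raise ValueError("threshold outside configurable range")
        if not self.critical > self.high > self.medium > self.low:
            raise ValueError("severity bands overlap")

def classify(score, cfg, manual_override=False, sensor_lost=False):
    # Discrete triggers (manual override, sensor total loss) are CRITICAL regardless of score.
    if manual_override or sensor_lost or score >= cfg.critical:
        return "CRITICAL"
    for sev, edge in (("HIGH", cfg.high), ("MEDIUM", cfg.medium), ("LOW", cfg.low)):
        if score >= edge:
            return sev
    return None  # below the LOW band: no event is raised

class Detector:
    def __init__(self, cfg, edge_node_id):
        self.cfg, self.edge = cfg, edge_node_id
        self.last = {}  # asset_id -> (timestamp, severity) of the last dispatched alert

    def evaluate(self, asset_id, score, ts=None, classification="unclassified", **triggers):
        ts = ts or datetime.now(timezone.utc)
        sev = classify(score, self.cfg, **triggers)
        if sev is None:
            return None
        prev = self.last.get(asset_id)
        # Suppression window (assumed semantics): drop repeats for the same asset inside
        # the window unless the severity has escalated since the last dispatched alert.
        if prev and ts - prev[0] < self.cfg.suppression and RANK.index(sev) <= RANK.index(prev[1]):
            return None
        self.last[asset_id] = (ts, sev)
        return {"event_id": str(uuid.uuid4()), "timestamp_utc": ts.isoformat(), "severity": sev,
                "asset_id": asset_id, "anomaly_score": score, "classification": classification,
                "edge_node_id": self.edge, "routes": ROUTES[sev]}
```

The returned dict carries exactly the fields of the API Output Schema plus `routes`, so it can be serialised as the webhook, MQTT or CEF payload directly.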