Alarms & Notifications

Alarms — Prioritised Operational Signals

Alarms represent prioritised operational signals derived from events that indicate elevated operational, safety, or security relevance.

While events provide raw visibility into system activity, alarms apply contextual logic to determine when attention is required. Not every event results in an alarm. Alarms are generated only when defined conditions indicate that the situation may require review, investigation, or response.


From Events to Alarms

An alarm is generated when one or more events meet defined conditions established in alarm policies. Alarm triggering logic may consider:

  • Event type and severity
  • Asset criticality
  • Maintenance windows or approved change periods
  • Repeated or correlated behaviours
  • Policy violations or enforcement actions
  • Operational context within the enterprise map

This ensures alarms reflect operational significance, not technical noise.


Alarm Configuration and Flexibility

Alarms are fully configurable and provide extensive flexibility to align with organisational structure, risk tolerance, and operational processes.

When an alarm is raised

Trigger conditions may be based on:

  • Single high-impact events
  • Correlated event sequences
  • Repeated patterns within defined timeframes
  • Changes outside approved maintenance windows
  • Violations of monitoring or protection policies

What information the alarm contains

Alarm content may include:

  • Affected assets and related systems
  • Initiating user or system identity
  • Associated policy references
  • Recent related events
  • Operational zone or site context

This ensures that alarms provide meaningful context rather than isolated technical messages.

Who receives the alarm

Notifications can be directed based on:

  • Asset ownership
  • Role or responsibility
  • Severity level
  • Time-of-day or operational schedules

Alarms may be delivered through platform dashboards and configured notification channels, ensuring that relevant personnel are informed in a timely and controlled manner.


Severity, Context, and Intent

Alarms are typically characterised by:

  • Severity — reflecting potential operational or security relevance
  • Context — linking the alarm to assets, users, and recent activity
  • Intent classification — distinguishing informational conditions from those requiring response
  • Statefulness — allowing alarms to persist, escalate, or clear based on ongoing conditions

Stateful alarms provide a realistic representation of operational situations rather than reacting to isolated events.


Alarm Grouping and Noise Reduction

To prevent alarm fatigue, alarms can be:

  • Grouped by asset, category, or operational zone
  • Aggregated when multiple related events occur
  • Suppressed or adjusted during approved maintenance windows

This ensures that alarms remain actionable operational signals, rather than overwhelming notification streams.


Alarm Lifecycle Management

Alarms follow a defined lifecycle to ensure accountability and traceability:

  • Creation — when triggering conditions are met
  • Acknowledgement — by responsible personnel
  • Investigation — using correlated events and asset context
  • Resolution — with documented outcome
  • Closure or Dismissal — depending on findings

This structured lifecycle ensures alarms are not ignored, forgotten, or resolved informally without evidence.


Guided Response Through Playbooks

Alarms may be associated with structured playbooks that support consistent response. Playbooks provide:

  • Initial verification steps
  • Recommended investigation actions
  • Escalation paths
  • Conditions under which monitoring should continue or enforcement should be considered

Playbooks guide human decision-making. They do not automate operational judgement.


Monitoring and Active Protection Context

Alarms operate in both monitoring and enforcement contexts.

In monitoring mode, alarms highlight deviations for review and validation.

In active protection mode, alarms may accompany enforcement actions, such as blocked execution or restricted communication.

In both cases, alarms provide the operational signal that enables informed human response.


Example Scenario

A custom agent detects a change in a production-critical recipe file. The change occurs outside an approved maintenance window, on a system with restricted modification rights.

The event is escalated to an alarm due to its operational relevance. The alarm:

  • Identifies the affected asset
  • Attributes the initiating user
  • Links related file and process events
  • References the relevant policy

Operational personnel acknowledge the alarm, validate intent, and document the outcome.
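The scenario above, worked as an added Python example that is not the platform's own code: a small alarm policy that escalates a recipe-file change only when the asset is high-criticality with restricted modification rights and the change falls outside an approved maintenance window, then attaches related events, zone and policy reference as context. The asset names, maintenance window, file extension and policy identifier are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory and approved maintenance windows (assumed shape, not the platform's schema).
ASSETS = {
    "line3-hmi-01": {"criticality": "high", "restricted": True, "zone": "Line 3"},
    "lab-pc-07":    {"criticality": "low",  "restricted": False, "zone": "Lab"},
}
MAINTENANCE = {"line3-hmi-01": [(datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 4, 0))]}

@dataclass
class Event:
    ts: datetime
    asset: str
    kind: str      # "file_modified" or "process_start"
    user: str
    detail: str    # file path or process name

def in_maintenance(asset, ts):
    return any(start <= ts <= end for start, end in MAINTENANCE.get(asset, []))

def evaluate(events, window=timedelta(minutes=5)):
    """Escalate a recipe-file change to an alarm only on a high-criticality, restricted asset
    and outside an approved maintenance window; attach nearby events on the same asset as context."""
    alarms = []
    for ev in events:
        if ev.kind != "file_modified" or not ev.detail.endswith(".rcp"):
            continue                                   # not a recipe change
        asset = ASSETS.get(ev.asset, {})
        if asset.get("criticality") != "high" or not asset.get("restricted"):
            continue                                   # low-value or unrestricted asset: stays an event
        if in_maintenance(ev.asset, ev.ts):
            continue                                   # approved change period: stays an event
        related = [r for r in events
                   if r is not ev and r.asset == ev.asset and abs(r.ts - ev.ts) <= window]
        alarms.append({"asset": ev.asset, "zone": asset["zone"], "user": ev.user,
                       "policy": "POL-RECIPE-INTEGRITY", "related": related})
    return alarms

# Constructed sample events: a change inside the window, one outside it (with a related
# process start just before it), and one on an unrestricted lab machine.
SAMPLE = [
    Event(datetime(2024, 5, 1, 3, 10), "line3-hmi-01", "file_modified", "svc-deploy", r"C:\recipes\batch42.rcp"),
    Event(datetime(2024, 5, 1, 14, 2), "line3-hmi-01", "process_start", "jdoe", "notepad.exe"),
    Event(datetime(2024, 5, 1, 14, 3), "line3-hmi-01", "file_modified", "jdoe", r"C:\recipes\batch42.rcp"),
    Event(datetime(2024, 5, 1, 14, 5), "lab-pc-07", "file_modified", "jdoe", r"C:\recipes\test.rcp"),
]
```

Running `evaluate(SAMPLE)` yields a single alarm for the 14:03 change, attributed to `jdoe`, with the preceding process start attached as a related event; the other two changes remain events only.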


Alarms transform raw system activity into prioritised, contextualised operational signals. Through configurability, statefulness, grouping, and guided response, the platform ensures that attention is directed where it matters — supporting operational awareness, governance, and controlled protection without creating unnecessary noise.


Notifications and Awareness

Notifications extend the visibility provided by alarms and events by ensuring that relevant operational personnel are informed in a timely and controlled manner.

While alarms represent prioritised operational conditions within the platform, notifications provide the awareness mechanism that connects those conditions to responsible individuals or teams.

Purpose of Notifications

Notifications are designed to:

  • Ensure timely awareness of significant operational or security conditions
  • Support coordinated response across engineering, operations, and management
  • Reinforce accountability through documented communication
  • Reduce reliance on manual dashboard monitoring alone

Notifications complement, but do not replace, alarm lifecycle management and investigation processes.

Notification Triggers

Notifications may be generated based on:

  • Alarm creation
  • Alarm escalation or severity changes
  • Enforcement actions (e.g., blocked execution or restricted communication)
  • Health or system status conditions
  • Policy violations or critical configuration changes

Notification behaviour is governed by configurable policies aligned with organisational requirements.

Targeted Delivery

Notifications are configurable and may be directed to:

  • Individual users
  • Role-based groups
  • Asset owners
  • Operational teams by site or zone

Routing logic may consider severity level, asset criticality, time-of-day or operational schedule, and maintenance windows. This ensures that notifications are delivered to the appropriate recipients without overwhelming unrelated personnel.

Notification Channels

Notifications may be delivered through approved communication mechanisms, such as:

  • Platform dashboards
  • Email messages
  • SMS or text notifications
  • Integrated external systems

The selection of channels should reflect operational criticality and organisational communication standards.

Escalation and Awareness Levels

Notifications can support structured escalation paths. For example:

  • Initial notification to asset owner
  • Escalation to engineering supervisor if unacknowledged
  • Further escalation for critical unresolved alarms

Escalation logic ensures that high-priority conditions receive appropriate attention.
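Targeted delivery and escalation from the two sections above, as an added Python example that is not the platform's own configuration: routing to the asset owner, severity gating so low-value alarms stay dashboard-only, suppression of non-critical notifications during a maintenance window, and time-based escalation that stops once the alarm has been acknowledged. All recipients, delays, assets and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed routing data and escalation policy (assumptions, not the platform's own configuration).
ASSET_OWNERS = {"line3-hmi-01": "ot-engineering", "lab-pc-07": "lab-team"}
ESCALATION = [                       # (delay after creation, recipient); "owner" resolves per asset
    (timedelta(0), "owner"),
    (timedelta(minutes=15), "engineering-supervisor"),
    (timedelta(minutes=60), "site-manager"),
]
NOTIFY_SEVERITIES = {"medium", "high"}   # "low" remains dashboard-visible only
MAINTENANCE = {"lab-pc-07": [(datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 4, 0))]}

@dataclass
class Alarm:
    asset: str
    severity: str
    created: datetime
    acknowledged_at: Optional[datetime] = None

def in_maintenance(asset, ts):
    return any(start <= ts <= end for start, end in MAINTENANCE.get(asset, []))

def recipients_due(alarm, now):
    """Return, in order, who should have been notified by `now`: none for low severity or for a
    non-high alarm raised inside a maintenance window; escalation halts once acknowledged."""
    if alarm.severity not in NOTIFY_SEVERITIES:
        return []
    if alarm.severity != "high" and in_maintenance(alarm.asset, alarm.created):
        return []
    due = []
    for delay, recipient in ESCALATION:
        step_at = alarm.created + delay
        if step_at > now:
            break                                   # this escalation step is not yet reached
        if alarm.acknowledged_at is not None and alarm.acknowledged_at < step_at:
            break                                   # acknowledged before this step: stop escalating
        due.append(ASSET_OWNERS.get(alarm.asset, "unassigned-assets") if recipient == "owner" else recipient)
    return due

def elapsed(alarm, minutes):
    return alarm.created + timedelta(minutes=minutes)

# Constructed scenarios: the recipe-change alarm from the earlier section, raised at 14:03.
T0 = datetime(2024, 5, 1, 14, 3)
UNACKED = Alarm("line3-hmi-01", "high", T0)
ACKED = Alarm("line3-hmi-01", "high", T0, acknowledged_at=T0 + timedelta(minutes=5))
LOW = Alarm("line3-hmi-01", "low", T0)
LAB_IN_WINDOW = Alarm("lab-pc-07", "medium", datetime(2024, 5, 1, 3, 0))
```

Twenty minutes after creation the unacknowledged alarm has reached the owner and the supervisor, while the alarm acknowledged at five minutes stops with the owner alone.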

Avoiding Notification Fatigue

Effective awareness requires balance. To prevent fatigue:

  • Notifications are typically tied to prioritised alarms rather than raw events
  • Low-value or informational conditions may remain dashboard-visible only
  • Maintenance windows and approved activities may suppress non-critical notifications

This ensures that notifications remain meaningful and actionable.

Operational and Governance Considerations

Notification policies should:

  • Align with organisational responsibility structures
  • Be reviewed periodically
  • Reflect risk acceptance and operational maturity

Over-notification can be as harmful as under-notification. Proper configuration ensures that awareness supports decision-making without creating unnecessary disruption.


Notifications ensure that prioritised operational conditions are communicated clearly and appropriately. By combining configurable triggers, targeted routing, and structured escalation, the platform supports timely awareness while maintaining operational focus and governance discipline.