Events
The Source of Operational Evidence
An event represents a recorded observation of something that has occurred within the environment. Events may be generated or collected directly by the First Watch® platform as part of its monitoring, analysis, and control functions.
Events may originate from:
- Platform-generated events — detected configuration changes, policy evaluations, or behavioural deviations
- Endpoints — application execution, configuration changes, or system activity
- Network monitoring and PLC Guard™ — observed communication behaviour
- Customised agents — file integrity monitoring or recipe verification
- User actions and system activities — access and administrative operations
Operationally, events provide time-stamped, evidence-based records that form the foundation for alarms, investigations, reporting, and audits.
Event Categories
The First Watch® platform organises events into logical categories to support efficient monitoring, investigation, and response. Each category represents a specific operational or security domain.
Agent & Sensor Status
Health, connectivity, compatibility, and configuration state of First Watch agents and modules. Loss of visibility or degraded monitoring capability must be detected immediately to maintain trust in observations and protection.
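The point made above, that loss of visibility must itself be detected, can be shown with a small staleness check over agent status events. The following is an added example written for this page, not First Watch code: it assumes a constructed list of heartbeat records, a hypothetical set of expected agent names, and a fixed "now" so that it runs offline. It flags agents that have gone silent, agents whose last reported state is not healthy, and expected agents that have never reported at all.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample status events (not platform output). Each record is one
# heartbeat; an agent may appear more than once and the newest record wins.
HEARTBEATS = [
    {"agent": "hmi-01", "reported_at": "2024-05-01T09:30:00Z", "state": "degraded"},
    {"agent": "hmi-01", "reported_at": "2024-05-01T10:00:00Z", "state": "healthy"},
    {"agent": "eng-ws-02", "reported_at": "2024-05-01T09:40:00Z", "state": "healthy"},
    {"agent": "plc-guard-03", "reported_at": "2024-05-01T09:58:00Z", "state": "degraded"},
]

# Hypothetical inventory of agents that are expected to report.
EXPECTED_AGENTS = {"hmi-01", "eng-ws-02", "plc-guard-03", "historian-04"}

# Fixed evaluation time so the example is deterministic.
NOW = parse_ts("2024-05-01T10:05:00Z")


def visibility_findings(events, expected_agents, now, max_silence=timedelta(minutes=10)):
    """Return one finding per agent that is silent, degraded, or missing.

    VISIBILITY_LOST: last heartbeat older than max_silence.
    DEGRADED:        heartbeat is fresh but the last reported state is not healthy.
    NEVER_REPORTED:  agent is in the expected inventory but has no heartbeat at all.
    """
    latest = {}
    for event in events:
        ts = parse_ts(event["reported_at"])
        if event["agent"] not in latest or ts > latest[event["agent"]][0]:
            latest[event["agent"]] = (ts, event["state"])

    findings = []
    for agent in sorted(set(expected_agents) | set(latest)):
        if agent not in latest:
            findings.append({"agent": agent, "finding": "NEVER_REPORTED", "silent_for_s": None})
            continue
        ts, state = latest[agent]
        silent_for = int((now - ts).total_seconds())
        if now - ts > max_silence:
            findings.append({"agent": agent, "finding": "VISIBILITY_LOST", "silent_for_s": silent_for})
        elif state != "healthy":
            findings.append({"agent": agent, "finding": "DEGRADED", "silent_for_s": silent_for})
    return findings


if __name__ == "__main__":
    for finding in visibility_findings(HEARTBEATS, EXPECTED_AGENTS, NOW):
        print(finding)
```

Keeping the newest record per agent matters: hmi-01 has an older degraded heartbeat that is superseded by a healthy one, so it produces no finding, while the agent that never reported is still surfaced because the check is driven by the expected inventory rather than only by the events that happened to arrive.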
Asset & Inventory Lifecycle
Discovery, verification, modification, and removal of assets (devices, systems, software identities). Untracked or unexpected assets introduce blind spots and unmanaged risk into industrial environments.
Endpoint System Configuration
Changes to endpoint host configuration such as OS properties, patches, memory, disks, antivirus, and RDP settings. Configuration drift can weaken system resilience or indicate unauthorised or unsafe changes.
Endpoint Processes & Execution
Process creation, execution, termination, blocking, and killing on endpoints. Process execution is the primary vector for malware, misuse of tools, and unauthorised engineering activity.
Endpoint File System & Integrity
File creation, modification, deletion, access, blocking, and whitelisting, including executable handling. Critical files such as engineering projects, recipes, scripts, and executables must be protected from unauthorised modification.
Endpoint Registry
Registry creation, modification, and deletion events. Registry changes are commonly used for persistence, configuration manipulation, and privilege abuse.
External Devices (USB)
Connection, removal, blocking, and unsafe handling of removable and wireless peripherals. External devices remain one of the highest-risk infection and data exfiltration vectors in OT environments.
Network Connectivity & Location
Changes in network connection state, interface status, internet access, and network location awareness. Unexpected connectivity changes may indicate misconfiguration, unsafe access paths, or external exposure.
Network Shares
Access to network shares, including user identity and remote endpoints. Network shares are frequently abused for lateral movement, ransomware staging, and data manipulation.
Network Flows & Traffic Telemetry
Session-level network flow information and traffic statistics between assets. Understanding who communicates with whom, how often, and how much is foundational for detecting abnormal behaviour.
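To show how "who talks to whom, how often, and how much" becomes a detection input, here is an added example (not First Watch code) that compares constructed session-level flow records against a hypothetical learned baseline. Asset addresses, ports, and byte counts are all made up for the example. A pair not present in the baseline is reported as a new communication path; a known pair whose mean bytes per session far exceeds its baseline is reported as a volume spike.

```python
from collections import defaultdict

# Hypothetical baseline learned over an earlier window, keyed by
# (source, destination, destination port): total sessions and total bytes.
BASELINE = {
    ("10.0.1.10", "10.0.2.20", 502): {"sessions": 100, "bytes": 20000},
    ("10.0.1.10", "10.0.2.21", 502): {"sessions": 100, "bytes": 20000},
    ("10.0.1.11", "10.0.1.10", 3389): {"sessions": 5, "bytes": 500000},
}

# Constructed session-level flow records for the window under review.
OBSERVED_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 502, "bytes": 200},
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 502, "bytes": 200},
    {"src": "10.0.1.10", "dst": "10.0.2.21", "dport": 502, "bytes": 150000},
    {"src": "10.0.1.50", "dst": "10.0.2.20", "dport": 502, "bytes": 300},
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 44818, "bytes": 100},
]


def summarise(flows):
    """Aggregate per (src, dst, dport): how often they talk and how much."""
    agg = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for flow in flows:
        key = (flow["src"], flow["dst"], flow["dport"])
        agg[key]["sessions"] += 1
        agg[key]["bytes"] += flow["bytes"]
    return dict(agg)


def flow_findings(baseline, flows, volume_factor=5.0):
    """Return findings for unseen communication pairs and volume spikes.

    NEW_PAIR:     (src, dst, dport) never seen in the baseline, which covers both
                  an unknown host and a known host using a new port.
    VOLUME_SPIKE: mean bytes per session exceeds volume_factor times the baseline mean.
    """
    observed = summarise(flows)
    findings = []
    for key, stats in sorted(observed.items()):
        if key not in baseline:
            findings.append({"finding": "NEW_PAIR", "pair": key,
                             "sessions": stats["sessions"], "bytes": stats["bytes"]})
            continue
        base = baseline[key]
        base_mean = base["bytes"] / max(base["sessions"], 1)
        obs_mean = stats["bytes"] / stats["sessions"]
        if obs_mean > volume_factor * base_mean:
            findings.append({"finding": "VOLUME_SPIKE", "pair": key,
                             "baseline_mean_bytes": base_mean, "observed_mean_bytes": obs_mean})
    return findings


if __name__ == "__main__":
    for finding in flow_findings(BASELINE, OBSERVED_FLOWS):
        print(finding)
```

Comparing mean bytes per session rather than raw totals keeps the check independent of how long the review window is; a real deployment would also want a minimum session count before trusting a baseline entry, which the `max(..., 1)` guard only partially stands in for.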
Network Security Controls & Policy Enforcement
Firewall-style decisions, policy evaluations, and enforcement outcomes at the network level. These events show when communication is allowed, restricted, blocked, or audited under defined policies.
Network Anomalies & Protocol Hygiene
Malformed packets, unknown protocols, failed connections, and suspicious network behaviour. Such anomalies often indicate scanning, probing, misbehaving devices, or early-stage attacks.
PLC & Industrial Protocol Operations
Industrial protocol activity and PLC lifecycle actions such as programming, firmware updates, start/stop, and tag access. These events directly affect physical processes and must be tightly monitored and authorised.
Windows Logs & OS Events
Structured and generic Windows event log entries collected from endpoints. Windows logs provide low-level evidence for authentication, system behaviour, and security-relevant actions.
Remote Access (RDP)
Remote desktop logon, logoff, and session details. Remote access introduces elevated risk and must be visible, attributable, and governed.
Security Centre & Platform Security Signals
Security-related alerts and health signals generated by security services within the platform. These events indicate internal security posture and platform-level issues requiring attention.
Policy & Governance Changes
Creation, update, removal, and failure of policies, templates, principals, resources, and schedules. Governance changes directly affect what is allowed, detected, or blocked and must be fully auditable.
Alarms & Notifications Management
Alarm lifecycle events and notification configuration changes. These events ensure accountability for how alerts are generated, handled, and communicated.
Licensing & Entitlement
License installation, verification, compliance, and expiry events. Licensing events affect platform functionality and operational continuity.
Custom, Policy-Derived & Log-Scanner Events
Events generated by custom policies, log scanners, or tailored detection logic. These events enable site-specific monitoring and active protection without modifying core platform logic.
Summary
Together, these event categories provide:
- Comprehensive visibility across IT, OT, and cyber-physical layers
- Clear separation of concerns for operators, engineers, and security teams
- Evidence-based foundations for alarms, playbooks, investigations, and audits
- Flexible extension points for customised monitoring and active protection
This structured approach ensures that events remain actionable, interpretable, and operationally relevant — rather than overwhelming or ambiguous.