Role 4 / 5 · time horizon: weeks–months

Intelligence Analyst

"Find the pattern. Improve the rule. Build the next detector."

Persona

Tutkija Annika Vesterinen

Maritime Pattern Analysis Cell · PhD in signal processing · 6 years post-doctorate

Annika lives in notebooks. While the watch floor is firefighting today's alerts, she's three months in the past, asking "of the 412 AIS-dark windows we recorded this quarter, which ones look most like S6 stage A and which look like normal navigational silence?". Her output is not incidents — it's better detectors: tuned composite-score weights, a new ontology relation, a backtested KQL rule ready for Activator.

She partners closely with the Forensic Investigator (who brings her the rich, labelled incident bundles) and the Commander (who sets her direction and signs off her rule changes). She is suspicious of any rule that fires more than five times a week in production without being closed by Watch.

⚠ synthetic persona

Daily workflow

09:00Reviews last week's rule-efficacy report — true positives, false positives by rule, time-to-close distribution.
10:30Spark notebook: loads 12 weeks of MAC fingerprints per coastal sensor, computes per-sensor "normal" baseline (top-K most frequent OUI families, dwell-time distribution).
13:00Opens the ontology graph and traces: vessel → AIS gap → infrastructure proximity → MAC novelty. Tests whether adding a "recent port-of-call" edge improves S6 stage-A precision.
14:30Backtests a proposed new rule against four weeks of historical data in a notebook. Confirms 8% precision improvement, 2% recall drop. Acceptable trade.
16:00Drafts a Loop page for the Commander: "Proposed rule change: tighten Estlink-buffer AIS-dark from 25 min → 20 min, with the port-of-call filter to suppress 3 known false positives."
17:00Once approved, deploys the rule to Activator. Tags the deployment in the rule-efficacy table with a baseline date for next week's review.

Key data products

Data product	Source scenario(s)	Fabric tool	Refresh cadence
Baseline-vs-today MAC fingerprint Per coastal sensor: top-K OUI mix, dwell distribution, novelty rate vs 10-week rolling baseline	S6 + all sensor history	`Notebook` (Spark) on Lakehouse	weekly
Rule efficacy report TP/FP per Activator rule, decoy-discrimination rate, mean time-to-close	all rules	`Lakehouse` SQL + PBI	monthly
Ontology pattern mining Frequent-subgraph queries: which sub-patterns of S6 generalise to other incidents?	S6 + ontology	`Notebook` + ontology graph store	on-demand
New-detector simulation Notebook backtest of a proposed Activator rule against ≥ 4 weeks of historical KQL	all	`Notebook` backtest harness	ad hoc
Composite-weight proposal Diff vs current `weights.json` with expected score-distribution shift	S6 composite	`Notebook` + Loop page to Commander	quarterly

Linked scenarios

S6 — Multi-Stage Combo The reference labelled incident What this role sees: the gold-standard 5-stage bundle used to validate every new composite-weight proposal. S3 — Loitering Over Critical Infrastructure Industrial-IoT MAC cluster signature What this role sees: the canonical loitering signature — the basis for a new "MAC-burst + infra-polygon dwell" detector under test. S4 — Spoofed AIS Identity The "two MACs, one MMSI" pattern What this role sees: the textbook MMSI-impossibility detector — currently zero false positives across 12 weeks of backtest.

Fabric tools used

Fabric Notebooks (PySpark) Lakehouse (silver/gold) Eventhouse (KQL exploration) Ontology graph store Activator (rule deployment) Loop (proposal docs)

Example Data Agent prompts

Of the AIS-dark events longer than 20 minutes in the last 90 days, which ones overlap a critical-infrastructure buffer AND a novel-MAC event at the nearest coastal sensor?
How would the composite score for S6 have changed if I lowered the "MAC-novelty" weight from 0.25 to 0.18 over the last 4 weeks?
Show me MAC OUI prefixes that appear at MAC-PRV-COAST-01 this week but never appeared in the prior 10 weeks.

Dashboard mockup

Intel · Notebook · MAC-baseline-drift.ipynb · cell 14 / 22