Watch Operator
"Catch it as it happens. Triage the alert. Hand off the incident."
Persona
Vahtipäällikkö Eero Nyström
Eero works rotating 12-hour shifts in front of three 32" panels: the Real-Time Dashboard with ship and aircraft tracks, an Eventhouse query console, and an Activator alert feed. When a yellow chip pops on the alert feed, his job is to classify it in under 90 seconds — true incident, decoy, sensor glitch — and either close it or open a ticket and call the right person.
He does not investigate. He triages. The richest tool in his belt is a shortlist of pre-baked KQL snippets he can launch with two clicks to confirm or rule out the standard scenario patterns (AIS dark, spoof split, MAC burst, rendezvous proximity).
⚠ synthetic persona
Daily workflow
- 06:00 Shift handover — reviews the outgoing operator's open tickets and any rules currently muted for known maintenance.
- 06:15 Confirms the Real-Time Dashboard is live, AIS lag < 30 s, MAC sensor health all green, Activator subscriptions active.
- 09:42 Activator alert fires: "AIS-dark window 28 min over Estlink-2 buffer, MMSI 230999401, novel MAC at MAC-PRV-COAST-01". Runs the pre-baked S1-confirm KQL — pattern matches. Opens ticket, escalates to Forensic Investigator.
- 11:20 Two-vessel proximity alert (S2 family). Runs proximity-confirm query — under 200 m for 18 min. Tags as candidate rendezvous, hands off.
- 14:00 Mid-shift micro-brief to the duty deputy. Five-line text: open count, recent escalations, sensor health, weather, anything strange.
- 17:50 Closes a false-positive (decoy MMSI 999000420). Tags the rule as "decoy-false-positive" so the Intelligence Analyst can find it in next week's rule-efficacy review.
- 18:00 Shift handover to night operator — same template as the morning.
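The S1-confirm check from the 09:42 entry could look like the query below. This is an added example, not a snippet from the original page: the table name `AisPositions`, its columns, the 15-minute threshold and the buffer polygon are assumptions, and the rows are constructed sample data (only MMSI 230999401 and the 28-minute window come from the page).

```kusto
// Added example: AIS-dark confirmation over a cable buffer.
// Table, columns, threshold and polygon are assumptions, not the page's own.
let DarkThreshold = 15m;   // hypothetical minimum reporting gap to call "AIS dark"
// Constructed box for illustration only, not real cable geometry.
// Ring is counterclockwise and closed, coordinates are [longitude, latitude].
let CableBuffer = dynamic({"type":"Polygon","coordinates":[[
    [25.0,59.6],[25.4,59.6],[25.4,59.9],[25.0,59.9],[25.0,59.6]]]});
// Constructed sample reports: one vessel goes silent inside the box,
// one reports regularly inside it, one goes silent outside it.
let AisPositions = datatable(ts:datetime, mmsi:long, lat:real, lon:real) [
    datetime(2025-01-01 09:10:00), 230999401, 59.70, 25.10,
    datetime(2025-01-01 09:12:00), 230999401, 59.71, 25.12,
    datetime(2025-01-01 09:14:00), 230999401, 59.72, 25.14,
    datetime(2025-01-01 09:42:00), 230999401, 59.74, 25.30,
    datetime(2025-01-01 09:10:00), 230000001, 59.80, 25.20,
    datetime(2025-01-01 09:20:00), 230000001, 59.80, 25.22,
    datetime(2025-01-01 09:30:00), 230000001, 59.80, 25.24,
    datetime(2025-01-01 09:40:00), 230000001, 59.80, 25.26,
    datetime(2025-01-01 09:00:00), 230000002, 60.30, 26.50,
    datetime(2025-01-01 09:45:00), 230000002, 60.31, 26.60
];
AisPositions
| sort by mmsi asc, ts asc              // serializes rows so prev() is well defined
| extend prev_ts = prev(ts), prev_mmsi = prev(mmsi),
         prev_lat = prev(lat), prev_lon = prev(lon)
| where mmsi == prev_mmsi               // compare only reports of the same vessel
| extend gap = ts - prev_ts
| where gap >= DarkThreshold
// Keep gaps that start or end inside the buffer
| where geo_point_in_polygon(prev_lon, prev_lat, CableBuffer)
     or geo_point_in_polygon(lon, lat, CableBuffer)
| project mmsi, dark_from = prev_ts, dark_to = ts, gap_min = gap / 1m
```

Checking both the last report before the gap and the first report after it avoids missing a vessel that stops transmitting just outside the buffer and resumes inside it.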
Key data products
| Data product | Source scenario(s) | Fabric tool | Refresh cadence |
|---|---|---|---|
| Live incident feed. Fused AIS + radar + MAC tracks, colour-coded by composite score | S2 / S4 / S5 realtime | Real-Time Dashboard | ~5 s |
| Active alerts queue. Open Activator alerts with severity, age, owner | S1 / S3 / S6 rules | Activator | real-time |
| Pre-baked triage KQL snippets. One snippet per scenario pattern: S1-confirm, S2-proximity, S4-spoof-split, S5-airborne-MAC | all | Eventhouse KQL | on-demand |
| Hand-off ticket. Structured payload: timestamps, MMSIs, sensor IDs, classification, KQL evidence link | any | Fabric workflow → Forensic Investigator inbox | on-demand |
| Sensor health tile. Per-sensor heartbeat & lag, red if > 60 s | infra/sensor catalog | Real-Time Dashboard | ~10 s |
Linked scenarios
Fabric tools used
Example Data Agent prompts
- Show me every vessel within 500 m of an HVDC cable polygon in the last 10 minutes.
- Has MMSI 230999401 ever gone AIS-dark over Estlink before today?
- Which Activator rule fires most often during the 06:00–09:00 window — and is it a real-incident rule or a known-decoy rule?