Wow. Drools has changed quite a bit since I last used it. Beside the name change (bought by JBoss) and new features, it now sports a nice Eclipse-based workbench for editing rules. Rule syntax has changed from awkward XML-based one to an easier to read template-based expression language. Very nice.
I've used Drools to drive PassMark Security's realtime forensic engine (now part of RSA Adaptive Authentication product). Drools was used not only for policy-based risk analysis but also as a blackboard of sort to which analysis modules (i.e. bayesian) and distributed forensic evidence sources (i.e. account management systems, wire transfer services) can be plugged into.
Essentially, bundles of low-level facts (i.e. IP address) are thrown into it everytime the customer does something. As low-level facts are added, high-level rules fire to add higher-level facts (derivatives) and modules fire to pull related facts in from outside like accounting department that may impact risk level evaluation or from data center monitors to provide 'environmental' facts. At any given point, bayesian engines may kick in to contribute what they think is going on over time or scope of activities.
Fun stuff although there are deployment issues which is why there was not much pushing going on in the architecture. You can easily (cost and tech wise) to pull information out of most enterprise systems but pushing new information into them gets expensive very quickly. My big picture was to turn what I had into a central hub for integration and extension of enterprise systems. Oh, well. I think that picture was too big/out-of-scope for RSA. With EMC (which bought RSA), it might be another story.
Anyhow, I am going to play with the latest verson because these kind of technologies can be very useful if used appropriately.