The values in the Alert ID (alert.id) meta key do not have descriptive names, and therefore do not describe the alert that was triggered.
Values in the Alert ID (alert.id) meta key generally correspond to Application Rule names from the decoder on which the session was captured, namely rules that were deployed via RSA Live. There are two methods that can be used to identify the Application Rule that triggered the alert, which are described below.
Method 1: Using the Live Search to Identify the Application Rule As the Application Rules using the nwXXXXX are deployed using RSA Live, the Live search page can be used to quickly identify the official name of an Application Rule.
In the Security Analytics UI, navigate to Live -> Search.
Enter the Alert ID value in the Keywords box and click the Search button. Information about the corresponding Application Rule will be displayed in the Matching Resources section.
Method 2: Examining the Deployed Application Rules on the Decoder Another method for identifying Application Rules is to examine the Decoder configuration. While this method will not provide the official name of the rule, it will provide the syntax for the rule itself.
In the Security Analytics UI, navigate to Administration -> Services.
Select the Decoder service, click on the red Actions button in the far right column, and select View -> Config.
Click on the App Rules tab. The Alert ID value will be listed in the Name column, whereas the syntax of the rule will be listed in the Condition column.