Is there a documentation about the nw alert id's?
e.g. : alert.id= 'nw12010', 'nw12015', 'nw12525'
Is there a documentation about the nw alert id's?
e.g. : alert.id= 'nw12010', 'nw12015', 'nw12525'
They aren't really intended for human consumption.
Each alert.id will result in a risk meta value being registered (risk.informational, risk.suspicious, or risk.warning), and that is their sole purpose.
So you can (and should) ignore them entirely. Instead, look at the risk meta that was generated.
So for the "Attack Kill Chain Report", I've got it from the community, there is a Rule "Data Exfiltration:Cloud Storage Domains". This rule trigges when "alert.id='nw12525'"
Nevertheless I can't find any information about that criteria.
nw12525 will register risk.informational "file storage sites"
If you look under the log or packet decoder app rules you can look at the condition to find out what each rule is looking for.
Rules with name beginning with nw are from RSA Live.
nw12525 will register risk.informational "file storage sites"