Is there a documentation about the nw alert id's?
e.g. : alert.id= 'nw12010', 'nw12015', 'nw12525'
nw12525 will register risk.informational "file storage sites"
They aren't really intended for human consumption.
Each alert.id will result in a risk meta value being registered (risk.informational, risk.suspicious, or risk.warning), and that is their sole purpose.
So you can (and should) ignore them entirely. Instead, look at the risk meta that was generated.
So for the "Attack Kill Chain Report", I've got it from the community, there is a Rule "Data Exfiltration:Cloud Storage Domains". This rule trigges when "alert.id='nw12525'"
Nevertheless I can't find any information about that criteria.
If you look under the log or packet decoder app rules you can look at the condition to find out what each rule is looking for.
Rules with name beginning with nw are from RSA Live.
Here it is:
Retrieving data ...