I am trying to find the rule logic for the rules that are populated under the Alert.id meta key on the Investigation pane. I found some of them under the Application Rule tab on the decoder, but not all of the ones I am looking for. Is there a way I can get to that information through the UI, or do I need to SSH into one of the appliances? Or is there a reference online where I can search for the rule logic?
alert.id is an internal metakey used by application rules, feeds and parsers. A single metavalue in alert.id is then processed by 3 feeds (alertids_info.feed, alertids_suspicious.feed, & alertids_warning). These feeds populate multiple metakey values from any match, to keys like risk.info, risk.suspicious, risk.warning, threat.source, threat.category, etc.
So to answer your question, there is not just a set of rules that write to this key; parsers and other feeds also write to this key. (Note: you can look at the "Parsers Configuration" section of a Packet Decoder and expand the parsers to see which ones write to the alert.id key.)
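To make the chain in the answer concrete (an alert.id value is written by a rule, parser or feed, then the three alertids feeds match on it and write risk.* and threat.* keys), here is an added toy model in Python. It is not NetWitness code or a real feed: the feed tables, the alert.id values, the session meta and the `feed.name` bookkeeping key are all constructed for this example, and a real feed is a CSV with its own definition file rather than a Python dict.

```python
"""Toy model of the alert.id -> feed enrichment chain described in the answer.

Added example, not NetWitness code. The feed tables, alert.id values and
session meta below are constructed for illustration only.
"""
from collections import defaultdict

# Constructed stand-ins for the three feeds named in the answer. Each table is
# keyed on an alert.id value and lists the meta keys/values written on a match.
# The alert.id values here are placeholders, not real rule or parser ids.
FEEDS = {
    "alertids_info.feed": {
        "example-id-info-1": {"risk.info": "self-signed certificate",
                              "threat.category": "encryption"},
    },
    "alertids_suspicious.feed": {
        "example-id-susp-1": {"risk.suspicious": "direct-to-ip http request",
                              "threat.source": "application rule"},
    },
    "alertids_warning.feed": {
        "example-id-warn-1": {"risk.warning": "possible beaconing",
                              "threat.category": "c2",
                              "threat.source": "parser"},
    },
}

def enrich(session_meta):
    """Return a copy of session_meta with the keys added by every feed that
    matches one of the session's alert.id values. Keys are multi-valued
    (lists), as meta is in Investigation, so several matches accumulate
    instead of overwriting each other. 'feed.name' is a constructed key
    recording which feed fired, which is what the original question is
    really chasing."""
    out = defaultdict(list)
    for key, values in session_meta.items():
        out[key].extend(values)
    for alert_id in session_meta.get("alert.id", []):
        for feed_name, table in FEEDS.items():
            match = table.get(alert_id)
            if match is None:
                continue
            for key, value in match.items():
                if value not in out[key]:
                    out[key].append(value)
            out["feed.name"].append(feed_name)
    return dict(out)

def which_feeds(alert_id):
    """Reverse lookup: which of the three feeds would act on this alert.id."""
    return [name for name, table in FEEDS.items() if alert_id in table]

if __name__ == "__main__":
    # Constructed session: two alert.id values written upstream by a rule and a parser.
    session = {"alert.id": ["example-id-susp-1", "example-id-warn-1"],
               "ip.src": ["10.0.0.5"]}
    for key, values in sorted(enrich(session).items()):
        print(f"{key:18} {values}")
```

Running the block shows that a session carrying two alert.id values ends up with risk.suspicious, risk.warning, two threat.source values and a threat.category, none of which came from a single application rule; the `which_feeds` helper answers the narrower "which feed reacts to this id" question without logging in to the appliance.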