This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Reference for nw Alert Id's

Go to solution
Anonymous
Not applicable

‎2014-12-18 01:35 PM

Is there a documentation about the nw alert id's?

e.g. : alert.id= 'nw12010', 'nw12015', 'nw12525'

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-12-18 02:00 PM

nw12525 will register risk.informational "file storage sites"

View solution in original post

0 Likes
5 REPLIES 5

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-12-18 01:42 PM

They aren't really intended for human consumption.

 

Each alert.id will result in a risk meta value being registered (risk.informational, risk.suspicious, or risk.warning), and that is their sole purpose.

 

So you can (and should) ignore them entirely. Instead, look at the risk meta that was generated.

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2014-12-18 01:49 PM

So for the "Attack Kill Chain Report", I've got it from the community, there is a Rule "Data Exfiltration:Cloud Storage Domains". This rule trigges when "alert.id='nw12525'"

Nevertheless I can't find any information about that criteria.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-12-18 02:00 PM

nw12525 will register risk.informational "file storage sites"

0 Likes

Go to solution
DavidWaugh1
Employee
Employee

‎2016-01-05 10:43 AM

If you look under the log or packet decoder app rules you can look at the condition to find out what each rule is looking for.

 

Rules with name beginning with nw are from RSA Live.

apprules.png

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.