I have set up both packetbeat and auditbeat on a host. I wanted to set a rule about login events, but I am a bit confused by the separation between
event.module: system and
At the SIEM overview there is not a very good explanation or categorization of which beat an event.module belongs to, and what about event.datasets?
Also, my question came up when I saw that there were two login events! The first is
event.action: user_login and the second is
event.action: logged-in.
As someone who is trying to catch and set a rule about login events, that seems a bit confusing, at least for now, since I haven't understood the relationship and the differences!
Thanks in advance
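As an added illustration (not part of the post above), a small Python check that treats both event.action spellings from the post as one "login" concept and tallies them per event.module and event.dataset, so the overlap between modules is visible before a rule is written. The sample ECS documents and the module/dataset values paired with each action are constructed assumptions, not data from the post.

```python
import json
from collections import Counter

# Constructed sample ECS documents (not taken from the original post). The
# module/dataset values next to each event.action are assumptions made for
# this illustration; verify the real pairing in your own index.
SAMPLE_EVENTS = [
    '{"event":{"module":"system","dataset":"login","action":"user_login","outcome":"success"},"user":{"name":"alice"}}',
    '{"event":{"module":"auditd","dataset":"auditd","action":"logged-in","outcome":"success"},"user":{"name":"alice"}}',
    '{"event":{"module":"system","dataset":"login","action":"user_logout","outcome":"success"},"user":{"name":"alice"}}',
    '{"event":{"module":"auditd","dataset":"auditd","action":"logged-in","outcome":"failure"},"user":{"name":"bob"}}',
    '{"event":{"module":"flow","dataset":"flow","action":"network_flow"},"source":{"ip":"10.0.0.5"}}',
]

# Both spellings mentioned in the post are treated as the same login concept.
LOGIN_ACTIONS = {"user_login", "logged-in"}


def parse_events(lines):
    """Parse newline-delimited JSON documents into dicts, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def is_login_event(doc):
    """Rule-style predicate: true when event.action is one of the login
    spellings, regardless of which beat module produced the document."""
    action = doc.get("event", {}).get("action")
    return action in LOGIN_ACTIONS


def summarize_logins(docs):
    """Count login events per (module, dataset, action, outcome) so that
    two modules reporting the same login show up side by side."""
    counts = Counter()
    for doc in docs:
        if not is_login_event(doc):
            continue
        ev = doc["event"]
        key = (ev.get("module"), ev.get("dataset"), ev["action"], ev.get("outcome"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize_logins(parse_events(SAMPLE_EVENTS)).items()):
        print(n, *key)
```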