Prebuilt Rule Reference

jasieltego · May 25, 2021, 9:18pm

Hi,

I finally have setup my lab environment and fully working now. I'm ready to use prebuilt rules, my question is how, how do I start? I was able to use one rule because it clearly stated in the documentation copy xxxxx into xxx part of the auditbeat.yml file.

However I'm looking at this now, bypass uac I want to log that.

but it's not to user friendly. What do I need to do for this and any other prebuilt rule that I would like to use?
I see a section that says rule query, do I need to paste that in a particular spot of a YML file?

any guidance would be appreciated.
Thanks

jasieltego · May 25, 2021, 11:55pm

I can't seem to find a guide that shows us how to work with these. If you find something please direct me towards it and I'll check it out.

system · June 23, 2021, 1:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic prebuilt rules error Elastic Security	3	1053	July 17, 2023
Is it possible to change the prebuilt rules in Signal detection rules Elasticsearch	1	332	May 18, 2020
Watch configuration (advance watch - Jason queries for cyber security) SIEM	5	518	August 31, 2021
Pre-built set of rules still using SYSMON based detection (winlogbeat- *, event.code: 1, etc.) or using linguistic terms specific to an operating system (eg: Win 10 EN system user is SYSTEM, but Win 10 PT-BR system user is SISTEMA) Endpoint Security	2	656	December 1, 2020
Prebuilt security rule not working with fleet architecture Elastic Agent detection-rules	1	269	July 21, 2023

Prebuilt Rule Reference

Related topics