Prebuilt Rule Reference

jasieltego · May 25, 2021, 9:18pm

Hi,

I finally have setup my lab environment and fully working now. I'm ready to use prebuilt rules, my question is how, how do I start? I was able to use one rule because it clearly stated in the documentation copy xxxxx into xxx part of the auditbeat.yml file.

However I'm looking at this now, bypass uac I want to log that.

but it's not to user friendly. What do I need to do for this and any other prebuilt rule that I would like to use?
I see a section that says rule query, do I need to paste that in a particular spot of a YML file?

any guidance would be appreciated.
Thanks

jasieltego · May 25, 2021, 11:55pm

I can't seem to find a guide that shows us how to work with these. If you find something please direct me towards it and I'll check it out.

Topic		Replies	Views
Auditbeat setting unspecified rule Beats auditbeat	10	1241	December 19, 2018
Auditbeat issue - custom audit rule not working Beats auditbeat	2	552	April 5, 2019
Auditbeat installation replaces custom config with example Beats auditbeat	3	818	October 5, 2018
Elastic prebuilt rules error Elastic Security	3	1273	July 17, 2023
I use auditbeat 8.6.2, can't find no login shell command Beats auditbeat	1	404	March 28, 2023

Prebuilt Rule Reference

Related topics