Prebuilt Rule Reference

Elastic Stack Beats
1

Hi,

I finally have setup my lab environment and fully working now. I'm ready to use prebuilt rules, my question is how, how do I start? I was able to use one rule because it clearly stated in the documentation copy xxxxx into xxx part of the auditbeat.yml file.

However I'm looking at this now, bypass uac I want to log that.

but it's not to user friendly. What do I need to do for this and any other prebuilt rule that I would like to use?
I see a section that says rule query, do I need to paste that in a particular spot of a YML file?

any guidance would be appreciated.
Thanks

2

I can't seem to find a guide that shows us how to work with these. If you find something please direct me towards it and I'll check it out.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.