Prebuilt Rule Reference


I finally have set up my lab environment and it's fully working now. I'm ready to use prebuilt rules; my question is, how do I start? I was able to use one rule because the documentation clearly stated to copy xxxxx into the xxx part of the auditbeat.yml file.

However, I'm looking at this now: Bypass UAC. I want to log that.

But it's not too user-friendly. What do I need to do for this and any other prebuilt rule that I would like to use?
I see a section that says "rule query"; do I need to paste that into a particular spot of a YML file?

Any guidance would be appreciated.

I can't seem to find a guide that shows us how to work with these. If you find something please direct me towards it and I'll check it out.
