I finally have my lab environment set up and fully working now. I'm ready to use prebuilt rules; my question is how, how do I start? I was able to use one rule because the documentation clearly stated to copy xxxxx into the xxx part of the auditbeat.yml file.
However, I'm looking at this now: bypass UAC, which I want to log.
But it's not very user friendly. What do I need to do for this and any other prebuilt rule that I would like to use?
I see a section that says "rule query"; do I need to paste that into a particular spot of a YML file?
Any guidance would be appreciated.