Threat detection rules VS beats

Can someone tell me if default detection rules are capable of triggering alerts base on logs from events (not from fleet). I.e. new user creation. I can not make it work. Also, how do I define my own custom policies that will trigger alerts base on logs from beats (packet beat, winlog beat etc.).

It is of course possible.
You should better describe your attempts that you have already made and what does not work.
On which data do you want to make alerts?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.