Threat detection rules VS beats

Can someone tell me if default detection rules are capable of triggering alerts base on logs from events (not from fleet). I.e. new user creation. I can not make it work. Also, how do I define my own custom policies that will trigger alerts base on logs from beats (packet beat, winlog beat etc.).