We're just getting going with auditd. We're Looking to trace back user activities and file changes.
Check the following TA for Linux auditd, https://splunkbase.splunk.com/app/4232/
There is a companion app, https://splunkbase.splunk.com/app/2642/, that will make use of the collected data for some pretty dashboards.
I guess I am looking more for auditd rules configs. Something to get started with. Some of these configs on linux can get pretty intense.
There're a few templates under /usr/share/doc/audit-xxx/rules/xxx.rules