diff --git a/rules/example-1-simple.conf b/rules/example-1-simple.conf
new file mode 100644
index 00000000..c6e9532b
--- /dev/null
+++ b/rules/example-1-simple.conf
@@ -0,0 +1,14 @@
+# A very simple config for introductory purpose. Not for the real-world!
+
+
+# Network traffic to/from standard system utilities
+# These utils never communicate on the network - if they do, that is a strong indication
+# that something is wrong (rootkit?)
+# Note that the full rule lists all ~150 binaries from coreutils; this example only has a few.
+(fd.typechar = 4 or fd.typechar = 6) and proc.name in (ls, mkdir, cat, less, ps)
+
+# System binary is modified or new file is written to standard binary dirs
+evt.type = write and fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
+
+# Shell running in container
+container.id != host and proc.name = bash
diff --git a/rules/example-2-macros.conf b/rules/example-2-macros.conf
new file mode 100644
index 00000000..017e49d8
--- /dev/null
+++ b/rules/example-2-macros.conf
@@ -0,0 +1,17 @@
+# A very simple config for introductory purpose. Not for the real-world!
+
+
+# Binary directories
+bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
+
+# Core binaries
+core_binaries: proc.name in (ls, mkdir, cat, less, ps)
+
+# Network traffic to/from standard utility
+(fd.typechar = 4 or fd.typechar=6) and core_binaries
+
+# System binary is modified
+evt.type = write and bin_dir
+
+# Shell running in container
+container.id != host and proc.name = bash
diff --git a/rules/example-3-outputs.conf b/rules/example-3-outputs.conf
new file mode 100644
index 00000000..88ef3068
--- /dev/null
+++ b/rules/example-3-outputs.conf
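Review bot: The condition `evt.type = write and fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)` is narrower than the comment above it ("or new file is written to standard binary dirs"): it only sees the `write` syscall against those four exact directories, so a file created by open/creat without any bytes written, a write through pwrite/writev, or a file placed in a subdirectory such as /usr/bin/foo/ would not match, and if the engine emits both enter and exit events for a syscall each write may be reported twice unless `evt.dir` is also constrained — worth confirming against the engine. For an introductory example it is enough to make the comment honest, e.g. `# System binary is modified (write() into one of the standard binary dirs; creat/rename/pwrite and subdirectories are not covered here)`. The magic values on the network rule also deserve a comment, since 4 and 6 are the IPv4/IPv6 socket type characters: `# fd.typechar 4 = IPv4 socket, 6 = IPv6 socket`.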
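Review bot: The network rule in rules/example-2-macros.conf writes `fd.typechar=6` without spaces while the same expression has `fd.typechar = 4` immediately before it and example-1-simple.conf spells both with spaces; the same inconsistency is repeated in rules/example-3-outputs.conf. Since these files are meant to be read as a progression, the operator spacing should match across all three: `(fd.typechar = 4 or fd.typechar = 6) and core_binaries`. The macros `bin_dir` and `core_binaries` would also benefit from a one-line comment saying that a macro name used bare in a condition expands to its expression, since that is the concept this file introduces.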
@@ -0,0 +1,16 @@
+# A very simple config for introductory purpose. Not for the real-world!
+
+# Binary directories
+bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
+
+# Core binaries
+core_binaries: proc.name in (ls, mkdir, cat, less, ps)
+
+# Network traffic to/from standard utility
+(fd.typechar = 4 or fd.typechar=6) and core_binaries | %evt.time: %proc.name network with %fd.l4proto
+
+# System binary is modified
+evt.type = write and bin_dir | %evt.time: System binary modified (file '%fd.filename' written by process %proc.name)
+
+# Shell running in container
+container.id != host and proc.name = bash | %evt.time: Shell running in container (%proc.name, %container.id)
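Review bot: The output strings give a responder too little to act on: the network rule prints only the L4 protocol and no endpoint, the file rule uses `%fd.filename`, which (assuming these are sysdig-style filter fields) is the basename without its directory, and the shell rule prints `%proc.name`, which the condition already fixes to bash. Assuming the sysdig field set, `%fd.name` carries the full path or the connection tuple, so `| %evt.time: %proc.name network with %fd.l4proto to %fd.name` and `... (file '%fd.name' written by process %proc.name)` would make the first two alerts self-contained, and `%proc.cmdline` or `%user.name` in the container alert would say who launched the shell rather than repeating the matched name. A short comment introducing the `| ...` output syntax and the `%field` substitution would also help, since that is the feature this third example adds.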