Building correlations from the defaults
This is actually an excellent way to learn to build correlated alerts, and is the method I used when first learning about them.
Copying an included default correlated rule and then creating a view for that copy lets you confirm that you are able to receive alerts for the base condition. You can then break down your modification process into small, testable steps, making incremental changes and testing until you've perfected your correlated alert.
I have done something similar in my environment. I have made a copy of all the rules, and now I tweak them as per my convenience, and it has helped me in optimizing the alerts by changing the threshold values.
I've done the same for the Windows Authentication correlation events.
Quite a few of the defaults were too chatty in my environment.
The ability to copy the correlation rules is quite useful.