Hi, I have the squid logs being indexed by the log concentrator, and assigned to the 'url' meta correctly, via a custom parser. I now need to create an alert based on a threat feed and notify on the event of a detection of a URL requested which is present in the threat list/feed. Can someone please guide me on how to enable this?
As is usual for all things, it depends. Having more information will be helpful.
At first glance I'd set up a feed with my blacklist/threat feed against the url metakey and then have it alert to a custom metakey you use (i.e. squid.alert) and then have your reporting engine or ESA system just look at any events where squid.alert exists.
Obviously this could be much more complicated, you could add more comparisons at the log decoder level, at the ESA level, etc.
Please provide more context, as much as possible would be great.
Thanks,
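The flow the reply sketches, as an added Python illustration that is not part of this thread and not NetWitness feed or parser code (the feed entries, log lines and function names are constructed): a squid access-log line is parsed into an event with a url meta, the url is checked against the feed, a hit writes squid.alert, and alerting keys on the presence of squid.alert. The lookup matches both whole-domain and host/path indicators, which goes a little beyond the reply.

```python
# Added illustration (constructed data, not NetWitness code): parse squid log -> feed lookup on url -> alert where squid.alert exists.
import re
from urllib.parse import urlsplit
# Constructed feed: one indicator per line, either a bare domain or host/path.
THREAT_FEED = """
# comments and blank lines are ignored
evil.example
bad-cdn.example.net/payload.bin
"""
# Constructed squid access.log lines (native squid format).
SQUID_LOG = """\
1700000000.123    245 10.0.0.5 TCP_MISS/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000001.456     12 10.0.0.7 TCP_MISS/200 5120 GET http://evil.example/stage2.php - HIER_DIRECT/203.0.113.9 text/html
1700000002.789     30 10.0.0.9 TCP_MISS/404 300 GET https://bad-cdn.example.net/payload.bin - HIER_DIRECT/198.51.100.4 application/octet-stream
"""
# Fields: timestamp elapsed client code/status bytes method url ...
LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")

def load_feed(text):
    """Return (domains, urls): domain-only indicators and host/path indicators."""
    domains, urls = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            (urls if "/" in line else domains).add(line)
    return domains, urls

def parse_squid(line):
    """Step 1, the custom parser: an event dict carrying the 'url' meta key, or None."""
    m = LOG_RE.match(line)
    return None if m is None else {"time": m.group(1), "client": m.group(3), "method": m.group(6), "url": m.group(7)}

def apply_feed(event, feed):
    """Step 2, the feed lookup: set squid.alert when the url's host or host/path matches."""
    domains, urls = feed
    parts = urlsplit(event["url"])
    host = (parts.hostname or "").lower()
    if host in domains:
        event["squid.alert"] = host
    elif host + parts.path in urls:
        event["squid.alert"] = host + parts.path
    return event

def detect(log_text, feed_text):
    """Step 3, what ESA or the reporting engine does: keep only events where squid.alert exists."""
    feed = load_feed(feed_text)
    events = [apply_feed(e, feed) for e in map(parse_squid, log_text.splitlines()) if e]
    return [e for e in events if "squid.alert" in e]
```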