Below is a simple ESA logic you can use. You can add to the filter based
on the required categories defined by Blue Coat (Symantec Category
Descriptions).

SELECT * FROM Event( /* Statement: S1 */ (device_type.toLowerCase() IN ( 'cacheflowelff' ) AND...

What Web Gateway do you have in your environment? Are you collecting
those logs to SA? Also, you need to know about the web filtering policy
implemented; based on that, you can write an ESA rule to alert on that
category.