Hello,
I just created an alert condition to match multiple URLs. It looks like this:
URL Check (Field Content Alert Condition)
Alerting on stream Proxy-Connections
Configuration: Alert is triggered when messages matching <URI_Host: ""bit.ly" OR "136.243.203.174" OR "mail.mei.gov.qa" OR "yip.su" OR "dnsupdateservers.net" OR "microsoftupdate.mom""> are received. Grace period: 0 minutes. Including last message in alert notification. Configured to repeat notifications.
The notification looks like this:
MALICIOUS URL
${if backlog}
${foreach backlog message}
Zeitstempel (UTC): ${message.fields.timestamp}
URI_Host: ${message.fields.URI_Host}
Client: ${message.fields.Client_Address}
${end}${else}<No backlog> ${end}
Everything works fine, but I get some false positives, like:
ftp2.de.debian.org
update.libreoffice.org
1c3mlb450ose39j89b4cor60.wpengine.netdna-cdn.com
Kind regards
Philipp
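One way to pin down which match rule the alert should be applying is to re-run the host list from the condition above against the hosts that fired, under an exact-host-or-subdomain rule and under a loose substring rule, and compare. The script below is an added example, not part of the post or of Graylog; it assumes a message shape with the three fields the notification template prints (`timestamp`, `URI_Host`, `Client_Address`), and the sample messages are constructed for the demonstration.

```python
import ipaddress

# Blocklist copied from the alert condition in the post above.
BLOCKLIST = [
    "bit.ly",
    "136.243.203.174",
    "mail.mei.gov.qa",
    "yip.su",
    "dnsupdateservers.net",
    "microsoftupdate.mom",
]


def normalize_host(host: str) -> str:
    """Lower-case, strip whitespace, a trailing dot and a port, so comparisons are stable."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and "]" in host:   # bracketed IPv6 literal such as [::1]:443
        return host[1:host.index("]")]
    if host.count(":") == 1:                    # plain host:port
        host = host.split(":", 1)[0]
    return host


def is_listed(host: str, blocklist=BLOCKLIST) -> bool:
    """Exact match, or the host is a subdomain of a listed domain.
    IP address entries are compared exactly; no suffix logic applies to addresses."""
    h = normalize_host(host)
    try:
        ipaddress.ip_address(h)
        return h in {normalize_host(b) for b in blocklist}
    except ValueError:
        pass
    for entry in blocklist:
        e = normalize_host(entry)
        if h == e or h.endswith("." + e):
            return True
    return False


def naive_contains(host: str, blocklist=BLOCKLIST) -> bool:
    """Loose substring rule: fires on any host that merely contains a listed string."""
    h = normalize_host(host)
    return any(normalize_host(e) in h for e in blocklist)


# Constructed sample messages shaped like the fields the template prints.
# The three libreoffice/debian/wpengine hosts are the false positives from the post;
# "notbit.ly" is constructed to show where the loose rule and the strict rule disagree.
SAMPLE_MESSAGES = [
    {"timestamp": "2017-01-01T10:00:00Z", "URI_Host": "bit.ly", "Client_Address": "10.0.0.5"},
    {"timestamp": "2017-01-01T10:00:01Z", "URI_Host": "cdn.bit.ly", "Client_Address": "10.0.0.6"},
    {"timestamp": "2017-01-01T10:00:02Z", "URI_Host": "ftp2.de.debian.org", "Client_Address": "10.0.0.7"},
    {"timestamp": "2017-01-01T10:00:03Z", "URI_Host": "update.libreoffice.org", "Client_Address": "10.0.0.8"},
    {"timestamp": "2017-01-01T10:00:04Z", "URI_Host": "1c3mlb450ose39j89b4cor60.wpengine.netdna-cdn.com", "Client_Address": "10.0.0.9"},
    {"timestamp": "2017-01-01T10:00:05Z", "URI_Host": "notbit.ly", "Client_Address": "10.0.0.10"},
    {"timestamp": "2017-01-01T10:00:06Z", "URI_Host": "136.243.203.174", "Client_Address": "10.0.0.11"},
    {"timestamp": "2017-01-01T10:00:07Z", "URI_Host": "136.243.203.17", "Client_Address": "10.0.0.12"},
]


def evaluate(messages, matcher):
    """Return the URI_Host values that the given matcher would alert on."""
    return [m["URI_Host"] for m in messages if matcher(m["URI_Host"])]


if __name__ == "__main__":
    for name, matcher in (("strict", is_listed), ("substring", naive_contains)):
        print(name, "->", evaluate(SAMPLE_MESSAGES, matcher))
```

Running the two matchers side by side over the backlog of a real alert shows which rule the condition is effectively applying; if hosts fire that match neither rule, the cause lies in how the condition parses the quoted OR list rather than in the list itself.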