Have you been seeing suspicious URLs appear in your reports? You can now set a rule to track that activity with SolarWinds Log & Event Manager (LEM). LEM includes many preconfigured rules for ease of use. For this procedure, clone and enable the Known Spyware Site Traffic rule to track when users attempt to access suspicious websites, matched by partial or complete URL addresses. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.
Before enabling this rule, ensure your proxy server transmits complete URL addresses to your SolarWinds LEM Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.
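One way to run the URL-field check described above over many events at once, as an added example that is not part of the original article or SolarWinds code. It assumes WebTrafficAudit events were exported to CSV; the `EventName` and `Source` column names, the sample rows and the 0.9 threshold are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; column names other than URL are assumptions.
SAMPLE_CSV = """EventName,Source,URL
WebTrafficAudit,proxy01,http://updates.example.test/agent/check.php?id=7
WebTrafficAudit,proxy01,https://cdn.example.test/js/app.js
WebTrafficAudit,proxy01,intranet.example.test/wiki/Home
WebTrafficAudit,fw01,203.0.113.10
WebTrafficAudit,fw01,shop.example.test
WebTrafficAudit,fw01,
"""

def classify_url(value):
    """Return 'complete', 'host-only' or 'empty' for one URL field value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    # urlsplit only fills netloc when a scheme or a leading // is present.
    parts = urlsplit(value if "://" in value else "//" + value)
    has_detail = parts.path not in ("", "/") or bool(parts.query)
    return "complete" if parts.netloc and has_detail else "host-only"

def url_detail_by_source(csv_text):
    """Count URL field quality per log source for WebTrafficAudit rows."""
    counts = defaultdict(lambda: {"complete": 0, "host-only": 0, "empty": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventName"] != "WebTrafficAudit":
            continue
        counts[row["Source"]][classify_url(row["URL"])] += 1
    return {src: dict(c) for src, c in counts.items()}

def usable_sources(csv_text, min_ratio=0.9):
    """Sources whose share of complete URLs meets min_ratio (assumed cut-off)."""
    ok = []
    for src, c in url_detail_by_source(csv_text).items():
        total = sum(c.values())
        if total and c["complete"] / total >= min_ratio:
            ok.append(src)
    return sorted(ok)

if __name__ == "__main__":
    for src, c in url_detail_by_source(SAMPLE_CSV).items():
        print(src, c)
    print("usable for URL matching:", usable_sources(SAMPLE_CSV))
```

A source that reports only hosts or IP addresses in the URL field can still match rules keyed on domain names, but not rules that depend on a path or query string.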
To clone and enable the Known Spyware Site Traffic rule: