Use Cases for Proxy Devices such as Ironport, Bluecoat, etc.
To be honest, you really need to be looking into Activate to get easy and simple value from ESM. There is a perception that you can just get some content and fix something. But the problem is that what is important for one customer is not for another, and customers have different configurations and setups for their systems. A great example is VPN setups - there are so many options, configurations and environments. While it would be great to have a generic package, it would also be pretty limited and usually of very little use.
Activate is a way to address this and make it a bit simpler and easier to address. Think of it as a way to have content to address specific log sources and then build up to a wider set of indicators that then feed to a set of alerts and details. You really don't necessarily want to trigger an alert on one set of logs. You really want to have multiple systems combine together to give real and valuable indicators of what is happening.
You need to check things out here:
You can also see some more information about this framework and what you can do with it here:
You need to get the base Activate content to address this:
But from there, you can use the specific indicator packages here, such as the Blue Coat one:
You can find all of the packages here: