Is there a way to detect if a host clicked on a link from and email that hey received? Assume sourcetypes for web and mail traffic... I know I can use transaction but the trasaction would start as the host being the dest from the email and the get request for the clicked link would make he host be d source, since the host would be on two separate fields how could we make this connection?
There are probably many ways to solve this but lets say you used the transaction command so you could set some time span limits.
You could just rename the fields for the transaction search so that they have the same name.
ie.
sourcetype=mail OR sourcetype=proxy | rename mail_ip as ip | rename dest_ip as ip | transaction ip
Now in the real world this would be more complicated because you would need to extract out the link from the email and depending on the link and your proxy it may use ip or dns name so you would need to normalize that to be the same.