If you want to capture the domain field values in the threat activity dashboard, you need to create a saved search (say, for example, "Threat - URL squid Matches - Threat Gen").
It would be good if you have a data model for squid, or you can go with the normal index command. Please find the query below.
The query will look for the squid domains, then compare them with the lookup to see if there's a hit.
| tstats prestats=true local=false values(sourcetype) as sourcetype,values(squid.src),values(squid.dest) from datamodel=squid by squid.domain
| eval url='squid.domain'
| eval threat_match_field="squid.domain"
| stats values(sourcetype) as sourcetype,values(squid.src) as src,values(squid.dest) as dest by url,threat_match_field
| lookup update=true ip_intel domain as url OUTPUTNEW
Hope this works