That is an interesting detection. In day-to-day use, XML events have more issues with extracting CIM fields like src, user, dest and app, which can hamper more common detections.
Another solution I've been working on is a bit more efficient than CEF-like formatting and allows for use of an actual syslog server. The updated TA is published here: https://bitbucket.org/SPLServices/splunk_ta_bluecoat_proxysg/