For example, a user receives an email with a link in it that requests him to click it. How would the SIEM rules definitely know whether the link sent to him is a valid link, spam, etc.? Thanks.
I'm just a newbie in SIEM Nitro, and have been using it for almost 2 months.
OK, the SIEM is a powerful tool, but it doesn't have the intelligence built in to detect such things. It takes a good analyst to be creative and create correlation rules that work for your specific situation. You also need to make sure that you purchased the options to parse email server logs. I don't know what you would need to do that, though.
However, if you get updated lists of known malware domains and/or URLs, you could just create a rule that checks internal-to-external flow data over ports 80 and 443. Create a watch list for the known malware sites and have it alert you when any of that traffic is bound for any sites in that watch list.
I know you wanted some specifics, but you should be able to find another post from someone on how to accomplish this. It's not the greatest example, but it might give you enough of a start to get you going.
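To make the watch-list approach from the answer concrete, here is a small added example (not from the original thread and not tied to Nitro or any SIEM's rule syntax) that applies the same logic over a few constructed log lines: only internal-to-external traffic on ports 80 and 443 is considered, and an alert is raised when the destination matches a watch list. Flow records alone carry only IPs and ports, so the example assumes the destination hostname has been joined in from proxy or DNS logs (the `host=` field), and it also lets the watch list hold bare IPs for the case where no hostname is available. All domains, IPs and the `key=value` log format are constructed placeholders.

```python
import ipaddress

# Constructed watch list: placeholder domains and one placeholder IP, not real indicators.
WATCH_LIST = {"malware-example.test", "phish-example.invalid", "198.51.100.99"}

# RFC 1918 ranges used to decide the "internal" side of the flow (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {80, 443}

# Constructed sample flows in a simple key=value layout; a real SIEM would parse its own log format.
SAMPLE_FLOWS = [
    "src=192.168.1.20 dst=203.0.113.10 dport=443 host=cdn.malware-example.test",   # subdomain match
    "src=192.168.1.21 dst=203.0.113.11 dport=443 host=www.example.com",            # benign
    "src=203.0.113.12 dst=192.168.1.5 dport=80 host=phish-example.invalid",        # inbound, not in scope
    "src=10.1.2.3 dst=198.51.100.7 dport=8080 host=phish-example.invalid",         # port not watched
    "src=10.1.2.4 dst=198.51.100.8 dport=80 host=phish-example.invalid",           # exact domain match
    "src=10.1.2.5 dst=198.51.100.99 dport=443",                                    # no hostname, IP match
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def host_in_watch_list(host: str, watch_list=WATCH_LIST) -> bool:
    """Match the host itself or any parent domain, so cdn.bad.test matches a 'bad.test' entry."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in watch_list for i in range(len(parts)) if parts[i])


def parse_flow(line: str) -> dict:
    """Split a constructed 'key=value key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def evaluate_flow(line: str, watch_list=WATCH_LIST):
    """Return an alert dict if the flow is internal->external web traffic to a watched destination."""
    f = parse_flow(line)
    if not is_internal(f["src"]) or is_internal(f["dst"]):
        return None  # only outbound traffic is in scope for this rule
    if int(f["dport"]) not in WATCHED_PORTS:
        return None
    host = f.get("host", "")
    if host_in_watch_list(host, watch_list) or f["dst"] in watch_list:
        return {
            "rule": "watchlist-outbound-web",
            "src": f["src"],
            "dst": f["dst"],
            "dport": int(f["dport"]),
            "host": host,
        }
    return None


def run_rule(lines, watch_list=WATCH_LIST):
    """Apply the rule to every record and collect the alerts."""
    return [a for a in (evaluate_flow(line, watch_list) for line in lines) if a]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_FLOWS):
        print(alert)
```

The parent-domain match in `host_in_watch_list` is the part most worth carrying over to a real correlation rule: a watch list entry for a domain should also catch its subdomains, while a substring match would wrongly hit unrelated hosts that merely contain the string. Keep the watch list refreshed from the threat feed the answer mentions, since stale entries are the main source of both misses and noise with this kind of rule.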