I don't believe regex-based correlation parameters are permitted. Another way to accomplish this - aside from a watchlist, which does support regex, would be to adjust the parsing rule so that the TLD would be additionally parsed into its own field which could be indexed, manipulated and used for rules. Thanks.
Thanks for the response Andy.
For those interested in the technical details, I created two additional custom types (TLD1, TLD2) which I have indexed. I run a WebSense proxy and found the existing signature ID that parses the logs received (1018095), copied it and added the following regular expressions:
domain\x3d\x22[^\x22]+(\.[^\x22\d]+)\x22 - Maps to TLD1
domain\x3d\x22[^\x22]+(\.[\d\w][^\x22]+\.[^\x22\d]+)\x22 - Maps to TLD2
It's important to 'disable' the original 'Websense_Ent Websense SQL Event' rule (1018095).
I now have the ability to specifically chart 'suspicious' domains (.io, .pw, co.vu, .info, etc) as well as more effectively filter out known good sub-domains (.gstatic.com, .googleapis.com, .youtube.com, etc).
Hope this helps other people.