Hi,
There is two possible scenarios where you could potentially track this information.
1) monitor web traffic through proxy / firewall - If you are routing your web traffic from users through a proxy or firewall which logs traffic, get the syslog events to send to LEM and identify the interesting events. You can choose to filter these in the monitor, or apply a rule to take action when this event triggers the rule.
2) Check that this is logged on the workstation - This will be more costly as you will need to then purchase a licence for the workstations you want to monitor, as an agent would need to be deployed to each workstation in question. There is a possibility that Outlook logs to an event log this type of activity.
I would pursue option 1. It looks as though you have already done this too and have identified that the URL contains /ical/.
The simplest way to create a rule, is to build an nDepth query first to prove you can correlate on the event you are trying to configure the trigger for.
Start with a keyword seach for /ical/ and it will most likely take you to an event "WebTrafficAudit".
Refine this:
Create a User-Defined Group and add an entry for /ical/
Perform an nDepth query for the following criteria
WebTrafficAudit.URL CONTAINS /ical/
If this returns the expected results, build a new rule and set the correlation to the same as the above, specify a correlation time and appropriate action.
NOTE: Be very careful about using email alerts as you could end up flooding your inbox, or someone elses notifying of this event. Also take caution about what active responses you do perform too as these can be quite destructive if you get them wrong.
Always put into test mode before enabling the rule and monitor the rule in the monitor window under rule activity filter. It will show here if the rule has been fired.
Remember to activate the rules if you make a change or add one or the agent nodes will not get the update to the rules.
Hope that this helps.
Garreth