This TA parses the Insider Threat dataset R6.1 made available by SEI. The data was created by ExactData LLC for the ADAMS project, an Insider Threat program at DARPA (https://www.cert.org/insider-threat/). There are 10 data sets for the project: https://www.cert.org/insider-threat/tools/index.cfm
The TA has props and transforms that provide Splunk's Common Information Model (CIM) mapping for the R6.1 data set for the following log types:
You can download R6.1 from here: ftp://ftp.sei.cmu.edu/pub/cert-data/r6.1.tar.bz2
The Insider Threat datasets were made for ADAMS, an Insider Threat program at DARPA (https://www.cert.org/insider-threat/). This TA works on the R6.1 data set (r6.1.tar.bz2). R6.1 is available here: ftp://ftp.sei.cmu.edu/pub/cert-data/r6.1.tar.bz2
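The following stanzas are an added example of the kind of props/transforms mapping the TA provides; they are not the TA's own configuration. They assume that R6.1 logon.csv has the columns id,date,user,pc,activity with timestamps such as 01/02/2010 06:49:00 and activity values Logon/Logoff, and they use an assumed sourcetype name cert:logon. The header line is dropped at index time, the columns are extracted at search time, and the result is mapped onto the CIM Authentication data model (user, src, dest, action, signature) and tagged so the data model picks it up.

```ini
# props.conf  (added example, not the TA's own configuration)
# Assumed column layout of R6.1 logon.csv: id,date,user,pc,activity
# Assumed sourcetype name: cert:logon
[cert:logon]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The timestamp is the second column; skip the id column that precedes it.
TIME_PREFIX = ^[^,]*,
TIME_FORMAT = %m/%d/%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# Send the CSV header line to the null queue so it is never stored as an event.
TRANSFORMS-cert_logon_header = cert_logon_drop_header
# Search-time field extraction from the comma-separated columns.
REPORT-cert_logon_fields = cert_logon_fields
# CIM Authentication fields derived from the extracted columns.
# user is taken as-is; the workstation is both the source and the destination
# of an interactive logon in this dataset.
FIELDALIAS-cert_logon_src = pc AS src
FIELDALIAS-cert_logon_dest = pc AS dest
# CIM action is only defined for the logon itself; logoffs get no action value.
EVAL-action = if(activity=="Logon", "success", null())
EVAL-signature = activity
EVAL-vendor_product = "CERT Insider Threat Test Dataset r6.1"

# transforms.conf
[cert_logon_drop_header]
REGEX = ^id,date,user,pc,activity
DEST_KEY = queue
FORMAT = nullQueue

[cert_logon_fields]
DELIMS = ","
FIELDS = "id","date","user","pc","activity"

# eventtypes.conf
# Only Logon rows are authentication events in the CIM sense.
[cert_insider_logon]
search = sourcetype=cert:logon activity=Logon

# tags.conf
[eventtype=cert_insider_logon]
authentication = enabled
```

After deploying and restarting Splunk, a search such as `tag=authentication sourcetype=cert:logon | table _time user src dest action` confirms that the fields land where the Authentication data model expects them. The header-drop transform only takes effect on the instance that parses the data (indexer or heavy forwarder); if the file is forwarded by a universal forwarder it must be installed there too, or the header row will be indexed as an event with a bogus timestamp.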
The TA includes a "samples" directory that contains 9 entries from each log type. The R6.1 dataset provides both synthetic background data and data from synthetic malicious actors:
The "answers" directory provides the log entries that pertain to the insider threat scenarios; it is the ground truth against which any detection built on this data should be checked.
Ver 0.2. Provides basic parsing functionality for the Insider Threat logs provided by SEI. Also includes a samples directory with samples of the log files.