This is a non-IMPACT record, meaning that access to the data is not controlled by IMPACT. For access, see the directions below.

Disclaimer:
This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.

Summary

DS-0923
User-Computer Authentication Associations in Time
External Dataset
External Data Source
Los Alamos National Laboratory
01/01/2014
01/02/2014
56 (lowest rank is 56)

Category & Restrictions

Other
local networks
Unrestricted
Unknown

Description


User-Computer Authentication Events Data

This anonymized data set encompasses 9 continuous months and represents 708,304,516 successful authentication events from users to computers collected from the Los Alamos National Laboratory (LANL) enterprise network. The data sources include Windows-based authentication events from both individual computers and centralized Active Directory domain controller servers; process start and stop events from individual Windows computers; Domain Name Service (DNS) lookups as collected on internal DNS servers; network flow data as collected at several key router locations; and a set of well-defined red teaming events that present bad behavior within the 58 days. In total, the data set is approximately 12 gigabytes compressed across the five data elements and presents 1,648,275,307 events in total for 12,425 users, 17,684 computers, and 62,974 processes.

Specific users that are well-known and system-related (SYSTEM, Local Service) were not de-identified, though any well-known administrator accounts were still de-identified. In the network flow data, well-known ports (e.g. 80, 443, etc.) were not de-identified. All other users, computers, processes, ports, times, and other details were de-identified as a unified set across all the data elements (e.g. U1 is the same U1 in all of the data). The specific timeframe used is not disclosed for security purposes. In addition, no data that allows association outside of LANL's network is included. All data starts with a time epoch of 1 using a time resolution of 1 second. In the authentication data, failed authentication events are only included for users that had a successful authentication event somewhere within the data set.

cyberdata@lanl.gov

Additional Details

N/A
false
Unknown