| Network Data Source | NetFlows, pcaps |
| Network Data Labeled | Yes |
| Host Data Source | Windows events, Linux events |
| Host Data Labeled | Yes |
| Overall Setting | Enterprise IT |
| OS Types | Windows, Linux |
| Number of Machines | 55 |
| Total Runtime | 28 days |
| Year of Collection | 2025 |
| Attack Categories | Various ATT&CK tactics |
| User Emulation | Synthetic |
| Packed Size | - |
| Unpacked Size | 65 GB |
| Download Link | goto |
Overview
DEDALE (Dataset for Evaluating Detection of APT among Logs and Events) is a network and host intrusion detection dataset generated using the RESCOUSSE testbed. The dataset spans 28 days and contains a fully-fledged APT campaign, preceded and followed by several days of only benign behavior. The authors try to improve upon existing similar works (specifically referencing SOCBED) by increasing both size and complexity of the virtualized network, running the attack campaign over several days as well as offering more sophisticated user emulation.
Environment
The environment consists of a multi-zone corporate network architecture with 55 virtual machines distributed across four network zones, connected via three routers:
- External (attacker and external clients)
- DMZ (web servers, VPN server)
- Internal Servers (domain controller with SMB shares, internal server)
- Internal Clients (30 Windows company workstations)
The system runs various services including web servers, email (SMTP), SSH, SMB file sharing, VPN, DNS, and different office applications. A visual representation of the entire structure can be found on their homepage.
Activity
Benign activity is generated by AURA (Automated UseR Activity), a custom tool created by the same authors that simulates corporate user behavior across different user profiles like developer or manager. Activities include email communication with attachments, web browsing to various sites, file operations (creation, modification, copying), SSH commands, printing, and VPN connections. Scheduled timelines for these benign activities are provided separately.
The APT attack scenario runs over 8 days beginning in week 3, consisting of:
- Initial Access via spear phishing email with malicious macro attachment
- Execution of PowerShell script downloading HTTPS meterpreter reverse shell
- Persistence through registry key modifications
- C2 using custom Python malware with daily beaconing
- Discovery of domain credentials
- Lateral Movement to domain administrator machine via PrintNightmare (CVE-2021-1675)
- Collection of domain credentials and sensitive files from internal server
- Exfiltration to C2 server
An illustration of the attack campaign can be found here.
Contained Data
Network data is captured at four distinct monitoring points, each available as weekly PCAP archives:
- green_internal
- orange_servers
- orange_dmz
- router1, with three interfaces (router1_green, router1_orange, router1_red)
Suricata alerts are included, but not explicitly labeled, although the authors mention that only 2 out of 130,430 Suricata alerts are true positive (related to a malicious flow). Network flows, generated from the PCAPs above, are labeled with one of three classes, additionally providing the associated MITRE ATT&CK tactic and technique numbers if relevant:
- 0 (benign)
- 1 (attack)
- 2 (attack-related but not inherently malicious)
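Since the Suricata alerts ship unlabeled while the flows are labeled, checking a claim such as "2 true positives out of 130,430 alerts" means joining each alert to the labeled flow that carried it. The block below is an added example, not the dataset's own tooling; it assumes the flow `ts` column is epoch seconds and `duration` is microseconds (CICFlowMeter convention), that the syslog `message` field holds Suricata's fast-log format as in the snippet further down, and uses constructed, abridged sample records.

```python
import csv
import io
import json
import re
from collections import defaultdict

# Constructed sample in the dataset's column names. A real *_Flow_labeled file
# has ~90 CICFlowMeter feature columns between "duration" and "label", which
# csv.DictReader lets us skip. ts is epoch seconds, duration microseconds.
FLOWS_CSV = """date,uid,ip_src,port_src,ip_dst,port_dst,proto,ts,duration,label,step,attack_step,tactic,technique,comments
2024-12-27 17:29:03.000000000,172.16.1.19-172.16.0.3-55417-50010-6,172.16.1.19,55417,172.16.0.3,50010,6,1735320543.0,2000000.0,0,0,benign,,,
2024-12-27 17:29:06.000000000,172.16.1.22-172.16.0.3-51177-9200-6,172.16.1.22,51177,172.16.0.3,9200,6,1735320546.0,3000000.0,1,4,c2,TA0011,T1071.001,constructed
"""
# Constructed alerts, abridged from the page's suricata_alerts snippet.
ALERT_LINES = [
    '{"@timestamp":1735320543276,"message":"[1:2017515:5] ET INFO User-Agent (python-requests) Inbound to Webserver [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.1.19:55417 -> 172.16.0.3:50010\\n","program":"suricata"}',
    '{"@timestamp":1735320545197,"message":"[1:2017515:5] ET INFO User-Agent (python-requests) Inbound to Webserver [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.1.5:60218 -> 172.16.0.3:50010\\n","program":"suricata"}',
    '{"@timestamp":1735320546974,"message":"[1:2011341:15] ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.16.1.22:51177 -> 172.16.0.3:9200\\n","program":"suricata"}',
]

# Suricata fast-log line as it appears inside the syslog "message" field.
ALERT_RE = re.compile(
    r"^\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[Classification: .+?\] "
    r"\[Priority: \d+\] \{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) "
    r"-> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}  # flow files use IANA numbers


def parse_alert(line):
    """Return sid, message, 5-tuple and epoch seconds, or None if unparsable."""
    rec = json.loads(line)
    m = ALERT_RE.match(rec["message"].strip())
    if not m:
        return None
    key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), PROTO_NUM.get(m["proto"]))
    return {"sid": int(m["sid"]), "msg": m["msg"], "ts": rec["@timestamp"] / 1000.0, "key": key}


def index_flows(flows_csv):
    """Map each 5-tuple, in both directions, to its flows' (start, end, row)."""
    idx = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flows_csv)):
        start = float(row["ts"])
        fwd = (row["ip_src"], int(row["port_src"]), row["ip_dst"], int(row["port_dst"]), int(row["proto"]))
        entry = (start, start + float(row["duration"]) / 1e6, row)
        idx[fwd].append(entry)
        idx[(fwd[2], fwd[3], fwd[0], fwd[1], fwd[4])].append(entry)
    return idx


def label_alerts(flows_csv, alert_lines, slack=1.0):
    """Attach label/technique of the labeled flow that carried each alert
    (same 5-tuple, active at alert time +/- slack s); label None if no match."""
    idx = index_flows(flows_csv)
    out = []
    for a in filter(None, map(parse_alert, alert_lines)):
        hit = next((r for s, e, r in idx.get(a["key"], ()) if s - slack <= a["ts"] <= e + slack), None)
        a["label"] = int(hit["label"]) if hit else None
        a["technique"] = hit["technique"] if hit else ""
        out.append(a)
    return out
```

Alerts that stay `None` are the interesting residue: either the flow file for that monitoring point was not loaded, or the alert fired on traffic the flow labeling never saw.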
System logs are collected via Winlogbeat, Syslog and Auditbeat, organized by day. Packetbeat logs are also listed as part of the system logs, although they are based on network traffic - possibly because the authors wanted to group all Elastic Beats together, because they considered any host-based collection as “system” data, or due to a simple oversight. System logs related to the attack scenario are provided in separate files containing only logs related to malicious activity; these are a subset of the unlabeled logs and grouped into two classes:
- Class 1: logs clearly linked to a malicious action
- Class 2: logs that are consequences of, or depend on, how the attack step works
Only logs from Winlogbeat (system_labels/clients_1_and_2/) and Auditbeat (system_labels/internal_server/) are labeled in this way; there appear to be no labels for Syslog entries.
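Because the class files are a subset of the unlabeled daily logs, producing a fully labeled host dataset means joining them back to the daily stream by event identity rather than by timestamp (the two Sysmon events in the snippet further down share one timestamp). The block below is an added example, not the authors' tooling; it assumes that `agent.id` plus `winlog.record_id` (Winlogbeat) or `auditd.sequence` (Auditbeat) uniquely identifies an event, and uses constructed, abridged records.

```python
import json

# Constructed, abridged Beats records (ids shortened); the real files carry
# the full ECS documents shown in the page's snippets.
DAILY = [
    '{"@timestamp":"2025-01-08T15:07:55.919Z","agent":{"id":"c35095e9","type":"winlogbeat"},"winlog":{"record_id":4104297,"event_id":11}}',
    '{"@timestamp":"2025-01-08T15:07:55.919Z","agent":{"id":"c35095e9","type":"winlogbeat"},"winlog":{"record_id":4104298,"event_id":11}}',
    '{"@timestamp":"2025-01-08T15:07:56.001Z","agent":{"id":"c35095e9","type":"winlogbeat"},"winlog":{"record_id":4104299,"event_id":1}}',
    '{"@timestamp":"2025-01-10T11:34:09.080Z","agent":{"id":"0c6be854","type":"auditbeat"},"auditd":{"sequence":428929610}}',
    '{"@timestamp":"2025-01-10T11:34:09.080Z","agent":{"id":"0c6be854","type":"auditbeat"},"auditd":{"sequence":428929603}}',
]
# Constructed class files; the last class-2 record is deliberately absent
# from DAILY to show how a dangling label is reported.
CLASS_1 = [DAILY[0], DAILY[3]]
CLASS_2 = [
    DAILY[1],
    '{"@timestamp":"2025-01-08T15:08:00.000Z","agent":{"id":"c35095e9","type":"winlogbeat"},"winlog":{"record_id":4104400,"event_id":11}}',
]


def event_key(rec):
    """Stable identity of a Beats event: agent id plus the per-agent record
    counter. Winlogbeat exposes it as winlog.record_id, the Auditbeat auditd
    module as auditd.sequence (assumed unique per agent here)."""
    agent = rec["agent"]
    if agent["type"] == "winlogbeat":
        return (agent["id"], "winlog", rec["winlog"]["record_id"])
    if agent["type"] == "auditbeat":
        return (agent["id"], "auditd", rec["auditd"]["sequence"])
    raise ValueError(f"unsupported agent type {agent['type']}")


def label_events(daily_lines, class_files):
    """Return (labels, orphans). labels maps every event in the daily stream
    to 0 (unlabeled/benign), 1 or 2; orphans lists labeled keys that do not
    occur in the stream, which signals a missing day file or a join mismatch."""
    labels = {event_key(json.loads(line)): 0 for line in daily_lines}
    orphans = []
    for cls, lines in class_files.items():
        for line in lines:
            k = event_key(json.loads(line))
            if k not in labels:
                orphans.append(k)
            else:  # if an event is listed in both files, class 1 wins (assumption)
                labels[k] = cls if labels[k] == 0 else min(labels[k], cls)
    return labels, orphans


def class_counts(labels):
    """Per-class event counts, e.g. to check the benign/attack imbalance."""
    counts = {0: 0, 1: 0, 2: 0}
    for cls in labels.values():
        counts[cls] += 1
    return counts
```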
The technical process of both host and network labeling is documented here.
Papers
Links
Data Examples
Snippet of labeled flows from green_internal/D1_2024-12-23_output_green_internal.pcap_Flow_labeled
date,uid,ip_src,port_src,ip_dst,port_dst,proto,ts,duration,Total Fwd Packet,Total Bwd packets,Total Length of Fwd Packet,Total Length of Bwd Packet,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,Bwd Packet Length Max,Bwd Packet Length Min,Bwd Packet Length Mean,Bwd Packet Length Std,Flow Bytes/s,Flow Packets/s,Flow IAT Mean,Flow IAT Std,Flow IAT Max,Flow IAT Min,Fwd IAT Total,Fwd IAT Mean,Fwd IAT Std,Fwd IAT Max,Fwd IAT Min,Bwd IAT Total,Bwd IAT Mean,Bwd IAT Std,Bwd IAT Max,Bwd IAT Min,Fwd PSH Flags,Bwd PSH Flags,Fwd URG Flags,Bwd URG Flags,Fwd RST Flags,Bwd RST Flags,Fwd Header Length,Bwd Header Length,Fwd Packets/s,Bwd Packets/s,Packet Length Min,Packet Length Max,Packet Length Mean,Packet Length Std,Packet Length Variance,FIN Flag Count,SYN Flag Count,RST Flag Count,PSH Flag Count,ACK Flag Count,URG Flag Count,CWR Flag Count,ECE Flag Count,Down/Up Ratio,Average Packet Size,Fwd Segment Size Avg,Bwd Segment Size Avg,Fwd Bytes/Bulk Avg,Fwd Packet/Bulk Avg,Fwd Bulk Rate Avg,Bwd Bytes/Bulk Avg,Bwd Packet/Bulk Avg,Bwd Bulk Rate Avg,Subflow Fwd Packets,Subflow Fwd Bytes,Subflow Bwd Packets,Subflow Bwd Bytes,FWD Init Win Bytes,Bwd Init Win Bytes,Fwd Act Data Pkts,Bwd Act Data Pkts,Fwd Seg Size Min,Bwd Seg Size Min,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,ICMP Code,ICMP Type,Fwd TCP Retrans. Count,Bwd TCP Retrans. Count,Total TCP Retrans. Count,Total Connection Flow Time,label,step,attack_step,tactic,technique,comments
2024-12-23 08:00:29.426148891,0.0.0.0-255.255.255.255-68-67-17,0.0.0.0,68,255.255.255.255,67,17,1734940829.426149,111992253.0,10,0,3133.0,0.0,327.0,300.0,313.3,14.032106042928836,0.0,0.0,0.0,0.0,27.975149316801403,0.0892918905738953,12443583.666666668,17289487.263402104,49980141.0,1540.0,111992253.0,12443583.666666668,17289487.263402104,49980141.0,1540.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,0,0,80,0,0.0892918905738953,0.0,300.0,327.0,313.3,14.032106042928836,196.9,0,0,0,0,0,0,0,0,0.0,313.3,313.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,2.5,783.25,0.0,0.0,0,0,10,0,8,0,6306.25,5565.518866197473,13256.0,1540.0,27990494.25,14732329.278663062,49980141.0,19040385.0,-1,-1,0,0,0,111992253,0,0,benign,,,
2024-12-23 08:00:29.426568031,172.16.1.1-172.16.1.27-67-68-17,172.16.1.1,67,172.16.1.27,68,17,1734940829.426568,13098.0,2,0,600.0,0.0,300.0,300.0,300.0,0.0,0.0,0.0,0.0,0.0,45808.52038479157,152.69506794930524,13098.0,0.0,13098.0,13098.0,13098.0,13098.0,0.0,13098.0,13098.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,0,0,16,0,152.69506794930524,0.0,300.0,300.0,300.0,0.0,0.0,0,0,0,0,0,0,0,0,0.0,300.0,300.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,2,0,8,0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,-1,-1,0,0,0,13098,0,0,benign,,,
2024-12-23 08:00:29.443155050,172.16.1.27-224.0.0.22-0-0-2,172.16.1.27,0,224.0.0.22,0,2,1734940829.443155,8304505.0,11,0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.3245822598697934,830450.5,2399809.108898282,7651669.0,198.0,8304505.0,830450.5,2399809.108898282,7651669.0,198.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,0,0,0,0,1.3245822598697934,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,0,0,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,11.0,0.0,0.0,0.0,0,0,0,0,0,0,296342.0,0.0,296342.0,296342.0,7651669.0,0.0,7651669.0,7651669.0,-1,-1,0,0,0,0,0,0,benign,,,
2024-12-23 08:00:29.513459921,172.16.1.27-224.0.0.251-5353-5353-17,172.16.1.27,5353,224.0.0.251,5353,17,1734940829.51346,2194848.0,5,0,164.0,0.0,42.0,30.0,32.8,5.215361924162119,0.0,0.0,0.0,0.0,74.72043622155157,2.2780620799253524,548712.0,636212.6019264315,1170969.0,178.0,2194848.0,548712.0,636212.6019264315,1170969.0,178.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,0,0,40,0,2.2780620799253524,0.0,30.0,42.0,32.8,5.215361924162119,27.2,0,0,0,0,0,0,0,0,0.0,32.8,32.8,0.0,0.0,0.0,0.0,0.0,0.0,0.0,2.5,82.0,0.0,0.0,0,0,5,0,8,0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,-1,-1,0,0,0,2194848,0,0,benign,,,
Snippet of Suricata alerts from suricata_alerts
{"@timestamp":1735320543276,"@version":1,"facility":21,"facility_label":"local5","host":"172.16.0.1","logsource":"companyrouter2","message":"[1:2017515:5] ET INFO User-Agent (python-requests) Inbound to Webserver [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.1.19:55417 -> 172.16.0.3:50010\n","pid":2221,"priority":171,"program":"suricata","severity":3,"severity_label":"Error","timestamp":1735320543276,"timestamp8601":1735320543276,"type":"syslog_raw"}
{"@timestamp":1735320545197,"@version":1,"facility":21,"facility_label":"local5","host":"172.16.0.1","logsource":"companyrouter2","message":"[1:2017515:5] ET INFO User-Agent (python-requests) Inbound to Webserver [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.1.5:60218 -> 172.16.0.3:50010\n","pid":2221,"priority":171,"program":"suricata","severity":3,"severity_label":"Error","timestamp":1735320545197,"timestamp8601":1735320545197,"type":"syslog_raw"}
{"@timestamp":1735320545759,"@version":1,"facility":21,"facility_label":"local5","host":"172.16.0.1","logsource":"companyrouter2","message":"[1:2017515:5] ET INFO User-Agent (python-requests) Inbound to Webserver [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.1.26:54612 -> 172.16.0.3:50010\n","pid":2221,"priority":171,"program":"suricata","severity":3,"severity_label":"Error","timestamp":1735320545759,"timestamp8601":1735320545759,"type":"syslog_raw"}
{"@timestamp":1735320546974,"@version":1,"facility":21,"facility_label":"local5","host":"172.16.0.1","logsource":"companyrouter2","message":"[1:2011341:15] ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.16.1.22:51177 -> 172.16.0.3:9200\n","pid":2221,"priority":171,"program":"suricata","severity":3,"severity_label":"Error","timestamp":1735320546974,"timestamp8601":1735320546974,"type":"syslog_raw"}
Snippet of Syslogs from daily_syslog/D1_H12_2024-12-23T12_syslog_F13.jsonl
{"@timestamp": "2024-12-23T12:24:26.000Z", "@version": "1", "facility": 3, "facility_label": "system", "host": "172.17.0.5", "logsource": "extcompanyclient", "message": "Supervising 3 threads of 3 processes of 1 users.\n", "pid": "1417", "priority": 31, "program": "rtkit-daemon", "severity": 7, "severity_label": "Debug", "timestamp": "Dec 23 12:24:26", "type": "syslog_raw"}
{"@timestamp": "2024-12-23T12:24:26.000Z", "@version": "1", "facility": 3, "facility_label": "system", "host": "172.17.0.5", "logsource": "extcompanyclient", "message": "Supervising 3 threads of 3 processes of 1 users.\n", "pid": "1417", "priority": 31, "program": "rtkit-daemon", "severity": 7, "severity_label": "Debug", "timestamp": "Dec 23 12:24:26", "type": "syslog_raw"}
{"@timestamp": "2024-12-23T12:24:26.316Z", "@version": "1", "facility": 21, "facility_label": "local5", "host": "172.16.0.1", "logsource": "companyrouter2", "message": "[1:2017515:5] ET INFO User-Agent (python-requests) Inbound to Webserver [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.1.6:49624 -> 172.16.0.3:50010\n", "pid": "2221", "priority": 171, "program": "suricata", "severity": 3, "severity_label": "Error", "timestamp": "2024-12-23T12:24:26.316711+00:00", "timestamp8601": "2024-12-23T12:24:26.316711+00:00", "type": "syslog_raw"}
{"@timestamp": "2024-12-23T12:24:27.055Z", "@version": "1", "facility": 3, "facility_label": "system", "host": "172.17.0.5", "logsource": "vpnserver", "message": "client1/172.19.0.135:39656 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9865 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings\n", "pid": "626", "priority": 27, "program": "ovpn-server", "severity": 3, "severity_label": "Error", "timestamp": "2024-12-23T12:24:27.055350+00:00", "timestamp8601": "2024-12-23T12:24:27.055350+00:00", "type": "syslog_raw"}
Snippet of labeled Winlogbeat logs from system_labels/clients_1_and_2/malicious_events_class_1.jsonl
{"@timestamp":"2025-01-08T15:07:55.919Z","agent":{"ephemeral_id":"3a034773-a006-42a9-ba5e-005455f1a4d4","hostname":"CLIENT2","id":"c35095e9-5f9f-4084-a651-3aaa2966847a","name":"CLIENT2","type":"winlogbeat","version":"7.10.2"},"ecs":{"version":"1.5.0"},"event":{"action":"File created (rule: FileCreate)","category":["file"],"code":11,"created":"2025-01-08T15:40:26.464Z","kind":"event","module":"sysmon","provider":"Microsoft-Windows-Sysmon","type":["creation"]},"file":{"directory":"C:\\Python37\\Lib\\site-packages\\future\\moves\\tkinter","extension":"py","name":"simpledialog.py","path":"C:\\Python37\\Lib\\site-packages\\future\\moves\\tkinter\\simpledialog.py"},"host":{"name":"CLIENT2.breach.local"},"log":{"level":"information"},"message":"File created:\nRuleName: -\nUtcTime: 2025-01-08 15:07:55.919\nProcessGuid: {416dd0c5-9495-677e-8605-000000001300}\nProcessId: 7824\nImage: C:\\Python37\\python.exe\nTargetFilename: C:\\Python37\\Lib\\site-packages\\future\\moves\\tkinter\\simpledialog.py\nCreationUtcTime: 2025-01-08 15:07:55.919\nUser: BREACH\\client2","process":{"entity_id":"{416dd0c5-9495-677e-8605-000000001300}","executable":"C:\\Python37\\python.exe","name":"python.exe","pid":7824},"winlog":{"api":"wineventlog","channel":"Microsoft-Windows-Sysmon/Operational","computer_name":"CLIENT2.breach.local","event_data":{"CreationUtcTime":"2025-01-08 15:07:55.919","RuleName":"-","User":"BREACH\\client2"},"event_id":11,"opcode":"Info","process":{"pid":2912,"thread":{"id":3340}},"provider_guid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","provider_name":"Microsoft-Windows-Sysmon","record_id":4104297,"task":"File created (rule: FileCreate)","user":{"domain":"NT AUTHORITY","identifier":"S-1-5-18","name":"SYSTEM","type":"User"},"version":2}}
{"@timestamp":"2025-01-08T15:07:55.919Z","agent":{"ephemeral_id":"3a034773-a006-42a9-ba5e-005455f1a4d4","hostname":"CLIENT2","id":"c35095e9-5f9f-4084-a651-3aaa2966847a","name":"CLIENT2","type":"winlogbeat","version":"7.10.2"},"ecs":{"version":"1.5.0"},"event":{"action":"File created (rule: FileCreate)","category":["file"],"code":11,"created":"2025-01-08T15:40:26.464Z","kind":"event","module":"sysmon","provider":"Microsoft-Windows-Sysmon","type":["creation"]},"file":{"directory":"C:\\Python37\\Lib\\site-packages\\future\\moves\\tkinter","extension":"py","name":"tix.py","path":"C:\\Python37\\Lib\\site-packages\\future\\moves\\tkinter\\tix.py"},"host":{"name":"CLIENT2.breach.local"},"log":{"level":"information"},"message":"File created:\nRuleName: -\nUtcTime: 2025-01-08 15:07:55.919\nProcessGuid: {416dd0c5-9495-677e-8605-000000001300}\nProcessId: 7824\nImage: C:\\Python37\\python.exe\nTargetFilename: C:\\Python37\\Lib\\site-packages\\future\\moves\\tkinter\\tix.py\nCreationUtcTime: 2025-01-08 15:07:55.919\nUser: BREACH\\client2","process":{"entity_id":"{416dd0c5-9495-677e-8605-000000001300}","executable":"C:\\Python37\\python.exe","name":"python.exe","pid":7824},"winlog":{"api":"wineventlog","channel":"Microsoft-Windows-Sysmon/Operational","computer_name":"CLIENT2.breach.local","event_data":{"CreationUtcTime":"2025-01-08 15:07:55.919","RuleName":"-","User":"BREACH\\client2"},"event_id":11,"opcode":"Info","process":{"pid":2912,"thread":{"id":3340}},"provider_guid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","provider_name":"Microsoft-Windows-Sysmon","record_id":4104298,"task":"File created (rule: FileCreate)","user":{"domain":"NT AUTHORITY","identifier":"S-1-5-18","name":"SYSTEM","type":"User"},"version":2}}
Snippet of labeled Auditbeat logs from system_labels/internal_server/malicious_events_class_1.jsonl
{"@timestamp":"2025-01-10T11:34:09.080Z","agent":{"ephemeral_id":"0da8a945-02be-47ab-a96c-cd3228b1c2a2","hostname":"internalserver","id":"0c6be854-cf11-4010-bd2d-db379ff1a78d","type":"auditbeat","version":"7.3.2"},"auditd":{"data":{"a0":"7ffd46dcae80","a1":"80000","a2":"7ff172c0d000","a3":"10","arch":"x86_64","exit":"ENOENT","syscall":"open","tty":"(none)"},"message_type":"syscall","paths":[{"item":"0","name":"/usr/lib/x86_64/libnss_db.so.2","nametype":"UNKNOWN"}],"result":"fail","sequence":428929610,"summary":{"actor":{"primary":"unset","secondary":"root"},"how":"/usr/sbin/sshd","object":{"primary":"/usr/lib/x86_64/libnss_db.so.2","type":"file"}}},"ecs":{"version":"1.0.1"},"event":{"action":"opened-file","category":"audit-rule","module":"auditd","outcome":"failure"},"file":{"path":"/usr/lib/x86_64/libnss_db.so.2"},"host":{"architecture":"x86_64","containerized":false,"hostname":"internalserver","id":"d93c0b0a349396e0918b270e6762f691","name":"internalserver","os":{"codename":"xenial","family":"debian","kernel":"4.4.0-142-generic","name":"Ubuntu","platform":"ubuntu","version":"16.04.6 LTS (Xenial Xerus)"}},"process":{"executable":"/usr/sbin/sshd","name":"sshd","pid":26186,"ppid":694,"title":"/usr/sbin/sshd -D"},"service":{"type":"auditd"},"tags":["open"],"user":{"effective":{"group":{"id":"0","name":"root"},"id":"0","name":"root"},"filesystem":{"group":{"id":"0","name":"root"},"id":"0","name":"root"},"group":{"id":"0","name":"root"},"id":"0","name":"root","saved":{"group":{"id":"0","name":"root"},"id":"0","name":"root"}}}
{"@timestamp":"2025-01-10T11:34:09.080Z","agent":{"ephemeral_id":"0da8a945-02be-47ab-a96c-cd3228b1c2a2","hostname":"internalserver","id":"0c6be854-cf11-4010-bd2d-db379ff1a78d","type":"auditbeat","version":"7.3.2"},"auditd":{"data":{"a0":"7ffd46dcae80","a1":"80000","a2":"7ff172c0d000","a3":"10","arch":"x86_64","exit":"ENOENT","syscall":"open","tty":"(none)"},"message_type":"syscall","paths":[{"item":"0","name":"/usr/lib/x86_64-linux-gnu/libnss_db.so.2","nametype":"UNKNOWN"}],"result":"fail","sequence":428929603,"summary":{"actor":{"primary":"unset","secondary":"root"},"how":"/usr/sbin/sshd","object":{"primary":"/usr/lib/x86_64-linux-gnu/libnss_db.so.2","type":"file"}}},"ecs":{"version":"1.0.1"},"event":{"action":"opened-file","category":"audit-rule","module":"auditd","outcome":"failure"},"file":{"path":"/usr/lib/x86_64-linux-gnu/libnss_db.so.2"},"host":{"architecture":"x86_64","containerized":false,"hostname":"internalserver","id":"d93c0b0a349396e0918b270e6762f691","name":"internalserver","os":{"codename":"xenial","family":"debian","kernel":"4.4.0-142-generic","name":"Ubuntu","platform":"ubuntu","version":"16.04.6 LTS (Xenial Xerus)"}},"process":{"executable":"/usr/sbin/sshd","name":"sshd","pid":26186,"ppid":694,"title":"/usr/sbin/sshd -D"},"service":{"type":"auditd"},"tags":["open"],"user":{"effective":{"group":{"id":"0","name":"root"},"id":"0","name":"root"},"filesystem":{"group":{"id":"0","name":"root"},"id":"0","name":"root"},"group":{"id":"0","name":"root"},"id":"0","name":"root","saved":{"group":{"id":"0","name":"root"},"id":"0","name":"root"}}}