diff --git a/datasets/malware/notdoor/disable_dialogs/disable_dialogs.yml b/datasets/malware/notdoor/disable_dialogs/disable_dialogs.yml
new file mode 100644
index 00000000..17cfd782
--- /dev/null
+++ b/datasets/malware/notdoor/disable_dialogs/disable_dialogs.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 1e606a99-47d9-4f89-8aab-a00bc7c38e63
+date: '2025-09-09'
+description: logs from NotDoor malware execution
+environment: attack_range
+directory: disable_dialogs
+datasets:
+- name: windows-sysmon
+  path: /datasets/malware/notdoor/disable_dialogs/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/malware/notdoor/disable_dialogs/windows-sysmon.log b/datasets/malware/notdoor/disable_dialogs/windows-sysmon.log
new file mode 100644
index 00000000..4937d5fd
--- /dev/null
+++ b/datasets/malware/notdoor/disable_dialogs/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc9a6bb62770ced26341092729f79f256b5a1a16d85b3fea2dd5c992fc0d190f
+size 3633
diff --git a/datasets/malware/notdoor/loadmacroprovideronboot/loadmacroprovideronboot.yml b/datasets/malware/notdoor/loadmacroprovideronboot/loadmacroprovideronboot.yml
new file mode 100644
index 00000000..c8fd618e
--- /dev/null
+++ b/datasets/malware/notdoor/loadmacroprovideronboot/loadmacroprovideronboot.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: f67a778d-f7a5-4352-941b-daf2a5919167
+date: '2025-09-09'
+description: logs from NotDoor malware execution
+environment: attack_range
+directory: loadmacroprovideronboot
+datasets:
+- name: windows-sysmon
+  path: /datasets/malware/notdoor/loadmacroprovideronboot/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
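Review bot: The `description` added for disable_dialogs.yml is the same generic sentence reused by the other three NotDoor manifests in this commit, so nothing in the metadata says which behavior this particular dataset captures; the directory name `disable_dialogs` is the only hint. Anyone wiring this `id` into a detection test needs to know what artifact to expect in the log, so I would make the description specific and name where the behavior was observed, e.g. `description: Sysmon events from a NotDoor execution in attack_range covering the <registry/process artifact> that disables <dialog name>; source: <sample hash or public report>`, filled in from what is actually present in windows-sysmon.log. If the manifest schema accepts a `references:` list, adding the source report or sample hash there would let a reader verify provenance without pulling the LFS object.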
diff --git a/datasets/malware/notdoor/loadmacroprovideronboot/windows-sysmon.log b/datasets/malware/notdoor/loadmacroprovideronboot/windows-sysmon.log
new file mode 100644
index 00000000..f04c30da
--- /dev/null
+++ b/datasets/malware/notdoor/loadmacroprovideronboot/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b47a4814f43b986d8f53e525f1adfb759cb8b67e80df57a691bd6f3ae60b678
+size 1417
diff --git a/datasets/malware/notdoor/macro_security_level/macro_security_level.yml b/datasets/malware/notdoor/macro_security_level/macro_security_level.yml
new file mode 100644
index 00000000..e2f8a2b7
--- /dev/null
+++ b/datasets/malware/notdoor/macro_security_level/macro_security_level.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 0cd14ec6-4fcb-437c-aeee-0f04007c55fa
+date: '2025-09-09'
+description: logs from NotDoor malware execution
+environment: attack_range
+directory: macro_security_level
+datasets:
+- name: windows-sysmon
+  path: /datasets/malware/notdoor/macro_security_level/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/malware/notdoor/macro_security_level/windows-sysmon.log b/datasets/malware/notdoor/macro_security_level/windows-sysmon.log
new file mode 100644
index 00000000..f4cbaef7
--- /dev/null
+++ b/datasets/malware/notdoor/macro_security_level/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:77cf15b3359975a879ce8e890884d36728907abbbdc2f0be9b48e747ce1a1fd4
+size 1408
diff --git a/datasets/malware/notdoor/outlook_macro/outlook_macro.yml b/datasets/malware/notdoor/outlook_macro/outlook_macro.yml
new file mode 100644
index 00000000..f05a5025
--- /dev/null
+++ b/datasets/malware/notdoor/outlook_macro/outlook_macro.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 62f29b0e-692f-4dca-a17a-98809d1a40fe
+date: '2025-09-09'
+description: logs from NotDoor malware execution
+environment: attack_range
+directory: outlook_macro
+datasets:
+- name: windows-sysmon
+  path: /datasets/malware/notdoor/outlook_macro/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/malware/notdoor/outlook_macro/windows-sysmon.log b/datasets/malware/notdoor/outlook_macro/windows-sysmon.log
new file mode 100644
index 00000000..031fda78
--- /dev/null
+++ b/datasets/malware/notdoor/outlook_macro/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b77d784369294d71581012bc729013271ca23ad5a39f7509676ba9bd12e75094
+size 1376
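Review bot: The outlook_macro.yml manifest does not say which Sysmon event(s) the referenced `windows-sysmon.log` contains, and the LFS pointer in the following hunk reports `size 1376`, which at typical XML Sysmon event sizes is probably a single event, so this dataset likely exercises exactly one detection path. I would record that in the manifest so a later test failure can be triaged without fetching the LFS object, e.g. `description: Sysmon event(s) from a NotDoor execution in attack_range showing the Outlook macro artifact (Event IDs: <list from the log>)`, with the IDs taken from the actual file. The same applies to the other three manifests in this commit, which reuse the identical generic description.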