diff --git a/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml
index b89e37c5..4eab8994 100644
--- a/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml
+++ b/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml
@@ -8,7 +8,11 @@ directory: atomic_red_team
 mitre_technique:
 - T1140
 datasets:
-- name: windows-sysmon
- path: /datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log
- sourcetype: XmlWinEventLog
- source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ - name: windows-sysmon
+ path: /datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ - name: expand_windows-sysmon
+ path: /datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log b/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
new file mode 100644
index 00000000..e4423d89
--- /dev/null
+++ b/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:183204efd8001f652380ba1ae77789782e5934b1e5ffc7c079bb346bbb049342
+size 31869
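Review bot: The `datasets:` sequence is re-indented by two spaces in the new side while the `mitre_technique:` sequence two lines above it stays flush (`- T1140`), so the file now mixes both block-sequence styles and yamllint's `indentation` check (`indent-sequences: consistent`) will flag it; either keep the new entry flush to match the existing list or re-indent the whole file in one pass. Re-indenting the existing `windows-sysmon` entry also turns a four-line addition into an eight-line rewrite, which hides the real change (the new `expand_windows-sysmon` entry) in the diff. The new entry's name does not say which T1140 atomic the capture comes from; a one-line comment above it, e.g. `# Sysmon capture of the expand.exe-based T1140 atomic — confirm test id`, would tell the next maintainer what to expect in the log (the "expand" association is inferred from the name only). The enclosing mapping begins before the hunk (`directory:` is the hunk's context line), so the rest of the schema is not visible here.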