From 999ddf36de7b1859a67c49d4dea6fe5a4dac2dc1 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Fri, 19 Sep 2025 09:08:46 -0600
Subject: [PATCH] Expand Sysmon

---
 .../T1140/atomic_red_team/atomic_red_team.yml | 12 ++++++++----
 .../T1140/atomic_red_team/expand_windows-sysmon.log | 3 +++
 2 files changed, 11 insertions(+), 4 deletions(-)
 create mode 100644 datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log

diff --git a/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml
index b89e37c5..4eab8994 100644
--- a/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml
+++ b/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml
@@ -8,7 +8,11 @@ directory: atomic_red_team
 mitre_technique:
 - T1140
 datasets:
-- name: windows-sysmon
- path: /datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log
- sourcetype: XmlWinEventLog
- source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ - name: windows-sysmon
+ path: /datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ - name: expand_windows-sysmon
+ path: /datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log b/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
new file mode 100644
index 00000000..e4423d89
--- /dev/null
+++ b/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:183204efd8001f652380ba1ae77789782e5934b1e5ffc7c079bb346bbb049342
+size 31869
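Review bot: The new dataset entry's `name: expand_windows-sysmon` mixes an underscore with the hyphen-only convention of the sibling `windows-sysmon` entry, so the two names in the same `datasets` list follow different schemes; `name: expand-windows-sysmon` (renaming the log file to match, or leaving `path` untouched if the filename must stay) would keep them consistent. The `sourcetype` and `source` values of the new item are byte-identical to the first entry, and nothing in the YAML says what distinguishes the two Sysmon captures, so a comment above the new item such as `# TODO(review): describe what distinguishes this capture from windows-sysmon.log` would help the next reader. The existing `windows-sysmon` item is re-indented to the indented-sequence style, but if the `- T1140` item under `mitre_technique` in the context lines really sits at column 0 (the collapsed hunk suggests so), the file now mixes flush and indented sequence styles and one should be chosen file-wide. The `datasets` list continues past the hunk only if the file has further entries, which is not visible here.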