diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
index da16487b..330b1768 100644
--- a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
+++ b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c0edf045b5e5ed56ce67dd3ecd98c2fbfe7b346f8926318c76f268cf87890a1e
-size 29506
+oid sha256:1b55de42ceedaf4f7849337db406a7bfffeaa2d723f88b1f601e5e9278b97e4b
+size 42676
diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml
index 56570fac..6f9312c4 100644
--- a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml
+++ b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml
@@ -8,5 +8,8 @@ dataset:
 sourcetypes:
 - o365:management:activity
 references:
+- https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events
+- https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
-- https://attack.mitre.org/techniques/T1213/002/
\ No newline at end of file
+- https://attack.mitre.org/techniques/T1213/002/
+- https://attack.mitre.org/techniques/T1114/002/
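Review bot: The new `T1114/002` reference in `o365_sus_sharepoint_search.yml` suggests the refreshed log now also covers mailbox-search activity, but nothing in this hunk says so, and the dataset keeps its SharePoint-only name under `T1213.002`. The `description` field is outside the hunk, so I cannot tell whether it was updated. If it was not, add a sentence there such as `Includes SearchQueryInitiated events for SharePoint and Exchange searches`, after confirming it against the log contents. The first added reference covers enabling SearchQueryInitiated events, which are not recorded by default. The description should say so, so that a detection validated on this data is not assumed to fire in a tenant where that audit setting is off.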