From 9b89fb91cc5d92037548ca7503a4baf3fb32d470 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Tue, 24 Mar 2026 11:32:43 +0100
Subject: [PATCH 01/12] gh0st
---
 .../T1112/remote_access_reg/remote_access_reg.log | 3 +++
 .../T1112/remote_access_reg/remote_access_reg.yml | 13 +++++++++++++
 .../random_dll_extension/random_dll_extension.yml | 13 +++++++++++++
 .../random_dll_extension/random_dll_rundll32.log | 3 +++
 4 files changed, 32 insertions(+)
 create mode 100644 datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log
 create mode 100644 datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.yml
 create mode 100644 datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_extension.yml
 create mode 100644 datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log
diff --git a/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log b/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log
new file mode 100644
index 00000000..e7ff83f3
--- /dev/null
+++ b/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6dcdb8e7f63ec337464ed69e3e2e197d9bda49339f33c903fc111189ac253d4f
+size 5484
diff --git a/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.yml b/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.yml
new file mode 100644
index 00000000..9e857498
--- /dev/null
+++ b/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: cd569370-2768-11f1-9dd5-629be353806a
+date: '2026-03-24'
+description: Generated datasets for remote access reg in attack range.
+environment: attack_range
+directory: remote_access_reg
+mitre_technique:
+- T1112
+datasets:
+- name: remote_access_reg.log
+ path: /datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log
+ sourcetype: 'XmlWinEventLog'
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_extension.yml b/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_extension.yml
new file mode 100644
index 00000000..012e862a
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_extension.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 9fd9defc-2768-11f1-9dd5-629be353806a
+date: '2026-03-24'
+description: Generated datasets for random dll extension in attack range.
+environment: attack_range
+directory: random_dll_extension
+mitre_technique:
+- T1218.011
+datasets:
+- name: random_dll_rundll32.log
+ path: /datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log
+ sourcetype: 'XmlWinEventLog'
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log b/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log
new file mode 100644
index 00000000..0451f752
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fcab984bb700abbd3fd27a150cbd70b907f608ea177c3487cb04796946f2e614
+size 8253
From 66cfe427fb2723cbfae82daf361fe42c27b26171 Mon Sep 17 00:00:00 2001
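Review bot: The `description` in remote_access_reg.yml (`Generated datasets for remote access reg in attack range.`) and likewise in random_dll_extension.yml is boilerplate that does not say what action was simulated or which Sysmon event types the log holds, so a detection author cannot tell which detection this dataset validates without fetching the LFS object. Replace it with one sentence naming the simulated action and the event IDs present, e.g. `description: Sysmon events captured in attack_range while <simulated action - TODO fill in> modified <registry path - TODO fill in>.`. Quoting is also inconsistent with the rest of the series (`sourcetype: 'XmlWinEventLog'` here, unquoted in firewall.yml and data.yml); the value contains no YAML-special characters, so the quotes can go. Both files end without a trailing newline.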
From: Bhavin Patel
Date: Fri, 27 Mar 2026 14:34:27 +0530
Subject: [PATCH 02/12] ading rdp dataset (#1146)
* ading rdp dataset
* adding new events
* adding new log files
* new events
---
 .../cisco_secure_access/firewall/firewall.yml | 29 +++++++++++++++++++
 .../firewall/large_icmp.log | 3 ++
 .../cisco_secure_access/firewall/ldap.log | 3 ++
 .../cisco_secure_access/firewall/nmap.log | 3 ++
 .../firewall/outbound_smb.log | 3 ++
 .../firewall/rdp_brute_force.log | 3 ++
 6 files changed, 44 insertions(+)
 create mode 100644 datasets/cisco_secure_access/firewall/firewall.yml
 create mode 100644 datasets/cisco_secure_access/firewall/large_icmp.log
 create mode 100644 datasets/cisco_secure_access/firewall/ldap.log
 create mode 100644 datasets/cisco_secure_access/firewall/nmap.log
 create mode 100644 datasets/cisco_secure_access/firewall/outbound_smb.log
 create mode 100644 datasets/cisco_secure_access/firewall/rdp_brute_force.log
diff --git a/datasets/cisco_secure_access/firewall/firewall.yml b/datasets/cisco_secure_access/firewall/firewall.yml
new file mode 100644
index 00000000..6b3d0517
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/firewall.yml
@@ -0,0 +1,29 @@
+author: Bhavin Patel, Splunk
+id: 1fc537db-5e0b-4a2e-a768-27e08eff0c70
+date: '2026-03-19'
+description: |
+ Generated datasets for Cisco Secure Access Firewall EventType by manual /atomic-red team simulations in a K8s cluster running Tetragon
+environment: custom
+directory: cisco_secure_access/firewall
+mitre_technique: []
+datasets:
+- name: firewall
+ path: /datasets/cisco_secure_access/firewall/rdp_brute_force.log
+ sourcetype: cisco:secure_access:firewall
+ source: cisco_secure_access:firewall
+- name: large_icmp
+ path: /datasets/cisco_secure_access/firewall/large_icmp.log
+ sourcetype: cisco:secure_access:firewall
+ source: cisco_secure_access:firewall
+- name: ldap
+ path: /datasets/cisco_secure_access/firewall/ldap.log
+ sourcetype: cisco:secure_access:firewall
+ source: cisco_secure_access:firewall
+- name: outbound_smb
+ path: /datasets/cisco_secure_access/firewall/outbound_smb.log
+ sourcetype: cisco:secure_access:firewall
+ source: cisco_secure_access:firewall
+- name: nmap
+ path: /datasets/cisco_secure_access/firewall/nmap.log
+ sourcetype: cisco:secure_access:firewall
+ source: cisco_secure_access:firewall
\ No newline at end of file
diff --git a/datasets/cisco_secure_access/firewall/large_icmp.log b/datasets/cisco_secure_access/firewall/large_icmp.log
new file mode 100644
index 00000000..ece48f82
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/large_icmp.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7494c86cf3fad8ea5a8f37bb3d21b4d7c4aba694e1973f4f5a9207389786690
+size 428
diff --git a/datasets/cisco_secure_access/firewall/ldap.log b/datasets/cisco_secure_access/firewall/ldap.log
new file mode 100644
index 00000000..39caead1
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/ldap.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ca284e10d3834a2b6e56116bfb2078cc690eabf05f1b37aff3714d92fc66406c
+size 423
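Review bot: The `description` block says the data came `by manual /atomic-red team simulations in a K8s cluster running Tetragon`, which does not describe a Cisco Secure Access firewall dataset and reads as copied from another dataset's yml; it should state how these firewall events were actually produced, e.g. `description: Cisco Secure Access firewall events generated by <method - TODO confirm>.`. The first entry is named `firewall` while its `path` is `rdp_brute_force.log`; every other entry is named after its log file, so `- name: rdp_brute_force` keeps names and files greppable together. `mitre_technique: []` is left empty; if no technique mapping applies to these logs, one line in the description saying so prevents it being treated as an omission. The file also ends without a trailing newline.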
diff --git a/datasets/cisco_secure_access/firewall/nmap.log b/datasets/cisco_secure_access/firewall/nmap.log
new file mode 100644
index 00000000..1986398a
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/nmap.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5fb3007ad740d51c5af4b6e7b5e5750e9ef833ace9d2c14d325179f834c05981
+size 135478
diff --git a/datasets/cisco_secure_access/firewall/outbound_smb.log b/datasets/cisco_secure_access/firewall/outbound_smb.log
new file mode 100644
index 00000000..e7561ff1
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/outbound_smb.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1285ed5919c3395964f748be9289448a510baf931c16e7f46666f60c143b695a
+size 9337
diff --git a/datasets/cisco_secure_access/firewall/rdp_brute_force.log b/datasets/cisco_secure_access/firewall/rdp_brute_force.log
new file mode 100644
index 00000000..4690ad63
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/rdp_brute_force.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82fc54be49df5a1635be5c8b101c56ae68347e0e7f91f8c39439e5b673030e88
+size 4605
From 149cb92a0e4d30fed138ff9d68bc3bd0957072e1 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Fri, 27 Mar 2026 15:02:02 +0100
Subject: [PATCH 03/12] ghost_dll
---
 .../rundll32_random_dll_ext.yml | 13 +++++++++++++
 .../rundll32_random_dll_ext/rundll32_random_ext.log | 3 +++
 2 files changed, 16 insertions(+)
 create mode 100644 datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_dll_ext.yml
 create mode 100644 datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log
diff --git a/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_dll_ext.yml b/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_dll_ext.yml
new file mode 100644
index 00000000..a3c21d29
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_dll_ext.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 6845d30e-29e5-11f1-a458-629be353806a
+date: '2026-03-27'
+description: Generated datasets for rundll32 random dll ext in attack range.
+environment: attack_range
+directory: rundll32_random_dll_ext
+mitre_technique:
+- T1218.011
+datasets:
+- name: rundll32_random_ext.log
+ path: /datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log
+ sourcetype: 'XmlWinEventLog'
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log b/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log
new file mode 100644
index 00000000..fa955180
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:35ff5c023ba0d709145e91fb3623b3563e094fa065c3e5b181b11a0504212d45
+size 5620
From 13c7e2792c4a43c4f399193f9371b83a28d18bcd Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Fri, 27 Mar 2026 15:23:17 +0100
Subject: [PATCH 04/12] update replay script error handling and coldfusion log entry (#1149)
---
 bin/replay.py | 46 ++++++++++++++++++-
 .../T1190/adobe/coldfusion_cve_2023_29298.log | 4 +-
 2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/bin/replay.py b/bin/replay.py
index e705e9a4..01a4c5d2 100644
--- a/bin/replay.py
+++ b/bin/replay.py
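Review bot: This dataset appears to duplicate the T1218.011 dataset added in PATCH 01 (`random_dll_extension/random_dll_extension.yml` with `random_dll_rundll32.log`): same technique, same `sourcetype`/`source`, near-identical boilerplate description, and the earlier directory is not removed anywhere in the series. If this one supersedes it, the earlier directory should be deleted in the same series so detections do not end up referencing two copies; if both are intended, the `description` should say how the captured events differ. As written, `Generated datasets for rundll32 random dll ext in attack range.` names neither the simulated action nor the Sysmon event IDs present, so a reviewer cannot judge which detection it supports. The file ends without a trailing newline.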
@@ -109,8 +109,50 @@ def send_data_to_splunk(file_path, splunk_host, hec_token, event_host_uuid, headers=headers, verify=False, ) - res.raise_for_status() - print(f":white_check_mark: Sent {file_path} to Splunk HEC") + if res.ok: + print(f":white_check_mark: Sent {file_path} to Splunk HEC") + return + + print( + f":x: Error sending {file_path} to Splunk HEC: " + f"HTTP {res.status_code}" + ) + + try: + response_data = res.json() + hec_code = response_data.get("code") + hec_text = response_data.get("text") + print(f" Splunk HEC response: code={hec_code}, text={hec_text}") + + if hec_code == 7: + print( + " Hint: incorrect index. " + "Use --index-override or create attack_data index." + ) + elif hec_code == 4: + print( + " Hint: invalid HEC token. " + "Verify SPLUNK_HEC_TOKEN and token status in Splunk." + ) + elif hec_code == 6: + print( + " Hint: invalid data format. " + "Check sourcetype/source values and file content." + ) + elif hec_code == 10: + print( + " Hint: data channel missing/invalid. " + "Check HEC indexer acknowledgment settings." + ) + except ValueError: + print(f" Splunk HEC raw response: {res.text.strip()}") + + print(f" URL: {res.url}") + print( + " Metadata: " + f"index={index}, source={source}, sourcetype={sourcetype}, " + f"host={event_host_uuid}" + ) except Exception as e: print(f":x: Error sending {file_path} to Splunk HEC: {e}") diff --git a/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log b/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log index cfb51d77..1ba7ddfb 100644 --- a/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log +++ b/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:d34969d4c57f0b8e5aca752000ecde9a8d58d32c04dee8362f64ac85f0642410 -size 349225 +oid sha256:421d300cd9e7ef923752e23f0487de20f2280da9fc7a56d3ffc43ece1698a886 +size 349743 
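Review bot: After printing the diagnostics, the non-`ok` branch falls through to the end of the `try` without raising or returning a failure indicator, whereas the removed `res.raise_for_status()` routed HTTP errors to the `except Exception` handler; if the caller (outside this hunk) treats a normal return as success, a failed replay is now indistinguishable from a successful one. Keep the diagnostics and add `res.raise_for_status()` after the `Metadata:` print (or `return False` there with a matching `return True` in the `ok` branch) so the failure still propagates. `response_data.get(...)` also assumes the JSON body is an object; a list or scalar body raises AttributeError and is reported by the outer handler with the less useful generic message, so `if not isinstance(response_data, dict): raise ValueError("non-object HEC response")` keeps such responses on the raw-response path. Unrelated to this change but visible in the context lines, `verify=False` disables TLS verification on the HEC call, so certificate problems are not surfaced by this error handling either. send_data_to_splunk starts before and continues after the hunk.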
From 63dc60602d2712555e696e43081c4b93daee3374 Mon Sep 17 00:00:00 2001
From: nasbench
Date: Fri, 27 Mar 2026 15:26:54 +0100
Subject: [PATCH 05/12] small fix
---
 .../T1190/adobe/coldfusion_cve_2023_29298.log | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log b/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log
index 1ba7ddfb..2beb1442 100644
--- a/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log
+++ b/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:421d300cd9e7ef923752e23f0487de20f2280da9fc7a56d3ffc43ece1698a886
-size 349743
+oid sha256:b0346d6c43ebe1eb1c14c6dd49e1148655310f883424ad40540e32a1ca31a7f8
+size 349769
From d649fe0bd5ee8b08b349af48821f971a745dac3a Mon Sep 17 00:00:00 2001
From: Jake Enea <91490989+jakeenea51@users.noreply.github.com>
Date: Sun, 29 Mar 2026 17:02:10 -0400
Subject: [PATCH 06/12] adding intune bulk wipe dataset
---
 .../microsoft_intune_bulk_wipe.log | 3 +++
 .../microsoft_intune_bulk_wipe.yml | 11 +++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
 create mode 100644 datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml
diff --git a/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
new file mode 100644
index 00000000..7b5263d9
--- /dev/null
+++ b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1ceda0afc580ecf7e761e44aa109e9b1f1d52e529e9c4fe72ad2d950512c227
+size 13001
diff --git a/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml
new file mode 100644
index 00000000..100c6500
--- /dev/null
+++ b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml
@@ -0,0 +1,11 @@
+author: Jake Enea
+id: 4a5c3288-8391-4e80-9c3d-9dbb60ed1c45
+date: '2026-03-29'
+description: The following data contains simulated bulk Intune "wipe ManagedDevice" events from the Intune admin portal.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
+sourcetypes:
+- azure:monitor:activity
+references:
+- https://www.lumos.com/blog/stryker-hack
\ No newline at end of file
From 760e109567c205c425a85174a829a8e3bd36daa5 Mon Sep 17 00:00:00 2001
From: Jake Enea <91490989+jakeenea51@users.noreply.github.com>
Date: Mon, 30 Mar 2026 14:02:13 -0400
Subject: [PATCH 07/12] fixing yaml for intune bulk wipe dataset
---
 .../microsoft_intune_bulk_wipe.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml
index 100c6500..67a01748 100644
--- a/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml
+++ b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml
@@ -3,9 +3,11 @@ id: 4a5c3288-8391-4e80-9c3d-9dbb60ed1c45
 date: '2026-03-29'
 description: The following data contains simulated bulk Intune "wipe ManagedDevice" events from the Intune admin portal.
 environment: attack_range
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
-sourcetypes:
-- azure:monitor:activity
-references:
-- https://www.lumos.com/blog/stryker-hack
\ No newline at end of file
+directory: microsoft_intune_bulk_wipe
+mitre_technique:
+- T1561.001
+datasets:
+- name: microsoft_intune_bulk_wipe
+ path: /datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
+ sourcetype: azure:monitor:activity
+ source: not_applicable
\ No newline at end of file
From d1494fc37856cdb629b24cdc7367f95f61491f59 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Tue, 14 Apr 2026 12:49:10 +0200
Subject: [PATCH 08/12] fix log (#1152)
---
 .../T1546.004/linux_init_profile/sysmon_linux.log | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log b/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log
index 32b7bf28..1e57d6f0 100644
--- a/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log
+++ b/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:59f5610ee967b523d0fce69becd3186d3f09e09d17997ce92b3f2fad3b1f1591
-size 42440575
+oid sha256:f76f57656b91fc280f284466f9e1af286c5afe11f565cb6e1a5d134a848180e0
+size 42441476
From 1213a9d30021099d403ea93aaa54679e149798c1 Mon Sep 17 00:00:00 2001
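Review bot: The rewrite drops the `references:` entry (`https://www.lumos.com/blog/stryker-hack`) that the original file carried, so the provenance of the simulated wipe events is lost from the repository; if the dataset schema has no references field, keep the link in the description, e.g. `description: The following data contains simulated bulk Intune "wipe ManagedDevice" events from the Intune admin portal. Reference: https://www.lumos.com/blog/stryker-hack`. `source: not_applicable` is a placeholder string where the other entries in this series record the real source (`XmlWinEventLog:...`, `cisco_cloud_security_addon`); if the activity-log events genuinely carry no source, a comment `# activity log has no source field` above it stops a later reader from "fixing" it. The file still ends without a trailing newline.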
From: Bhavin Patel
Date: Wed, 15 Apr 2026 19:17:32 +0530
Subject: [PATCH 09/12] adding a new dataset (#1153)
---
 .../cisco_secure_access/firewall/firewall.yml | 24 +++++++++++--------
 datasets/cisco_secure_access/firewall/smb.log | 3 +++
 2 files changed, 17 insertions(+), 10 deletions(-)
 create mode 100644 datasets/cisco_secure_access/firewall/smb.log
diff --git a/datasets/cisco_secure_access/firewall/firewall.yml b/datasets/cisco_secure_access/firewall/firewall.yml
index 6b3d0517..b701f0e3 100644
--- a/datasets/cisco_secure_access/firewall/firewall.yml
+++ b/datasets/cisco_secure_access/firewall/firewall.yml
@@ -9,21 +9,25 @@ mitre_technique: []
 datasets:
 - name: firewall
 path: /datasets/cisco_secure_access/firewall/rdp_brute_force.log
- sourcetype: cisco:secure_access:firewall
- source: cisco_secure_access:firewall
+ source: cisco_cloud_security_addon
+ sourcetype: cisco:cloud_security:firewall
 - name: large_icmp
 path: /datasets/cisco_secure_access/firewall/large_icmp.log
- sourcetype: cisco:secure_access:firewall
- source: cisco_secure_access:firewall
+ source: cisco_cloud_security_addon
+ sourcetype: cisco:cloud_security:firewall
 - name: ldap
 path: /datasets/cisco_secure_access/firewall/ldap.log
- sourcetype: cisco:secure_access:firewall
- source: cisco_secure_access:firewall
+ source: cisco_cloud_security_addon
+ sourcetype: cisco:cloud_security:firewall
 - name: outbound_smb
 path: /datasets/cisco_secure_access/firewall/outbound_smb.log
- sourcetype: cisco:secure_access:firewall
- source: cisco_secure_access:firewall
+ source: cisco_cloud_security_addon
+ sourcetype: cisco:cloud_security:firewall
 - name: nmap
 path: /datasets/cisco_secure_access/firewall/nmap.log
- sourcetype: cisco:secure_access:firewall
- source: cisco_secure_access:firewall
\ No newline at end of file
+ source: cisco_cloud_security_addon
+ sourcetype: cisco:cloud_security:firewall
+- name: smb
+ path: /datasets/cisco_secure_access/firewall/smb.log
+ source: cisco_cloud_security_addon
+ sourcetype: cisco:cloud_security:firewall
diff --git a/datasets/cisco_secure_access/firewall/smb.log b/datasets/cisco_secure_access/firewall/smb.log
new file mode 100644
index 00000000..fed144ab
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/smb.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:63fdafa661f342f1869f7ea2d3ac1c95fd85533928f90af66a72b6d9b3be14f7
+size 879
From 4baf0912374aab149dabbba0af65a8b48016fa7e Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 15 Apr 2026 20:18:33 +0530
Subject: [PATCH 10/12] Secure access 1 (#1154)
* adding a new dataset
* updating dataset
---
 datasets/cisco_secure_access/firewall/ldap.log | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/datasets/cisco_secure_access/firewall/ldap.log b/datasets/cisco_secure_access/firewall/ldap.log
index 39caead1..065af34d 100644
--- a/datasets/cisco_secure_access/firewall/ldap.log
+++ b/datasets/cisco_secure_access/firewall/ldap.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ca284e10d3834a2b6e56116bfb2078cc690eabf05f1b37aff3714d92fc66406c
-size 423
+oid sha256:d6d0b9e48e08b0932650e5580c60c1bf5f5deb7223868456b96d37e7c43f488a
+size 427
From d30824472599507ad7a4f8db8f18d611b3b8b353 Mon Sep 17 00:00:00 2001
From: nasbench
Date: Wed, 15 Apr 2026 19:58:05 +0200
Subject: [PATCH 11/12] fix source typo
---
 .../T1070.001/windows_event_log_cleared/data.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml
index 8db767b2..66c136b3 100644
--- a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml
+++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml
@@ -1,6 +1,6 @@
 author: Generated by dataset_analyzer.py
 id: 9c17ce79-5056-42e9-a614-4c2087471b67
-date: '2025-08-12'
+date: '2026-04-15'
 description: Automatically categorized datasets in directory windows_event_log_cleared
 environment: attack_range
 directory: windows_event_log_cleared
@@ -10,4 +10,4 @@ datasets:
 - name: windows-xml
 path: /datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
 sourcetype: XmlWinEventLog
- source: XmlWinEventLog:Microsoft-Windows-Eventlog
+ source: XmlWinEventLog:System
From e6509a2a0eb0c7b69b630b11e5887bb11d2c96d8 Mon Sep 17 00:00:00 2001
From: nasbench
Date: Wed, 15 Apr 2026 20:11:48 +0200
Subject: [PATCH 12/12] split logs
---
 .../T1070.001/windows_event_log_cleared/data.yml | 8 ++++++--
 .../windows_event_log_cleared/windows-security.log | 3 +++
 .../windows_event_log_cleared/windows-system.log | 3 +++
 .../T1070.001/windows_event_log_cleared/windows-xml.log | 3 ---
 4 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-security.log
 create mode 100644 datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-system.log
 delete mode 100644 datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml
index 66c136b3..d6544700 100644
--- a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml
+++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml
@@ -7,7 +7,11 @@ directory: windows_event_log_cleared
 mitre_technique:
 - T1070.001
 datasets:
-- name: windows-xml
- path: /datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
+- name: windows-system
+ path: /datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-system.log
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:System
+- name: windows-security
+ path: /datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-security.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-security.log b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-security.log
new file mode 100644
index 00000000..d7f70311
--- /dev/null
+++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-security.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd483a9c03b1cf5b10b4cc8b1500abd782da334647e93db61edee7f7040dce87
+size 878
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-system.log b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-system.log
new file mode 100644
index 00000000..d65063e9
--- /dev/null
+++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-system.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e5298e558860f09a89cf1a503e34d3412f2e4a6dbeb312ec44282f383d96e6f
+size 878
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
deleted file mode 100644
index f666d881..00000000
--- a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8720a4878af74ec20fdb87d9c7be80564592dcc4ef0582e8935b3d67ab9863b3
-size 1756