fixed failed validation

Author: Patrick Bareiss

datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml

@@ -3,9 +3,11 @@ id: f4e7c8fc-c534-415b-9f99-9e9419096db5
 date: '2025-07-09'
 description: 'Sample of ESXi syslog events showing attempts to access sensitive files on the ESXi system.'
 environment: custom
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log
-sourcetypes:
-- vmw-syslog
-references:
-- https://attack.mitre.org/techniques/T1003/008
+directory: esxi_sensitive_files
+mitre_technique:
+- T1003.008
+datasets:
+- name: esxi_shell_enabled
+  path: /datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log
+  sourcetype: vmw-syslog
+  source: vmw-syslog

datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml

@@ -1,11 +1,13 @@
 author: Raven Tait, Splunk
 id: 6cbe3ac7-510d-49ab-983e-7ee504d6f386
 date: '2025-07-09'
-description: 'Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools."
+description: Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools.
 environment: custom
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log
-sourcetypes:
-- vmw-syslog
-references:
-- https://attack.mitre.org/techniques/T1005
+directory: esxi_vm_download
+mitre_technique:
+- T1005
+datasets:
+- name: vmw-syslog
+  path: /datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log
+  sourcetype: vmw-syslog
+  source: vmw-syslog

datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml

@@ -3,10 +3,11 @@ id: 2481e83c-b888-4383-bc61-9d292f4e03ea
 date: '2025-08-05'
 description: Logs from usage of the Medusa rootkit on a Linux host.
 environment: custom
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log
-sourcetypes:
-- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-- Syslog:Linux-Sysmon/Operational
-references:
-- https://attack.mitre.org/techniques/T1014/
+directory: medusa_rootkit
+mitre_technique:
+- T1014
+datasets:
+- name: sysmon_linux
+  path: /datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log
+  sourcetype: sysmon:linux
+  source: Syslog:Linux-Sysmon/Operational

datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_net_discovery.yml

@@ -3,10 +3,15 @@ id: e0c0d5e5-8c29-4db3-9d27-d42f31c552f5
 date: '2025-08-15'
 description: Generated datasets for MacOS net discovery
 environment: vm
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_list_firewall_rules.log
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log
-sourcetypes:
-- osquery:results
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+directory: macos_net_discovery
+mitre_technique:
+- T1016
+datasets:
+- name: osquery:results
+  path: /datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_list_firewall_rules.log
+  sourcetype: osquery:results
+  source: osquery:results
+- name: osquery:results
+  path: /datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log
+  sourcetype: osquery:results
+  source: osquery:results

datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml

@@ -3,9 +3,11 @@ id: 2050c38a-6d1e-11f0-86b8-629be3538068
 date: '2025-07-30'
 description: Generated datasets for bmc creation in attack range.
 environment: attack_range
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.log
-sourcetypes:
-- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
-references:
-- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
+directory: bmc_creation
+mitre_technique:
+- T1021.001
+datasets:
+- name: windows-sysmon
+  path: /datasets/attack_techniques/T1021.001/bmc_creation/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml

@@ -3,9 +3,11 @@ id: bf432e34-6d3b-11f0-86b8-629be3538068
 date: '2025-07-30'
 description: Generated datasets for mstsc admini in attack range.
 environment: attack_range
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admin.log
-sourcetypes:
-- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
-references:
-- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
+directory: mstsc_admini
+mitre_technique:
+- T1021.001
+datasets:
+- name: windows-sysmon
+  path: /datasets/attack_techniques/T1021.001/mstsc_admini/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml

@@ -3,9 +3,11 @@ id: 30e07cc0-6d25-11f0-86b8-629be3538068
 date: '2025-07-30'
 description: Generated datasets for rdp creation in attack range.
 environment: attack_range
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/rdp_creation/deafault_rdp_created.log
-sourcetypes:
-- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
-references:
-- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
+directory: rdp_creation
+mitre_technique:
+- T1021.001
+datasets:
+- name: windows-sysmon
+  path: /datasets/attack_techniques/T1021.001/rdp_creation/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml

@@ -3,9 +3,11 @@ id: d96eb482-6dee-11f0-b544-629be3538069
 date: '2025-07-31'
 description: Generated datasets for rdp session established in attack range.
 environment: attack_range
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/rdp_session_established/4624_10_logon.log
-sourcetypes:
-- 'XmlWinEventLog:Security'
-references:
-- https://thelocalh0st.github.io/posts/rdp/
+directory: rdp_session_established
+mitre_technique:
+- T1021.001
+datasets:
+- name: windows-security
+  path: /datasets/attack_techniques/T1021.001/rdp_session_established/4624_10_logon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security

datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml

@@ -3,9 +3,11 @@ id: 27f7e43a-6d3a-11f0-86b8-629be3538068
 date: '2025-07-30'
 description: Generated datasets for terminal server reg created in attack range.
 environment: attack_range
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_sever_client_Reg_created.log
-sourcetypes:
-- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
-references:
-- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
+directory: terminal_server_reg_created
+mitre_technique:
+- T1021.001
+datasets:
+- name: windows-sysmon
+  path: /datasets/attack_techniques/T1021.001/terminal_server_reg_created/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml

@@ -3,9 +3,11 @@ id: a2d674e4-6d3c-11f0-86b8-629be3538068
 date: '2025-07-30'
 description: Generated datasets for unhide file in attack range.
 environment: attack_range
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.log
-sourcetypes:
-- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
-references:
-- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
+directory: unhide_file
+mitre_technique:
+- T1021.001
+datasets:
+- name: windows-sysmon
+  path: /datasets/attack_techniques/T1021.001/unhide_file/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational