diff --git a/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json b/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json
new file mode 100644
index 00000000..b8c1f84e
--- /dev/null
+++ b/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d68b80ba023d2328e33684e983fbf7ab019deafc749080874dd599bbda704a5e
+size 2977
diff --git a/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml b/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml
index fa7b18b6..36e5957a 100644
--- a/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml
+++ b/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml
@@ -6,6 +6,7 @@ description: This search looks for CloudTrail events where a user created a poli
 environment: Cloud Attack Range
 dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json
 sourcetypes:
 - aws:cloudtrail
 references:
diff --git a/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json b/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json
new file mode 100644
index 00000000..34add83a
--- /dev/null
+++ b/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:59fa726e33568f3e2896ff6675c034f53f69183e7f05219e28d64498ef028531
+size 2739
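Review bot: The aws_create_policy_version.yml hunk adds an ASL OCSF dataset URL, but the `sourcetypes:` list directly below it still contains only `- aws:cloudtrail`, so a test harness that feeds each dataset under the listed sourcetypes would have no sourcetype for the OCSF file. The sibling aws_createaccesskey.yml in this same commit pairs its ASL datasets with `- aws:asl`, which suggests the convention here. Add `- aws:asl` under `sourcetypes:` in this file as well, unless the OCSF file is meant to be ingested as `aws:cloudtrail`, which the hunk gives no indication of.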
diff --git a/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml b/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml
index 34315841..618e60f4 100644
--- a/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml
+++ b/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml
@@ -9,6 +9,7 @@ environment: Cloud Attack Range
 dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/amazon_security_lake.json
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/asl_ocsf_cloudtrail.json
 sourcetypes:
 - aws:cloudtrail
 - aws:asl
diff --git a/datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json b/datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json
new file mode 100644
index 00000000..a9859776
--- /dev/null
+++ b/datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c7f16b51efd6a80ebb9beeeab3a2f64f94aed6a2a852706f9063e03e6653e38a
+size 14377
diff --git a/datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json b/datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json
new file mode 100644
index 00000000..b92a8127
--- /dev/null
+++ b/datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:10cd7f9d56f9c05fefa70c6fb455b012b441b372317b4aa8fe7cbd4236b113dd
+size 40040
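Review bot: The dataset URL added to aws_createaccesskey.yml points at `.../attack_techniques/T1078/asl_ocsf_cloudtrail.json`, but the file this commit creates lives one directory deeper at `datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json`, so the new entry will resolve to a path that does not exist unless a same-named file already sits at the T1078 level. The aws_create_policy_version.yml hunk in this commit uses the full per-technique directory, which is the form that matches the added file. Change the line to `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json`. Separately, the new pointer files under T1110.002/aws_rds_password_reset and T1552/aws_getpassworddata have no matching `.yml` dataset-list update in this view; if that update is not elsewhere in the commit, those datasets will not be referenced by any test definition.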