From 533322e3b5ff37db92cc748d6d52e45d3daa920b Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Thu, 22 Jan 2026 23:02:11 +0530
Subject: [PATCH] updating to new folder

---
 .../T1071.004/long_dns_query/atomic_red_team.yml | 13 +++++++++++++
 .../long_dns_query}/dns-sysmon.log               |  0
 2 files changed, 13 insertions(+)
 create mode 100644 datasets/attack_techniques/T1071.004/long_dns_query/atomic_red_team.yml
 rename datasets/attack_techniques/{T1021.002/atomic_red_team => T1071.004/long_dns_query}/dns-sysmon.log (100%)

diff --git a/datasets/attack_techniques/T1071.004/long_dns_query/atomic_red_team.yml b/datasets/attack_techniques/T1071.004/long_dns_query/atomic_red_team.yml
new file mode 100644
index 00000000..9f61dbe4
--- /dev/null
+++ b/datasets/attack_techniques/T1071.004/long_dns_query/atomic_red_team.yml
@@ -0,0 +1,13 @@
+author: Bhavin Patel, Splunk
+id: d1c13a02-9fa8-4d72-8e80-a75db51ed88e
+date: '2026-01-22'
+description: 'Contains DNS query data from the windows machine where powershell is trying to make a query to a long domain name'
+environment: attack_range
+directory: atomic_red_team
+mitre_technique:
+- T1071.004
+datasets:
+- name: dns-sysmon
+  path: /datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1021.002/atomic_red_team/dns-sysmon.log b/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
similarity index 100%
rename from datasets/attack_techniques/T1021.002/atomic_red_team/dns-sysmon.log
rename to datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
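Review bot: `directory: atomic_red_team` in the new atomic_red_team.yml looks stale after the move — the commit's own rename takes the log from `T1021.002/atomic_red_team/` to `T1071.004/long_dns_query/`, and the `path` field a few lines below already points at the `long_dns_query` folder, so the two fields disagree about where the dataset lives. If `directory` is meant to name the on-disk folder (as the old location suggests), it should read `directory: long_dns_query`; if it is instead a category tag consumed by the test framework, a comment such as `# directory: dataset category, not the on-disk folder` would stop the next maintainer from "fixing" it. A detection built from this metadata that resolves the log by `directory` rather than `path` would silently load nothing, so it is worth pinning down before the dataset is referenced. As a secondary point of style, the 120+ character `description` line would read more easily as a `>-` folded scalar, and the file has no `---` document start.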