diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
new file mode 100644
index 00000000..da16487b
--- /dev/null
+++ b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c0edf045b5e5ed56ce67dd3ecd98c2fbfe7b346f8926318c76f268cf87890a1e
+size 29506
diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml
new file mode 100644
index 00000000..56570fac
--- /dev/null
+++ b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml
@@ -0,0 +1,12 @@
+author: Steven Dick
+id: 722e396e-9e74-4516-882d-0fc94f5d2b33
+date: '2024-12-19'
+description: 'Sample of events when Sharepoint is searched for a sensitive term / or high rate of searching.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
+- https://attack.mitre.org/techniques/T1213/002/
\ No newline at end of file
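Review bot: The `description` in o365_sus_sharepoint_search.yml folds two behaviours into one clause ("a sensitive term / or high rate of searching") and does not say which of them the sample holds or what the expected hits are, so someone validating a detection against this dataset cannot tell what a pass looks like. I would reword it to something like `description: 'O365 management activity events generated when SharePoint is searched for sensitive terms or at a high rate.'` and add the search terms or the query rate used, if they are known. The `dataset` URL resolves against `master`, so a consumer gets whatever that branch holds at fetch time; checking the download against the `oid sha256:` value in the LFS pointer is the integrity check visible here. Because the sourcetype is `o365:management:activity`, it is also worth confirming before merge that tenant identifiers, user principal names and client IPs in the log are lab values, which `environment: attack_range` suggests but does not show. The file also ends without a trailing newline.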