diff --git a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json
new file mode 100644
index 00000000..a8555dad
--- /dev/null
+++ b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8f409ace084c2caa5bb3644512a91100e957c1cf4271a1026d83710740ed5b6b
+size 3103
diff --git a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml
new file mode 100644
index 00000000..32cbbffc
--- /dev/null
+++ b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 38e470fb-3c73-42c5-a5e6-47838df5e62e
+date: '2023-12-07'
+description: Kubernetes audit logs which contains pulling a image.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1526
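Review bot: The `description` in kubernetes_audit_pull_image.yml is too thin for someone choosing test data for a detection: it does not say how the log was collected or which audit event represents the image pull. The `aws:cloudwatchlogs` sourcetype suggests audit logs exported through CloudWatch, presumably from EKS, so a line such as `description: Kubernetes audit logs, collected through AWS CloudWatch, that contain an image pull.` would be clearer and also fixes the grammar of "which contains pulling a image"; adjust it if the collection path differs. The JSON file appears in this diff only as a Git LFS pointer (3103 bytes), so its content cannot be reviewed here. Before merge it is worth confirming that the recorded events carry no real account IDs, user identities, source IPs or tokens.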