diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index cb7d400a00..49be076c05 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -69,7 +69,7 @@ soc:
- log.id.uid
- network.community_id
- event.dataset
':kratos:kratos.audit':
+ ':kratos:audit':
- soc_timestamp
- http_request.headers.x-real-ip
- identity_id
@@ -570,14 +570,13 @@ soc:
- destination.geo.country_iso_code
- user.name
- source.ip
':windows.sysmon_operational:':
+ '::sysmon_operational':
- soc_timestamp
- event.action
- - process.executable
+ - winlog.computer_name
- user.name
- - file.target
- - dns.question.name
- - winlog.event_data.TargetObject
+ - process.executable
+ - process.pid
'::network_connection':
- soc_timestamp
- source.ip
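Review bot: The field list under the new '::sysmon_operational' key drops file.target, dns.question.name and winlog.event_data.TargetObject, so the default columns for that dataset no longer show the file, DNS-query or registry artifact that is the primary indicator for those Sysmon event types, unless a more specific per-dataset entry (as '::network_connection' has directly below) takes over for each of them. Whether the empty-module key matches a wider set of events than ':windows.sysmon_operational:' did depends on the key syntax, which this hunk does not show, and the per-event-type entries it may rely on are outside the hunk. If they exist, a one-line comment above the key would record the intent, e.g. `# generic sysmon columns; per-event-type datasets below carry the event-specific artifact`; if they do not, keeping those three fields alongside winlog.computer_name and process.pid avoids hiding the most useful column. The enclosing soc: mapping starts and ends outside the hunk.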