From 3d4fd08547a32d713480e8e48f04e39fe6216182 Mon Sep 17 00:00:00 2001
From: bryant-treacle
Date: Tue, 8 Aug 2023 15:28:06 -0400
Subject: [PATCH 1/2] Update defaults.yaml

---
 salt/soc/defaults.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index cb7d400a00..f97089e027 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -570,14 +570,13 @@ soc:
 - destination.geo.country_iso_code
 - user.name
 - source.ip
- ':windows.sysmon_operational:':
+ '::sysmon_operational':
 - soc_timestamp
 - event.action
- - process.executable
+ - winlog.computer_name
 - user.name
- - file.target
- - dns.question.name
- - winlog.event_data.TargetObject
+ - process.executable
+ - process.pid
 '::network_connection':
 - soc_timestamp
 - source.ip

From 036b81707b275f96f9ed13c0021be6ee765d690b Mon Sep 17 00:00:00 2001
From: bryant-treacle
Date: Tue, 8 Aug 2023 16:10:54 -0400
Subject: [PATCH 2/2] Update defaults.yaml

---
 salt/soc/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index f97089e027..49be076c05 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -69,7 +69,7 @@ soc:
 - log.id.uid
 - network.community_id
 - event.dataset
- ':kratos:kratos.audit':
+ ':kratos:audit':
 - soc_timestamp
 - http_request.headers.x-real-ip
 - identity_id
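Review bot: The new `'::sysmon_operational'` field list in the first hunk drops `file.target`, `dns.question.name` and `winlog.event_data.TargetObject`, which were the only entries in that list tied to Sysmon file, DNS-query and registry events; if this list drives the default columns shown for that dataset, an analyst triaging those event types loses the one field that identifies what was touched or resolved, while the process-create oriented additions (`process.pid`, `winlog.computer_name`) do not cover them. Consider keeping the three removed entries next to the added ones, e.g. `- dns.question.name`, or state in the commit message why they are no longer wanted, since "Update defaults.yaml" gives a reviewer nothing to go on. The key itself changes shape from `':windows.sysmon_operational:'` to the `'::'`-prefixed form used by the neighbouring `'::network_connection'` entry; the lookup that consumes these keys is outside this patch, so it is worth confirming the old form was not still matched somewhere and that the rename does not leave Sysmon events with no matching entry. The same shape change applies to `':kratos:audit'` in the second hunk.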