diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 8b78f2e91..5905434ed 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1064,6 +1064,15 @@ soc:
         -  event.action
         -  event.outcome
         -  event.dataset
+      ':system:':
+        -  soc_timestamp
+        -  process.name
+        -  process.pid
+        -  user.effective.name
+        -  user.name
+        -  system.auth.sudo.command
+        -  event.dataset
+        -  message
     server:
       bindAddress: 0.0.0.0:9822
       baseUrl: /