diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index a1c4d6d62..533823e6f 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -12,7 +12,41 @@ transformations:
 sid: rule.uuid
 answer: answers
 query: dns.query.name
- src_ip: destination.ip.keyword
+ src_ip: source.ip.keyword
 src_port: source.port
 dst_ip: destination.ip.keyword
- dst_port: destination.port
\ No newline at end of file
+ dst_port: destination.port
+ winlog.event_data.User: user.name
+ - id: hashes_process-creation
+ type: field_name_mapping
+ mapping:
+ winlog.event_data.sha256: process.hash.sha256
+ winlog.event_data.sha1: process.hash.sha1
+ winlog.event_data.md5: process.hash.md5
+ winlog.event_data.Imphash: process.pe.imphash
+ rule_conditions:
+ - type: logsource
+ product: windows
+ category: process_creation
+ - id: hashes_image-load
+ type: field_name_mapping
+ mapping:
+ winlog.event_data.sha256: dll.hash.sha256
+ winlog.event_data.sha1: dll.hash.sha1
+ winlog.event_data.md5: dll.hash.md5
+ winlog.event_data.Imphash: dll.pe.imphash
+ rule_conditions:
+ - type: logsource
+ product: windows
+ category: image_load
+ - id: hashes_driver-load
+ type: field_name_mapping
+ mapping:
+ winlog.event_data.sha256: dll.hash.sha256
+ winlog.event_data.sha1: dll.hash.sha1
+ winlog.event_data.md5: dll.hash.md5
+ winlog.event_data.Imphash: dll.pe.imphash
+ rule_conditions:
+ - type: logsource
+ product: windows
+ category: driver_load
\ No newline at end of file
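Review bot: The three new hash mappings (`hashes_process-creation`, `hashes_image-load`, `hashes_driver-load`) translate `sha256`, `sha1`, `md5` and `Imphash` but not the combined `Hashes` field that Sigma Windows rules commonly match with `Hashes|contains`; unless an earlier transformation outside this hunk splits that field, such rules will still be emitted against `winlog.event_data.Hashes` and never reach `process.hash.*` / `dll.hash.*`, so detections on those rules would silently fail to match. `hashes_image-load` and `hashes_driver-load` carry byte-identical mappings; if pointing driver loads at `dll.*` is intentional, a comment such as `# driver_load hashes are indexed under dll.* alongside image_load` above `hashes_driver-load` would record that, and merging the two into one item with both logsource conditions under `rule_condition_linking: any` would keep them from drifting apart. The new side still ends with `\ No newline at end of file` after `category: driver_load`; adding the trailing newline keeps yamllint quiet and future diffs clean. The `transformations` list and the first mapping item begin before this hunk, so the scope of the added `winlog.event_data.User: user.name` line cannot be judged here.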