diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 73c397104..c97850cc4 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1556,9 +1556,24 @@ soc:
 - name: Wazuh/OSSEC
 description: Wazuh/OSSEC HIDS alerts and logs
 query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full'
- - name: Sysmon
- description: Sysmon logs
- query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line'
+ - name: Sysmon Overview
+ description: Overview of all Sysmon data types
+ query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
+ - name: Sysmon Registry
+ description: Registry changes captured by Sysmon
+ query: '(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject'
+ - name: Sysmon DNS
+ description: DNS queries captured by Sysmon
+ query: 'event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name'
+ - name: Sysmon Process
+ description: Process activity captured by Sysmon
+ query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
+ - name: Sysmon File
+ description: File activity captured by Sysmon
+ query: '(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
+ - name: Sysmon Network
+ description: Network activity captured by Sysmon
+ query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port destination_geo.organization_name | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
 - name: Strelka
 description: Strelka logs
 query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
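Review bot: The five per-category queries (Sysmon Registry, Sysmon DNS, Sysmon Process, Sysmon File, Sysmon Network) drop the `event.module:sysmon` filter that both the removed Sysmon query and the new Sysmon Overview keep, so a query such as `event.dataset:dns_query` or `event.dataset:network_connection` matches any module that emits a dataset of that name, and the description "captured by Sysmon" would then overstate what the view shows. Scope each query to the module, e.g. `query: 'event.module:sysmon AND event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | ...'` and `query: 'event.module:sysmon AND (event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | ...'`; whether other modules in this deployment actually reuse those dataset names cannot be confirmed from the hunk, so this is also worth checking against the ingest pipelines. The enclosing `soc:` mapping starts before the hunk, and the original file's indentation is not recoverable from the collapsed diff, so the reformatted lines above show markers but not the YAML nesting.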