diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index d25af2906cbc..826533e9b4ab 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -33,6 +33,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547]
 - CEF extensions are now mapped to the data types defined in the CEF guide. {pull}14342[14342]
 - Improve ECS field mappings in panw module.  event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910]
+- Improve ECS field mappings in santa module. move hash.sha256 to process.hash.sha256 & move certificate fields to santa.certificate . {issue}16180[16180] {pull}17982[17982]
 
 *Heartbeat*
 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index bc2db15417da..e60cd80856c0 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -28708,7 +28708,7 @@ The disk volume path.
 
 --
 
-*`certificate.common_name`*::
+*`santa.certificate.common_name`*::
 +
 --
 Common name from code signing certificate.
@@ -28717,7 +28717,7 @@ type: keyword
 
 --
 
-*`certificate.sha256`*::
+*`santa.certificate.sha256`*::
 +
 --
 SHA256 hash of code signing certificate.
diff --git a/filebeat/module/santa/_meta/fields.yml b/filebeat/module/santa/_meta/fields.yml
index fea0b03a78ce..57255dd76c8f 100644
--- a/filebeat/module/santa/_meta/fields.yml
+++ b/filebeat/module/santa/_meta/fields.yml
@@ -56,10 +56,10 @@
             - name: mount
               description: The disk volume path.
 
-    - name: certificate.common_name
-      type: keyword
-      description: Common name from code signing certificate.
+        - name: certificate.common_name
+          type: keyword
+          description: Common name from code signing certificate.
 
-    - name: certificate.sha256
-      type: keyword
-      description: SHA256 hash of code signing certificate.
+        - name: certificate.sha256
+          type: keyword
+          description: SHA256 hash of code signing certificate.
diff --git a/filebeat/module/santa/fields.go b/filebeat/module/santa/fields.go
index 06b53e41d848..cd3f44d3647e 100644
--- a/filebeat/module/santa/fields.go
+++ b/filebeat/module/santa/fields.go
@@ -32,5 +32,5 @@ func init() {
 // AssetSanta returns asset data.
 // This is the base64 encoded gzipped contents of module/santa.
 func AssetSanta() string {
-	return "eJyUk82O2jAQgO88xWhP7WFRl4o95FAphfRHBS0iK7W3yhtPiJXEE9lOW96+spMFk8QtcCJj+/s8npl7KPEYgWbSsBmAEabCCO4+Ex0qhNSG72YAHHWmRGMEyQg+zACgW4Mt8bbCGUAusOI6ckv3IFmNZ6r9mWODERwUtU0fmWCeMf3nmcUyu/EUfgWWePxNintx/MPqxiaR/EhWXvxCF3e0kYVjJvSNnnizefoeEq17IJiCme5BOBiicj6WK2T6NvUq2T+HzHtHg5wUmAJtZtrdZEJcE8dbtNuQ86lBxYyQB4cEyrsumVByocuR0u+OEfuT6wyXz/pr+i3e7ZJ437eFnnun/E4can9R1dZ4sTTQPBfY73JHvKv7nJdW/w9iM7T7oFFkKKMqgNKoBKuuonVbQbb1C6rQzTS3fwa8U+ks50G/v0r3MV3/6w1siYf3Pg/FbrdJIE3XkG7fLR8Wm6uMDhnQ5cMXP7lYM1qbxvd1LYXk8CYXFeqjNli77nsbzLKV5hZ6w0zRs14ZGSojcpExg/OM6prkT69GU+N2YVi5I44FuaIaMjtcWhyknTQfHtbqgi2Wj9ca0y/xYvkIBdOFHeKw728AAAD//5mnu+4="
+	return "eJyUk82O2jAQgO88xWhP7WFRl4o9cKiUQvqjghaRldpb5Y0nxErsiWynLW9f2UkhJPGWcCJj+/tm7Jl7KPC0AsOUZTMAK2yJK7j7THQsERIXvpsBcDSpFpUVpFbwYQYAzRrsiNclzgAygSU3K790D4pJvFDdz54qXMFRU121kRHmBdN+XlgsdRvP4X/AAk+/SfNOHP8wWbki4h/xuhO/0kUNbWDhmAoz0RNtt0/fQ6JNCwSbM9tcCAdLVMyHco3MTFOv48NzyHzwNMhIg83RVWZ8JiNiSRynaHch51OFmlmhjh4JlDVdMqLkwhQDZbc7BuxPvjN8PZuvybdov4+jQ9sWZt451e3EvvYXlbXEq6We5jnHdpc/0km9y3mpzf8grkK3DypNllIqAyiDWrDyJlqzFVQtX1CHMjPc/enxzk/nOA/m/U26j8nmtTtwT9zP+zIU+/02hiTZQLJ7t3xYbG8yemRAl/Vv/Oxi1WBtHN++ayEUhzeZKNGcjEXpu+9tsMpa2Sn0itl8pOFT1FZkImUW5ylJSepn751CY3dlW/ujngmZJgmpGzQjjspNXVfyegomZ4vl41R78iVaLB8hZyZ3wx12/w0AAP//xDi+7g=="
 }
diff --git a/filebeat/module/santa/log/ingest/pipeline.json b/filebeat/module/santa/log/ingest/pipeline.json
deleted file mode 100644
index 4eaddc753a6b..000000000000
--- a/filebeat/module/santa/log/ingest/pipeline.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
-    "description": "Pipeline for parsing Google Santa logs.",
-    "processors": [
-        {
-            "grok": {
-                "field": "message",
-                "patterns": [
-                    "\\[%{TIMESTAMP_ISO8601:process.start}\\] I santad: action=%{NOT_SEPARATOR:santa.action}\\|decision=%{NOT_SEPARATOR:santa.decision}\\|reason=%{NOT_SEPARATOR:santa.reason}\\|sha256=%{NOT_SEPARATOR:hash.sha256}\\|path=%{NOT_SEPARATOR:process.executable}(\\|args=%{NOT_SEPARATOR:process.args})?(\\|cert_sha256=%{NOT_SEPARATOR:certificate.sha256})?(\\|cert_cn=%{NOT_SEPARATOR:certificate.common_name})?\\|pid=%{NUMBER:process.pid:long}\\|ppid=%{NUMBER:process.ppid:long}\\|uid=%{NUMBER:user.id}\\|user=%{NOT_SEPARATOR:user.name}\\|gid=%{NUMBER:group.id}\\|group=%{NOT_SEPARATOR:group.name}\\|mode=%{WORD:santa.mode}",
-                    "\\[%{TIMESTAMP_ISO8601:timestamp}\\] I santad: action=%{NOT_SEPARATOR:santa.action}\\|mount=%{NOT_SEPARATOR:santa.disk.mount}\\|volume=%{NOT_SEPARATOR:santa.disk.volume}\\|bsdname=%{NOT_SEPARATOR:santa.disk.bsdname}\\|fs=%{NOT_SEPARATOR:santa.disk.fs}\\|model=%{NOT_SEPARATOR:santa.disk.model}\\|serial=%{NOT_SEPARATOR:santa.disk.serial}\\|bus=%{NOT_SEPARATOR:santa.disk.bus}\\|dmgpath=%{NOT_SEPARATOR:santa.disk.dmgpath}?"
-                ],
-                "pattern_definitions": {
-                    "NOT_SEPARATOR": "[^\\|]+"
-                }
-            }
-        },
-        {
-            "rename": {
-                "field": "message",
-                "target_field": "log.original"
-            }
-        },
-        {
-            "date": {
-                "field": "process.start",
-                "target_field": "process.start",
-                "formats": [
-                    "ISO8601"
-                ],
-                "ignore_failure": true
-            }
-        },
-        {
-            "set": {
-                "field": "@timestamp",
-                "value": "{{ process.start }}",
-                "ignore_failure": true
-            }
-        },
-        {
-            "split": {
-                "field": "process.args",
-                "separator": " ",
-                "ignore_failure": true
-            }
-        },
-        {
-            "date": {
-                "field": "timestamp",
-                "target_field": "@timestamp",
-                "formats": [
-                    "ISO8601"
-                ],
-                "ignore_failure": true
-            }
-        },
-        {
-            "remove": {
-                "field": "timestamp",
-                "ignore_missing": true
-            }
-        }
-    ],
-    "on_failure": [
-        {
-            "set": {
-                "field": "error.message",
-                "value": "{{ _ingest.on_failure_message }}"
-            }
-        }
-    ]
-}
diff --git a/filebeat/module/santa/log/ingest/pipeline.yml b/filebeat/module/santa/log/ingest/pipeline.yml
new file mode 100644
index 000000000000..11ad4cead6ca
--- /dev/null
+++ b/filebeat/module/santa/log/ingest/pipeline.yml
@@ -0,0 +1,91 @@
+description: Pipeline for parsing Google Santa logs.
+processors:
+- grok:
+    field: message
+    patterns:
+    - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|decision=%{NOT_SEPARATOR:santa.decision}\|reason=%{NOT_SEPARATOR:santa.reason}\|sha256=%{NOT_SEPARATOR:process.hash.sha256}\|path=%{NOT_SEPARATOR:process.executable}(\|args=%{NOT_SEPARATOR:santa.args})?(\|cert_sha256=%{NOT_SEPARATOR:santa.certificate.sha256})?(\|cert_cn=%{NOT_SEPARATOR:santa.certificate.common_name})?\|pid=%{NUMBER:process.pid:long}\|ppid=%{NUMBER:process.ppid:long}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}\|mode=%{WORD:santa.mode}'
+    - '\[%{TIMESTAMP_ISO8601:timestamp}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|mount=%{NOT_SEPARATOR:santa.disk.mount}\|volume=%{NOT_SEPARATOR:santa.disk.volume}\|bsdname=%{NOT_SEPARATOR:santa.disk.bsdname}\|fs=%{NOT_SEPARATOR:santa.disk.fs}\|model=%{NOT_SEPARATOR:santa.disk.model}\|serial=%{NOT_SEPARATOR:santa.disk.serial}\|bus=%{NOT_SEPARATOR:santa.disk.bus}\|dmgpath=%{NOT_SEPARATOR:santa.disk.dmgpath}?'
+    pattern_definitions:
+      NOT_SEPARATOR: '[^\|]+'
+- rename:
+    field: message
+    target_field: log.original
+- date:
+    field: process.start
+    target_field: process.start
+    formats:
+    - ISO8601
+    ignore_failure: true
+- set:
+    field: '@timestamp'
+    value: '{{ process.start }}'
+    ignore_failure: true
+- split:
+    field: santa.args
+    separator: ' '
+    ignore_failure: true
+- date:
+    field: timestamp
+    target_field: '@timestamp'
+    formats:
+    - ISO8601
+    ignore_failure: true
+- remove:
+    field: timestamp
+    ignore_missing: true
+- append:
+    field: process.args
+    value: "{{process.executable}}"
+    if: "ctx?.process?.executable != null"
+- foreach:
+    field: santa.args
+    processor:
+      append:
+        field: process.args
+        value: "{{_ingest._value}}"
+    ignore_missing: true
+- remove:
+    field: santa.args
+    ignore_missing: true
+- set:
+    field: event.kind
+    value: event
+- append:
+    field: event.category
+    value: process
+    if: "ctx?.santa?.action == 'EXEC'"
+- append:
+    field: event.type
+    value: start
+    if: "ctx?.santa?.action == 'EXEC'"
+- set:
+    field: event.outcome
+    value: success
+    if: "ctx?.santa?.decision == 'ALLOW'"
+- set:
+    field: event.outcome
+    value: failure
+    if: "ctx?.santa?.decision == 'DENY'"
+- set:
+    field: event.action
+    value: "{{santa.action}}"
+    if: "ctx?.santa?.action != null"
+- lowercase:
+    field: event.action
+    ignore_missing: true
+- append:
+    field: related.user
+    value: "{{user.name}}"
+    if: "ctx?.user?.name != null"
+- append:
+    field: related.hash
+    value: "{{santa.certificate.sha256}}"
+    if: "ctx?.santa?.certificate?.sha256 != null"
+- append:
+    field: related.hash
+    value: "{{process.hash.sha256}}"
+    if: "ctx?.process?.hash != null"
+on_failure:
+- set:
+    field: error.message
+    value: '{{ _ingest.on_failure_message }}'
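Review bot: The guard on the last `related.hash` append is looser than the one two processors above it: it tests `ctx?.process?.hash != null` whereas the certificate append tests the leaf `ctx?.santa?.certificate?.sha256 != null`, so a document carrying a `process.hash` object without `sha256` would append an empty template expansion to `related.hash`; `if: "ctx?.process?.hash?.sha256 != null"` keeps the two conditions consistent. Separately, the `append`/`foreach` pair that assembles `process.args` prepends `process.executable` to the tokens of Santa's `args`, but Santa's `args` already starts at argv[0], so the expected fixture shows the same token twice (the newsyslog event lists `/usr/sbin/newsyslog` twice). If that is a deliberate choice to satisfy ECS's "args[0] is the absolute executable path", the first `append` deserves a comment such as `# ECS wants process.args[0] to be the executable's absolute path; Santa's args field begins at its own argv[0], so that entry may repeat`. The single-space `split` of `santa.args` also still fragments paths that contain spaces, as the Chrome Helper fixture shows; a comment on that processor acknowledging the limitation would help the next maintainer.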
diff --git a/filebeat/module/santa/log/manifest.yml b/filebeat/module/santa/log/manifest.yml
index d03699304902..43cad6e19343 100644
--- a/filebeat/module/santa/log/manifest.yml
+++ b/filebeat/module/santa/log/manifest.yml
@@ -4,8 +4,9 @@ var:
   - name: paths
     default:
       - /var/log/santa.log
+      - /var/db/santa/santa.log
   - name: input
     default: file
 
-ingest_pipeline: ingest/pipeline.json
+ingest_pipeline: ingest/pipeline.yml
 input: config/{{.input}}.yml
diff --git a/filebeat/module/santa/log/test/santa.log-expected.json b/filebeat/module/santa/log/test/santa.log-expected.json
index ab94261c13a5..6c1fbe811843 100644
--- a/filebeat/module/santa/log/test/santa.log-expected.json
+++ b/filebeat/module/santa/log/test/santa.log-expected.json
@@ -1,25 +1,43 @@
 [
     {
         "@timestamp": "2018-12-10T06:45:16.802Z",
-        "certificate.common_name": "Software Signing",
-        "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+        "event.action": "exec",
+        "event.category": [
+            "process"
+        ],
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
+        "event.outcome": "success",
+        "event.type": [
+            "start"
+        ],
         "fileset.name": "log",
         "group.id": "0",
         "group.name": "wheel",
-        "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 0,
         "log.original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
         "process.args": [
+            "/usr/libexec/xpcproxy",
             "/usr/sbin/newsyslog"
         ],
         "process.executable": "/usr/libexec/xpcproxy",
+        "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4",
         "process.pid": 29678,
         "process.ppid": 1,
         "process.start": "2018-12-10T06:45:16.802Z",
+        "related.hash": [
+            "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+            "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+        ],
+        "related.user": [
+            "root"
+        ],
         "santa.action": "EXEC",
+        "santa.certificate.common_name": "Software Signing",
+        "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
         "santa.decision": "ALLOW",
         "santa.mode": "M",
         "santa.reason": "CERT",
@@ -29,26 +47,44 @@
     },
     {
         "@timestamp": "2018-12-10T06:45:16.802Z",
-        "certificate.common_name": "Software Signing",
-        "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+        "event.action": "exec",
+        "event.category": [
+            "process"
+        ],
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
+        "event.outcome": "success",
+        "event.type": [
+            "start"
+        ],
         "fileset.name": "log",
         "group.id": "0",
         "group.name": "wheel",
-        "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 360,
         "log.original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.systemstats.daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
         "process.args": [
+            "/usr/libexec/xpcproxy",
             "xpcproxy",
             "com.apple.systemstats.daily"
         ],
         "process.executable": "/usr/libexec/xpcproxy",
+        "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4",
         "process.pid": 29679,
         "process.ppid": 1,
         "process.start": "2018-12-10T06:45:16.802Z",
+        "related.hash": [
+            "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+            "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+        ],
+        "related.user": [
+            "root"
+        ],
         "santa.action": "EXEC",
+        "santa.certificate.common_name": "Software Signing",
+        "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
         "santa.decision": "ALLOW",
         "santa.mode": "M",
         "santa.reason": "CERT",
@@ -58,25 +94,43 @@
     },
     {
         "@timestamp": "2018-12-10T06:45:16.851Z",
-        "certificate.common_name": "Software Signing",
-        "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+        "event.action": "exec",
+        "event.category": [
+            "process"
+        ],
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
+        "event.outcome": "success",
+        "event.type": [
+            "start"
+        ],
         "fileset.name": "log",
         "group.id": "0",
         "group.name": "wheel",
-        "hash.sha256": "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 737,
         "log.original": "[2018-12-10T06:45:16.851Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d|path=/usr/sbin/newsyslog|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
         "process.args": [
+            "/usr/sbin/newsyslog",
             "/usr/sbin/newsyslog"
         ],
         "process.executable": "/usr/sbin/newsyslog",
+        "process.hash.sha256": "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d",
         "process.pid": 29678,
         "process.ppid": 1,
         "process.start": "2018-12-10T06:45:16.851Z",
+        "related.hash": [
+            "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+            "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d"
+        ],
+        "related.user": [
+            "root"
+        ],
         "santa.action": "EXEC",
+        "santa.certificate.common_name": "Software Signing",
+        "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
         "santa.decision": "ALLOW",
         "santa.mode": "M",
         "santa.reason": "CERT",
@@ -86,26 +140,44 @@
     },
     {
         "@timestamp": "2018-12-10T06:45:16.859Z",
-        "certificate.common_name": "Software Signing",
-        "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+        "event.action": "exec",
+        "event.category": [
+            "process"
+        ],
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
+        "event.outcome": "success",
+        "event.type": [
+            "start"
+        ],
         "fileset.name": "log",
         "group.id": "0",
         "group.name": "wheel",
-        "hash.sha256": "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 1095,
         "log.original": "[2018-12-10T06:45:16.859Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f|path=/usr/sbin/systemstats|args=/usr/sbin/systemstats --daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
         "process.args": [
+            "/usr/sbin/systemstats",
             "/usr/sbin/systemstats",
             "--daily"
         ],
         "process.executable": "/usr/sbin/systemstats",
+        "process.hash.sha256": "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f",
         "process.pid": 29679,
         "process.ppid": 1,
         "process.start": "2018-12-10T06:45:16.859Z",
+        "related.hash": [
+            "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+            "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f"
+        ],
+        "related.user": [
+            "root"
+        ],
         "santa.action": "EXEC",
+        "santa.certificate.common_name": "Software Signing",
+        "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
         "santa.decision": "ALLOW",
         "santa.mode": "M",
         "santa.reason": "CERT",
@@ -115,25 +187,43 @@
     },
     {
         "@timestamp": "2018-12-10T08:45:27.810Z",
-        "certificate.common_name": "Software Signing",
-        "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+        "event.action": "exec",
+        "event.category": [
+            "process"
+        ],
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
+        "event.outcome": "success",
+        "event.type": [
+            "start"
+        ],
         "fileset.name": "log",
         "group.id": "0",
         "group.name": "wheel",
-        "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 1465,
         "log.original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29681|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
         "process.args": [
+            "/usr/libexec/xpcproxy",
             "/usr/sbin/newsyslog"
         ],
         "process.executable": "/usr/libexec/xpcproxy",
+        "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4",
         "process.pid": 29681,
         "process.ppid": 1,
         "process.start": "2018-12-10T08:45:27.810Z",
+        "related.hash": [
+            "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+            "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+        ],
+        "related.user": [
+            "root"
+        ],
         "santa.action": "EXEC",
+        "santa.certificate.common_name": "Software Signing",
+        "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
         "santa.decision": "ALLOW",
         "santa.mode": "M",
         "santa.reason": "CERT",
@@ -143,26 +233,44 @@
     },
     {
         "@timestamp": "2018-12-10T08:45:27.810Z",
-        "certificate.common_name": "Software Signing",
-        "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+        "event.action": "exec",
+        "event.category": [
+            "process"
+        ],
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
+        "event.outcome": "success",
+        "event.type": [
+            "start"
+        ],
         "fileset.name": "log",
         "group.id": "0",
         "group.name": "wheel",
-        "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 1825,
         "log.original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.adobe.AAM.Scheduler-1.0|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29680|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
         "process.args": [
+            "/usr/libexec/xpcproxy",
             "xpcproxy",
             "com.adobe.AAM.Scheduler-1.0"
         ],
         "process.executable": "/usr/libexec/xpcproxy",
+        "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4",
         "process.pid": 29680,
         "process.ppid": 1,
         "process.start": "2018-12-10T08:45:27.810Z",
+        "related.hash": [
+            "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+            "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+        ],
+        "related.user": [
+            "root"
+        ],
         "santa.action": "EXEC",
+        "santa.certificate.common_name": "Software Signing",
+        "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
         "santa.decision": "ALLOW",
         "santa.mode": "M",
         "santa.reason": "CERT",
@@ -172,24 +280,41 @@
     },
     {
         "@timestamp": "2018-12-10T21:37:27.247Z",
+        "event.action": "exec",
+        "event.category": [
+            "process"
+        ],
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
+        "event.outcome": "success",
+        "event.type": [
+            "start"
+        ],
         "fileset.name": "log",
         "group.id": "0",
         "group.name": "wheel",
-        "hash.sha256": "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 2202,
         "log.original": "[2018-12-10T21:37:27.247Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1|path=/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd|args=/usr/local/bin/osqueryd --flagfile=/private/var/osquery/osquery.flags --logger_min_stderr=1|pid=45084|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
         "process.args": [
+            "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd",
             "/usr/local/bin/osqueryd",
             "--flagfile=/private/var/osquery/osquery.flags",
             "--logger_min_stderr=1"
         ],
         "process.executable": "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd",
+        "process.hash.sha256": "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1",
         "process.pid": 45084,
         "process.ppid": 1,
         "process.start": "2018-12-10T21:37:27.247Z",
+        "related.hash": [
+            "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1"
+        ],
+        "related.user": [
+            "root"
+        ],
         "santa.action": "EXEC",
         "santa.decision": "ALLOW",
         "santa.mode": "M",
@@ -200,22 +325,42 @@
     },
     {
         "@timestamp": "2018-12-10T16:24:43.992Z",
-        "certificate.common_name": "Software Signing",
-        "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+        "event.action": "exec",
+        "event.category": [
+            "process"
+        ],
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
+        "event.outcome": "success",
+        "event.type": [
+            "start"
+        ],
         "fileset.name": "log",
         "group.id": "20",
         "group.name": "staff",
-        "hash.sha256": "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 2560,
         "log.original": "[2018-12-10T16:24:43.992Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106|path=/usr/bin/basename|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=40757|ppid=40756|uid=501|user=akroh|gid=20|group=staff|mode=M",
+        "process.args": [
+            "/usr/bin/basename"
+        ],
         "process.executable": "/usr/bin/basename",
+        "process.hash.sha256": "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106",
         "process.pid": 40757,
         "process.ppid": 40756,
         "process.start": "2018-12-10T16:24:43.992Z",
+        "related.hash": [
+            "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
+            "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106"
+        ],
+        "related.user": [
+            "akroh"
+        ],
         "santa.action": "EXEC",
+        "santa.certificate.common_name": "Software Signing",
+        "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
         "santa.decision": "ALLOW",
         "santa.mode": "M",
         "santa.reason": "CERT",
@@ -225,18 +370,26 @@
     },
     {
         "@timestamp": "2018-12-14T05:35:38.313Z",
-        "certificate.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)",
-        "certificate.sha256": "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5",
+        "event.action": "exec",
+        "event.category": [
+            "process"
+        ],
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
+        "event.outcome": "success",
+        "event.type": [
+            "start"
+        ],
         "fileset.name": "log",
         "group.id": "20",
         "group.name": "staff",
-        "hash.sha256": "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 2899,
         "log.original": "[2018-12-14T05:35:38.313Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7|path=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper|args=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --field-trial-handle=120122713615061869,9401617251746517350,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10458143409865682077 --seatbelt-client=262|cert_sha256=345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5|cert_cn=Developer ID Application: Google, Inc. (EQHXZ8M8AV)|pid=89238|ppid=704|uid=501|user=akroh|gid=20|group=staff|mode=M",
         "process.args": [
+            "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper",
             "/Applications/Google",
             "Chrome.app/Contents/Versions/70.0.3538.110/Google",
             "Chrome",
@@ -251,10 +404,20 @@
             "--seatbelt-client=262"
         ],
         "process.executable": "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper",
+        "process.hash.sha256": "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7",
         "process.pid": 89238,
         "process.ppid": 704,
         "process.start": "2018-12-14T05:35:38.313Z",
+        "related.hash": [
+            "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5",
+            "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7"
+        ],
+        "related.user": [
+            "akroh"
+        ],
         "santa.action": "EXEC",
+        "santa.certificate.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)",
+        "santa.certificate.sha256": "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5",
         "santa.decision": "ALLOW",
         "santa.mode": "M",
         "santa.reason": "UNKNOWN",
@@ -264,10 +427,13 @@
     },
     {
         "@timestamp": "2018-12-17T03:03:52.337Z",
+        "event.action": "diskappear",
         "event.dataset": "santa.log",
+        "event.kind": "event",
         "event.module": "santa",
         "fileset.name": "log",
         "input.type": "log",
+        "log.level": "I",
         "log.offset": 3712,
         "log.original": "[2018-12-17T03:03:52.337Z] I santad: action=DISKAPPEAR|mount=/Volumes/Recovery|volume=Recovery|bsdname=disk1s3|fs=apfs|model=APPLE SSD SM0512L|serial=C026495006UHCHH1Q|bus=PCI-Express|dmgpath=",
         "santa.action": "DISKAPPEAR",