There are few addition improvements we can make the Winlogbeat Sysmon module to better align we ECS.

• Set related.hash.
• Set file.extension/name/directory. Use the JS path module .
• hash.* is not part of ECS. It should be used as file.hash.* or process.hash.*. We can't delete the existing hash.* fields until 8.0, so for 7.x we can populate them both. And then do a breaking change for 8.0 where we drop hash.* completely.
• Drop the rule.name field when it has a tack - value