diff --git a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml
index 3e1a5f518c2f..a02d45b20700 100644
--- a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml
@@ -177,6 +177,10 @@ processors:
     field: sophos.xg.device_id
     target_field: observer.serial_number
     ignore_missing: true
+- rename:
+    field: sophos.xg.device_serial_id
+    target_field: observer.serial_number
+    ignore_missing: true
 - rename:
     field: sophos.xg.out_interface
     target_field: observer.egress.interface.name
@@ -189,10 +193,18 @@ processors:
     field: sophos.xg.srczonetype
     target_field: observer.ingress.zone
     ignore_missing: true
+- rename:
+    field: sophos.xg.src_zone_type
+    target_field: observer.ingress.zone
+    ignore_missing: true
 - rename:
     field: sophos.xg.dstzonetype
     target_field: observer.egress.zone
     ignore_missing: true
+- rename:
+    field: sophos.xg.dst_zone_type
+    target_field: observer.egress.zone
+    ignore_missing: true
 # extract from log_id the new field "sophos.xg.message_id"
 - set:
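Review bot: The added rename for sophos.xg.device_serial_id writes to observer.serial_number, the same target_field the existing rename of sophos.xg.device_id just above it uses, and the ingest rename processor rejects a document whose target field is already set; an event that carries both the legacy and the new source name would therefore fail the whole pipeline unless a top-level on_failure outside this hunk catches it, and the two zone renames in the second hunk (src_zone_type and dst_zone_type next to srczonetype and dstzonetype) have the same exposure. Guarding each new processor on its target being unset avoids that, e.g. `if: ctx.observer?.serial_number == null` here and the equivalent `ctx.observer?.ingress?.zone == null` / `ctx.observer?.egress?.zone == null` on the zone renames. Whether the old and new names can co-occur in one event is not visible in this diff; if they cannot, a one-line comment above the new processor naming the log format that introduced the underscored field names would spare the next reader the same question. The processors list continues outside both hunks.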