diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 7656e98f722..9afcd28349d 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.8.2"
+ changes:
+ - description: Map Sysmon event 26 file delete hashes to `file.hash` instead of `process.hash`.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/18501
 - version: "3.8.1"
 changes:
 - description: Safely handle malformed UAC values in Windows Security event 4738 to prevent ingest pipeline failures.
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
index 411062fa599..cb562ab5b5a 100644
--- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
@@ -21603,6 +21603,9 @@
 "file": {
 "directory": "C:\\Windows\\ServiceState\\EventLog\\Data",
 "extension": "dat",
+ "hash": {
+ "sha256": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79"
+ },
 "name": "lastalive1.dat",
 "path": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat"
 },
@@ -21612,9 +21615,6 @@
 "process": {
 "entity_id": "{63a74932-a2b4-61ee-1b00-000000000700}",
 "executable": "C:\\Windows\\System32\\svchost.exe",
- "hash": {
- "sha256": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79"
- },
 "name": "svchost.exe",
 "pid": 1264
 },
@@ -21678,6 +21678,9 @@
 "file": {
 "directory": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache",
 "extension": "000",
+ "hash": {
+ "sha256": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b"
+ },
 "name": "OLDCACHE.000",
 "path": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000"
 },
@@ -21687,9 +21690,6 @@
 "process": {
 "entity_id": "{63a74932-3523-61ee-af00-000000000700}",
 "executable": "C:\\Windows\\system32\\svchost.exe",
- "hash": {
- "sha256": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b"
- },
 "name": "svchost.exe",
 "pid": 1364
 },
diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
index ce3ad0d1ca0..93be940e826 100644
--- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
@@ -334,7 +334,7 @@ processors:
 target_field: process.hash
 if: |-
 ctx._temp?.hashes != null &&
- ["1", "23", "24", "25", "26"].contains(ctx.event.code)
+ ["1", "23", "24", "25"].contains(ctx.event.code)
 - rename:
 field: process.hash.imphash
 target_field: process.pe.imphash
diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
index 1254167f504..9ad424da734 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 3.8.1
+version: 3.8.2
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories:
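Review bot: Dropping "26" from the event-code list that routes `_temp.hashes` to `process.hash` leaves the list as an unexplained magic set, and the correctness of the fix now rests on a processor outside this hunk routing event 26 hashes to `file.hash` — the updated expected output shows `file.hash.sha256` populated for those events, so that path presumably exists, but nothing in the pipeline hunk says so. Suggest a comment above the `if:`, e.g. `# event 26 (FileDeleteDetected) hashes describe the deleted file, not the acting process, and are routed to file.hash` so the next maintainer does not re-add it. This matters for detection content: before the change, a rule keyed on `process.hash.sha256` could match the hash of a deleted file rather than the image of the process that deleted it. The `process.hash.imphash` to `process.pe.imphash` rename visible after the changed line has no `file.hash` counterpart in this hunk; if the file-hash path can receive an `imphash` entry it would need the same treatment, which I cannot confirm from here. The enclosing rename processor starts before the hunk's first line.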