I found a solution:
I added the following to the winlogbeat.yml processors section for the ForwardedEvents log.
- copy_fields:
when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
fields:
- from: winlog.user.name
to: user.name
fail_on_error: false
ignore_missing: true