From b412bfebe7a151c6cea3028d9aac14f3330e6767 Mon Sep 17 00:00:00 2001
From: John U <53329154+jdu2600@users.noreply.github.com>
Date: Wed, 4 Oct 2023 01:48:01 +0800
Subject: [PATCH] additional process callstack fields (#435)
* add missing process.parent.thread.Ext.call_stack fields
* add generated file
---
 .../doc/endpoint/process/windows/windows_process_create.md | 3 +++
 .../data_stream/process/windows/windows_process_create.yaml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/custom_documentation/doc/endpoint/process/windows/windows_process_create.md b/custom_documentation/doc/endpoint/process/windows/windows_process_create.md
index c15362d36..bd2bf4a04 100644
--- a/custom_documentation/doc/endpoint/process/windows/windows_process_create.md
+++ b/custom_documentation/doc/endpoint/process/windows/windows_process_create.md
@@ -107,6 +107,9 @@ This event is generated when a process is created.
 | process.parent.name |
 | process.parent.pid |
 | process.parent.thread.Ext.call_stack.symbol_info |
+| process.parent.thread.Ext.call_stack.protection |
+| process.parent.thread.Ext.call_stack.callsite_leading_bytes |
+| process.parent.thread.Ext.call_stack.callsite_trailing_bytes |
 | process.parent.thread.Ext.call_stack_contains_unbacked |
 | process.parent.thread.Ext.call_stack_summary |
 | process.pe.imphash |
diff --git a/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create.yaml b/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create.yaml
index ef07bb013..d146e2acf 100644
--- a/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create.yaml
+++ b/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create.yaml
@@ -112,6 +112,9 @@ fields:
  - process.parent.name
  - process.parent.pid
  - process.parent.thread.Ext.call_stack.symbol_info
+ - process.parent.thread.Ext.call_stack.protection
+ - process.parent.thread.Ext.call_stack.callsite_leading_bytes
+ - process.parent.thread.Ext.call_stack.callsite_trailing_bytes
  - process.parent.thread.Ext.call_stack_contains_unbacked
  - process.parent.thread.Ext.call_stack_summary
  - process.pe.imphash