Added call_stack_contains_unbacked field (#308)

bit-envoy · gabriellandau · web-flow · commit 87e047f8d0e4 · 2022-11-08T19:35:43.000+01:00
* added call_stack_contains_unbacked field

* fixes

* fixes

* fixes

* fixes

* fixes

* added sample

* fixes

* fixes

* fixes

* fixes

* fixes

* fixes

* fixes

* Update custom_schemas/custom_process.yml

Co-authored-by: Gabriel Landau &lt;42078554+gabriellandau@users.noreply.github.com&gt;

* fixes

Co-authored-by: Gabriel Landau &lt;42078554+gabriellandau@users.noreply.github.com&gt;
diff --git a/custom_schemas/custom_process.yml b/custom_schemas/custom_process.yml
@@ -62,7 +62,7 @@
       description: Parent process' pid.
       example: 4241
       default_field: false
-
+      
     - name: Ext
       level: custom
       type: object
@@ -95,6 +95,11 @@
       level: custom
       type: object
       description: Object for all custom defined fields to live in.
+      
+    - name: thread.Ext.call_stack_contains_unbacked
+      level: custom
+      type: boolean
+      description: Indicates whether the creating thread's stack contains frames pointing outside any known executable image.
 
     - name: thread.Ext.call_stack_summary
       level: custom
diff --git a/custom_subsets/elastic_endpoint/process/process.yaml b/custom_subsets/elastic_endpoint/process/process.yaml
@@ -235,6 +235,9 @@ fields:
             fields:
               id: {}
               name: {}
+              Ext:
+                fields:
+                  call_stack_contains_unbacked: {}
           title: {}
           uptime: {}
           working_directory: {}
diff --git a/package/endpoint/data_stream/process/fields/fields.yml b/package/endpoint/data_stream/process/fields/fields.yml
@@ -2167,6 +2167,16 @@
       ignore_above: 1024
       description: Name of the group.
       default_field: false
+    - name: parent.thread.Ext
+      level: custom
+      type: object
+      description: Object for all custom defined fields to live in.
+      default_field: false
+    - name: parent.thread.Ext.call_stack_contains_unbacked
+      level: custom
+      type: boolean
+      description: Indicates whether the creating thread's stack contains frames pointing outside any known executable image.
+      default_field: false
     - name: parent.thread.id
       level: extended
       type: long
diff --git a/package/endpoint/data_stream/process/sample_event.json b/package/endpoint/data_stream/process/sample_event.json
@@ -99,7 +99,12 @@
             "args_count": 0,
             "entity_id": "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTYwMC0xMzI5MzU0OTExMC40NjgyMjI3MDA=",
             "command_line": "",
-            "executable": "C:\\Windows\\System32\\services.exe"
+            "executable": "C:\\Windows\\System32\\services.exe",
+            "thread": {
+                "Ext": {
+                    "call_stack_contains_unbacked": true
+                }
+            }
         },
         "pid": 2772,
         "working_directory": "C:\\Windows\\system32\\",
diff --git a/package/endpoint/docs/README.md b/package/endpoint/docs/README.md
@@ -2257,6 +2257,8 @@ sent by the endpoint.
 | process.parent.start | The time the process started. | date |
 | process.parent.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword |
 | process.parent.supplemental_groups.name | Name of the group. | keyword |
+| process.parent.thread.Ext | Object for all custom defined fields to live in. | object |
+| process.parent.thread.Ext.call_stack_contains_unbacked | Indicates whether the creating thread's stack contains frames pointing outside any known executable image. | boolean |
 | process.parent.thread.id | Thread ID. | long |
 | process.parent.thread.name | Thread name. | keyword |
 | process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
diff --git a/schemas/v1/process/process.yaml b/schemas/v1/process/process.yaml
