elastic · bit-envoy · Nov 8, 2022 · Nov 4, 2022 · Nov 4, 2022 · Nov 4, 2022
diff --git a/custom_schemas/custom_process.yml b/custom_schemas/custom_process.yml
@@ -62,7 +62,7 @@
       description: Parent process' pid.
       example: 4241
       default_field: false
-
+      
     - name: Ext
       level: custom
       type: object
@@ -95,6 +95,11 @@
       level: custom
       type: object
       description: Object for all custom defined fields to live in.
+
+    - name: thread.Ext.call_stack_contains_unbacked
+      level: custom
+      type: boolean
+      description: Indicates whether the creating thread's stack contains frames pointing outside any known executable image.
 
     - name: thread.Ext.call_stack_summary
       level: custom

diff --git a/custom_subsets/elastic_endpoint/process/process.yaml b/custom_subsets/elastic_endpoint/process/process.yaml
@@ -235,6 +235,9 @@ fields:
             fields:
               id: {}
               name: {}
+              Ext:
+                fields:
+                  call_stack_contains_unbacked: {}
           title: {}
           uptime: {}
           working_directory: {}

diff --git a/package/endpoint/data_stream/process/fields/fields.yml b/package/endpoint/data_stream/process/fields/fields.yml
@@ -2167,6 +2167,16 @@
       ignore_above: 1024
       description: Name of the group.
       default_field: false
+    - name: parent.thread.Ext
+      level: custom
+      type: object
+      description: Object for all custom defined fields to live in.
+      default_field: false
+    - name: parent.thread.Ext.call_stack_contains_unbacked
+      level: custom
+      type: boolean
+      description: Indicates whether the creating thread's stack contains frames pointing outside any known executable image.
+      default_field: false
     - name: parent.thread.id
       level: extended
       type: long

diff --git a/package/endpoint/data_stream/process/sample_event.json b/package/endpoint/data_stream/process/sample_event.json
@@ -99,7 +99,12 @@
             "args_count": 0,
             "entity_id": "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTYwMC0xMzI5MzU0OTExMC40NjgyMjI3MDA=",
             "command_line": "",
-            "executable": "C:\\Windows\\System32\\services.exe"
+            "executable": "C:\\Windows\\System32\\services.exe",
+            "thread": {
+                "Ext": {
+                    "call_stack_contains_unbacked": true
+                }
+            }
         },
         "pid": 2772,
         "working_directory": "C:\\Windows\\system32\\",

diff --git a/package/endpoint/docs/README.md b/package/endpoint/docs/README.md
@@ -2257,6 +2257,8 @@ sent by the endpoint.
 | process.parent.start | The time the process started. | date |
 | process.parent.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword |
 | process.parent.supplemental_groups.name | Name of the group. | keyword |
+| process.parent.thread.Ext | Object for all custom defined fields to live in. | object |
+| process.parent.thread.Ext.call_stack_contains_unbacked | Indicates whether the creating thread's stack contains frames pointing outside any known executable image. | boolean |
 | process.parent.thread.id | Thread ID. | long |
 | process.parent.thread.name | Thread name. | keyword |
 | process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |

diff --git a/schemas/v1/process/process.yaml b/schemas/v1/process/process.yaml