From a04f77624e085804eacb1c916f4002e9e0c0dc45 Mon Sep 17 00:00:00 2001
From: Asuka Nakajima
Date: Mon, 23 Jun 2025 01:09:28 -0400
Subject: [PATCH 1/2] update custom documentation
---
 .../security/windows/windows_security_log_off.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/custom_documentation/src/endpoint/data_stream/security/windows/windows_security_log_off.yaml b/custom_documentation/src/endpoint/data_stream/security/windows/windows_security_log_off.yaml
index 54a52c83..0f1a8c26 100644
--- a/custom_documentation/src/endpoint/data_stream/security/windows/windows_security_log_off.yaml
+++ b/custom_documentation/src/endpoint/data_stream/security/windows/windows_security_log_off.yaml
@@ -55,13 +55,19 @@ fields:
 - process.Ext.code_signature.status
 - process.Ext.code_signature.subject_name
 - process.Ext.code_signature.trusted
+ - process.Ext.protection
 - process.Ext.session_info.logon_type
+ - process.Ext.token.integrity_level_name
 - process.code_signature.exists
 - process.code_signature.status
 - process.code_signature.subject_name
 - process.code_signature.trusted
+ - process.command_line
 - process.entity_id
 - process.executable
+ - process.name
+ - process.parent.executable
+ - process.pid
 - user.domain
 - user.effective.domain
 - user.effective.email
From f88f058a006e04dd753c6cf71988f290aefd9012 Mon Sep 17 00:00:00 2001
From: Asuka Nakajima
Date: Mon, 23 Jun 2025 05:14:03 +0000
Subject: [PATCH 2/2] add generated file
---
 .../endpoint/security/windows/windows_security_log_off.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/custom_documentation/doc/endpoint/security/windows/windows_security_log_off.md b/custom_documentation/doc/endpoint/security/windows/windows_security_log_off.md
index f477167c..3641b542 100644
--- a/custom_documentation/doc/endpoint/security/windows/windows_security_log_off.md
+++ b/custom_documentation/doc/endpoint/security/windows/windows_security_log_off.md
@@ -51,13 +51,19 @@ This event is generated when a user logs off of the computer.
 | process.Ext.code_signature.status |
 | process.Ext.code_signature.subject_name |
 | process.Ext.code_signature.trusted |
+| process.Ext.protection |
 | process.Ext.session_info.logon_type |
+| process.Ext.token.integrity_level_name |
 | process.code_signature.exists |
 | process.code_signature.status |
 | process.code_signature.subject_name |
 | process.code_signature.trusted |
+| process.command_line |
 | process.entity_id |
 | process.executable |
+| process.name |
+| process.parent.executable |
+| process.pid |
 | user.domain |
 | user.effective.domain |
 | user.effective.email |