diff --git a/custom_documentation/doc/endpoint/alerts/macos/macos_malicious_behavior_alert.md b/custom_documentation/doc/endpoint/alerts/macos/macos_malicious_behavior_alert.md
index 3c24bdd58..b77e715d9 100644
--- a/custom_documentation/doc/endpoint/alerts/macos/macos_malicious_behavior_alert.md
+++ b/custom_documentation/doc/endpoint/alerts/macos/macos_malicious_behavior_alert.md
@@ -10,6 +10,10 @@ This alert is generated when a Malicious Behavior alert occurs.
 | Field |
 |---|
 | @timestamp |
+| Effective_process.entity_id |
+| Effective_process.executable |
+| Effective_process.name |
+| Effective_process.pid |
 | Endpoint.policy.applied.artifacts.global.identifiers.name |
 | Endpoint.policy.applied.artifacts.global.identifiers.sha256 |
 | Endpoint.policy.applied.artifacts.global.version |
diff --git a/custom_documentation/doc/endpoint/file/macos/macos_file_delete.md b/custom_documentation/doc/endpoint/file/macos/macos_file_delete.md
index d26eba28a..a1c3122e8 100644
--- a/custom_documentation/doc/endpoint/file/macos/macos_file_delete.md
+++ b/custom_documentation/doc/endpoint/file/macos/macos_file_delete.md
@@ -10,6 +10,10 @@ This event is generated when a file is deleted.
 | Field |
 |---|
 | @timestamp |
+| Effective_process.entity_id |
+| Effective_process.executable |
+| Effective_process.name |
+| Effective_process.pid |
 | agent.id |
 | agent.type |
 | agent.version |
@@ -68,8 +72,4 @@ This event is generated when a file is deleted.
 | user.Ext.real.name |
 | user.id |
 | user.name |
-| Effective_process.entity_id |
-| Effective_process.executable |
-| Effective_process.name |
-| Effective_process.pid |
diff --git a/custom_documentation/doc/endpoint/file/macos/macos_file_extended_attributes_delete.md b/custom_documentation/doc/endpoint/file/macos/macos_file_extended_attributes_delete.md
index 96594e326..f11ae07e5 100644
--- a/custom_documentation/doc/endpoint/file/macos/macos_file_extended_attributes_delete.md
+++ b/custom_documentation/doc/endpoint/file/macos/macos_file_extended_attributes_delete.md
@@ -10,6 +10,10 @@ This event is generated when extended file attributes are deleted.
 | Field |
 |---|
 | @timestamp |
+| Effective_process.entity_id |
+| Effective_process.executable |
+| Effective_process.name |
+| Effective_process.pid |
 | agent.id |
 | agent.type |
 | agent.version |
@@ -68,8 +72,4 @@ This event is generated when extended file attributes are deleted.
 | user.Ext.real.name |
 | user.id |
 | user.name |
-| Effective_process.entity_id |
-| Effective_process.executable |
-| Effective_process.name |
-| Effective_process.pid |
diff --git a/custom_documentation/doc/endpoint/file/macos/macos_file_launch_daemon.md b/custom_documentation/doc/endpoint/file/macos/macos_file_launch_daemon.md
index cab47109b..3fa972670 100644
--- a/custom_documentation/doc/endpoint/file/macos/macos_file_launch_daemon.md
+++ b/custom_documentation/doc/endpoint/file/macos/macos_file_launch_daemon.md
@@ -10,6 +10,10 @@ This event includes information about a macOS Launch Daemon.
 | Field |
 |---|
 | @timestamp |
+| Effective_process.entity_id |
+| Effective_process.executable |
+| Effective_process.name |
+| Effective_process.pid |
 | Persistence.args |
 | Persistence.keepalive |
 | Persistence.name |
@@ -67,8 +71,4 @@ This event includes information about a macOS Launch Daemon.
 | user.Ext.real.name |
 | user.id |
 | user.name |
-| Effective_process.entity_id |
-| Effective_process.executable |
-| Effective_process.name |
-| Effective_process.pid |
diff --git a/custom_documentation/doc/endpoint/file/macos/macos_file_modification.md b/custom_documentation/doc/endpoint/file/macos/macos_file_modification.md
index 341f3f60e..467547068 100644
--- a/custom_documentation/doc/endpoint/file/macos/macos_file_modification.md
+++ b/custom_documentation/doc/endpoint/file/macos/macos_file_modification.md
@@ -10,6 +10,10 @@ This event is generated when a file is modified.
 | Field |
 |---|
 | @timestamp |
+| Effective_process.entity_id |
+| Effective_process.executable |
+| Effective_process.name |
+| Effective_process.pid |
 | agent.id |
 | agent.type |
 | agent.version |
@@ -69,8 +73,4 @@ This event is generated when a file is modified.
 | user.Ext.real.name |
 | user.id |
 | user.name |
-| Effective_process.entity_id |
-| Effective_process.executable |
-| Effective_process.name |
-| Effective_process.pid |
diff --git a/custom_documentation/doc/endpoint/file/macos/macos_file_mount.md b/custom_documentation/doc/endpoint/file/macos/macos_file_mount.md
index 10e0207c5..7e81acc3a 100644
--- a/custom_documentation/doc/endpoint/file/macos/macos_file_mount.md
+++ b/custom_documentation/doc/endpoint/file/macos/macos_file_mount.md
@@ -10,6 +10,10 @@ This event is generated when a file system is mounted.
 | Field |
 |---|
 | @timestamp |
+| Effective_process.entity_id |
+| Effective_process.executable |
+| Effective_process.name |
+| Effective_process.pid |
 | agent.id |
 | agent.type |
 | agent.version |
@@ -66,8 +70,4 @@ This event is generated when a file system is mounted.
 | user.Ext.real.name |
 | user.id |
 | user.name |
-| Effective_process.entity_id |
-| Effective_process.executable |
-| Effective_process.name |
-| Effective_process.pid |
diff --git a/custom_documentation/doc/endpoint/file/macos/macos_file_rename.md b/custom_documentation/doc/endpoint/file/macos/macos_file_rename.md
index 92ba63b4a..d5e503ed3 100644
--- a/custom_documentation/doc/endpoint/file/macos/macos_file_rename.md
+++ b/custom_documentation/doc/endpoint/file/macos/macos_file_rename.md
@@ -10,6 +10,10 @@ This event is generated when a file is renamed.
 | Field |
 |---|
 | @timestamp |
+| Effective_process.entity_id |
+| Effective_process.executable |
+| Effective_process.name |
+| Effective_process.pid |
 | agent.id |
 | agent.type |
 | agent.version |
@@ -69,8 +73,4 @@ This event is generated when a file is renamed.
 | user.Ext.real.name |
 | user.id |
 | user.name |
-| Effective_process.entity_id |
-| Effective_process.executable |
-| Effective_process.name |
-| Effective_process.pid |
diff --git a/custom_documentation/doc/endpoint/process/linux/linux_process_fork.md b/custom_documentation/doc/endpoint/process/linux/linux_process_fork.md
index 01191a4d4..c04a8c9db 100644
--- a/custom_documentation/doc/endpoint/process/linux/linux_process_fork.md
+++ b/custom_documentation/doc/endpoint/process/linux/linux_process_fork.md
@@ -70,6 +70,7 @@ This event is generated when a new process is created using `fork()`.
 | process.args |
 | process.args_count |
 | process.command_line |
+| process.end |
 | process.entity_id |
 | process.entry_leader.args |
 | process.entry_leader.args_count |
@@ -100,6 +101,7 @@ This event is generated when a new process is created using `fork()`.
 | process.entry_leader.working_directory |
 | process.env_vars |
 | process.executable |
+| process.exit_code |
 | process.group.id |
 | process.group.name |
 | process.group_leader.args |
diff --git a/custom_documentation/src/endpoint/data_stream/alerts/macos/macos_malicious_behavior_alert.yaml b/custom_documentation/src/endpoint/data_stream/alerts/macos/macos_malicious_behavior_alert.yaml
index 672fcbaca..c75966f1c 100644
--- a/custom_documentation/src/endpoint/data_stream/alerts/macos/macos_malicious_behavior_alert.yaml
+++ b/custom_documentation/src/endpoint/data_stream/alerts/macos/macos_malicious_behavior_alert.yaml
@@ -15,6 +15,10 @@ identification:
 fields:
 endpoint:
 - '@timestamp'
+ - Effective_process.entity_id
+ - Effective_process.executable
+ - Effective_process.name
+ - Effective_process.pid
 - Endpoint.policy.applied.artifacts.global.identifiers.name
 - Endpoint.policy.applied.artifacts.global.identifiers.sha256
 - Endpoint.policy.applied.artifacts.global.version
diff --git a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_delete.yaml b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_delete.yaml
index 7402a086b..b8514fcb8 100644
--- a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_delete.yaml
+++ b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_delete.yaml
@@ -15,6 +15,10 @@ identification:
 fields:
 endpoint:
 - '@timestamp'
+ - Effective_process.entity_id
+ - Effective_process.executable
+ - Effective_process.name
+ - Effective_process.pid
 - agent.id
 - agent.type
 - agent.version
@@ -73,7 +77,3 @@ fields:
 - user.Ext.real.name
 - user.id
 - user.name
- - Effective_process.entity_id
- - Effective_process.executable
- - Effective_process.name
- - Effective_process.pid
diff --git a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_extended_attributes_delete.yaml b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_extended_attributes_delete.yaml
index 037155485..be2de56ac 100644
--- a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_extended_attributes_delete.yaml
+++ b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_extended_attributes_delete.yaml
@@ -15,6 +15,10 @@ identification:
 fields:
 endpoint:
 - '@timestamp'
+ - Effective_process.entity_id
+ - Effective_process.executable
+ - Effective_process.name
+ - Effective_process.pid
 - agent.id
 - agent.type
 - agent.version
@@ -73,7 +77,3 @@ fields:
 - user.Ext.real.name
 - user.id
 - user.name
- - Effective_process.entity_id
- - Effective_process.executable
- - Effective_process.name
- - Effective_process.pid
diff --git a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_launch_daemon.yaml b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_launch_daemon.yaml
index b059885eb..9e2b8a8db 100644
--- a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_launch_daemon.yaml
+++ b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_launch_daemon.yaml
@@ -15,6 +15,10 @@ identification:
 fields:
 endpoint:
 - '@timestamp'
+ - Effective_process.entity_id
+ - Effective_process.executable
+ - Effective_process.name
+ - Effective_process.pid
 - Persistence.args
 - Persistence.keepalive
 - Persistence.name
@@ -72,7 +76,3 @@ fields:
 - user.Ext.real.name
 - user.id
 - user.name
- - Effective_process.entity_id
- - Effective_process.executable
- - Effective_process.name
- - Effective_process.pid
diff --git a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_modification.yaml b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_modification.yaml
index e29cd0ec4..a652c2f87 100644
--- a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_modification.yaml
+++ b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_modification.yaml
@@ -15,6 +15,10 @@ identification:
 fields:
 endpoint:
 - '@timestamp'
+ - Effective_process.entity_id
+ - Effective_process.executable
+ - Effective_process.name
+ - Effective_process.pid
 - agent.id
 - agent.type
 - agent.version
@@ -74,7 +78,3 @@ fields:
 - user.Ext.real.name
 - user.id
 - user.name
- - Effective_process.entity_id
- - Effective_process.executable
- - Effective_process.name
- - Effective_process.pid
diff --git a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_mount.yaml b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_mount.yaml
index 7569f226c..b066f39c3 100644
--- a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_mount.yaml
+++ b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_mount.yaml
@@ -15,6 +15,10 @@ identification:
 fields:
 endpoint:
 - '@timestamp'
+ - Effective_process.entity_id
+ - Effective_process.executable
+ - Effective_process.name
+ - Effective_process.pid
 - agent.id
 - agent.type
 - agent.version
@@ -71,7 +75,3 @@ fields:
 - user.Ext.real.name
 - user.id
 - user.name
- - Effective_process.entity_id
- - Effective_process.executable
- - Effective_process.name
- - Effective_process.pid
diff --git a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_rename.yaml b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_rename.yaml
index 2acd3b648..1065f7d37 100644
--- a/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_rename.yaml
+++ b/custom_documentation/src/endpoint/data_stream/file/macos/macos_file_rename.yaml
@@ -15,6 +15,10 @@ identification:
 fields:
 endpoint:
 - '@timestamp'
+ - Effective_process.entity_id
+ - Effective_process.executable
+ - Effective_process.name
+ - Effective_process.pid
 - agent.id
 - agent.type
 - agent.version
@@ -74,7 +78,3 @@ fields:
 - user.Ext.real.name
 - user.id
 - user.name
- - Effective_process.entity_id
- - Effective_process.executable
- - Effective_process.name
- - Effective_process.pid
diff --git a/custom_documentation/src/endpoint/data_stream/process/linux/linux_process_fork.yaml b/custom_documentation/src/endpoint/data_stream/process/linux/linux_process_fork.yaml
index e9f2e8dad..c16587994 100644
--- a/custom_documentation/src/endpoint/data_stream/process/linux/linux_process_fork.yaml
+++ b/custom_documentation/src/endpoint/data_stream/process/linux/linux_process_fork.yaml
@@ -75,6 +75,7 @@ fields:
 - process.args
 - process.args_count
 - process.command_line
+ - process.end
 - process.entity_id
 - process.entry_leader.args
 - process.entry_leader.args_count
@@ -105,6 +106,7 @@ fields:
 - process.entry_leader.working_directory
 - process.env_vars
 - process.executable
+ - process.exit_code
 - process.group.id
 - process.group.name
 - process.group_leader.args