[Enhancement] Add Related Code Signature Fields #2570

@MakoWish

Summary

I would like to request the officialization (is that a real word?) of related.code_signature.* fields into ECS.

Motivation:

There have been quite a few occasions where I want to find any file, DLL, or process that has a certain digital signature. As it is now, I have to do OR operations on dll.code_signature.subject_name, file.code_signature.subject_name, and process.code_signature.subject_name. It would be easier to just look at a related.code_signature.subject_name as I often do for things like user names and IP addresses.

Detailed Design:

Provide additional details around the design of the proposed changes.

  • Field names
    • related.code_signature.*
  • Example values for the fields
    • related.code_signature.subject_name: Google LLC
    • related.code_signature.trusted: true
    • etc.
  • Suggested appropriate datatypes
    • Same as already exist in the code_signature schema.
  • Any example events that map to the proposed use case(s)
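A sketch of the enrichment this request implies, added here as an illustration and not part of the original issue or of ECS itself: it copies the dll, file and process code_signature values of one event into the proposed related.code_signature.* fields. The function names, the sample event, and the choice to store de-duplicated arrays (borrowed from how related.ip and related.user behave) are assumptions.

```python
"""Added sketch: populate the proposed related.code_signature.* fields."""

# The three field sets named in the issue; nested ECS documents are assumed.
SOURCES = ("dll", "file", "process")


def add_related_code_signature(event):
    """Copy every <source>.code_signature.<field> value into
    related.code_signature.<field> as a de-duplicated list (the array
    convention is an assumption borrowed from related.ip / related.user)."""
    collected = {}
    for source in SOURCES:
        container = event.get(source)
        signature = container.get("code_signature") if isinstance(container, dict) else None
        if not isinstance(signature, dict):
            continue  # source absent or unsigned: nothing to collect
        for field, value in signature.items():
            values = value if isinstance(value, list) else [value]
            bucket = collected.setdefault(field, [])
            for item in values:
                if item is not None and item not in bucket:
                    bucket.append(item)
    if collected:
        event.setdefault("related", {})["code_signature"] = collected
    return event


# Constructed sample event: a signed process that loaded a DLL from another signer.
SAMPLE_EVENT = {
    "process": {"name": "chrome.exe",
                "code_signature": {"subject_name": "Google LLC", "trusted": True}},
    "dll": {"name": "example.dll",
            "code_signature": {"subject_name": "Example Corp", "trusted": False}},
    "file": {"name": "chrome.exe",
             "code_signature": {"subject_name": "Google LLC", "trusted": True}},
}


def has_signer(event, subject_name):
    """One lookup replaces the three-way OR over dll/file/process."""
    related = event.get("related", {}).get("code_signature", {})
    return subject_name in related.get("subject_name", [])


if __name__ == "__main__":
    enriched = add_related_code_signature(dict(SAMPLE_EVENT))
    print(enriched["related"]["code_signature"])
```

Once flattened, the related.code_signature.trusted array no longer says which binary was untrusted, so the per-entity fields remain the place to confirm a hit.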
