diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go
new file mode 100644
index 0000000000..df61c3b935
--- /dev/null
+++ b/code/go/ecs/code_signature.go
@@ -0,0 +1,46 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+// These fields contain information about binary code signatures.
+type CodeSignature struct {
+	// Boolean to capture if a signature is present.
+	Exists bool `ecs:"exists"`
+
+	// Subject name of the code signer
+	SubjectName string `ecs:"subject_name"`
+
+	// Boolean to capture if the digital signature is verified against the
+	// binary content.
+	// Leave unpopulated if a certificate was unchecked.
+	Valid bool `ecs:"valid"`
+
+	// Stores the trust status of the certificate chain.
+	// Validating the trust of the certificate chain may be complicated, and
+	// this field should only be populated by tools that actively check the
+	// status.
+	Trusted bool `ecs:"trusted"`
+
+	// Additional information about the certificate status.
+	// This is useful for logging cryptographic errors with the certificate
+	// validity or trust status. Leave unpopulated if the validity or trust of
+	// the certificate was unchecked.
+	Status string `ecs:"status"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 10dd88f038..7fe3b44c09 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -550,6 +550,101 @@ example: `us-east-1`
 
 |=====
 
+[[ecs-code_signature]]
+=== Code Signature Fields
+
+These fields contain information about binary code signatures.
+
+==== Code Signature Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| code_signature.exists
+| Boolean to capture if a signature is present.
+
+type: boolean
+
+
+
+example: `true`
+
+| core
+
+// ===============================================================
+
+| code_signature.status
+| Additional information about the certificate status.
+
+This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+
+
+example: `ERROR_UNTRUSTED_ROOT`
+
+| extended
+
+// ===============================================================
+
+| code_signature.subject_name
+| Subject name of the code signer
+
+type: keyword
+
+
+
+example: `Microsoft Corporation`
+
+| core
+
+// ===============================================================
+
+| code_signature.trusted
+| Stores the trust status of the certificate chain.
+
+Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+
+
+example: `true`
+
+| extended
+
+// ===============================================================
+
+| code_signature.valid
+| Boolean to capture if the digital signature is verified against the binary content.
+
+Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+
+
+example: `true`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+==== Field Reuse
+
+The `code_signature` fields are expected to be nested at: `dll.code_signature`, `file.code_signature`, `process.code_signature`, `process.parent.code_signature`.
+
+Note also that the `code_signature` fields are not expected to be used directly at the top level.
+
+
+
+
 [[ecs-container]]
 === Container Fields
 
@@ -925,6 +1020,12 @@ example: `C:\Windows\System32\kernel32.dll`
 // ===============================================================
 
 
+| <<ecs-code_signature,dll.code_signature.*>>
+| These fields contain information about binary code signatures.
+
+// ===============================================================
+
+
 | <<ecs-hash,dll.hash.*>>
 | Hashes, usually file hashes.
 
@@ -2049,6 +2150,12 @@ example: `1001`
 // ===============================================================
 
 
+| <<ecs-code_signature,file.code_signature.*>>
+| These fields contain information about binary code signatures.
+
+// ===============================================================
+
+
 | <<ecs-hash,file.hash.*>>
 | Hashes, usually file hashes.
 
@@ -4198,6 +4305,12 @@ example: `/home/alice`
 // ===============================================================
 
 
+| <<ecs-code_signature,process.code_signature.*>>
+| These fields contain information about binary code signatures.
+
+// ===============================================================
+
+
 | <<ecs-hash,process.hash.*>>
 | Hashes, usually file hashes.
 
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index 47f60f48da..4afae5ded9 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -28,6 +28,8 @@ all fields are defined.
 
 | <<ecs-cloud,Cloud>> | Fields about the cloud resource.
 
+| <<ecs-code_signature,Code Signature>> | These fields contain information about binary code signatures.
+
 | <<ecs-container,Container>> | Fields describing the container that generated this event.
 
 | <<ecs-destination,Destination>> | Fields about the destination side of a network connection, used with source.
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 8a66797378..9fd24ef4ea 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -429,6 +429,54 @@
       ignore_above: 1024
       description: Region in which this host is running.
       example: us-east-1
+  - name: code_signature
+    title: Code Signature
+    group: 2
+    description: These fields contain information about binary code signatures.
+    type: group
+    fields:
+    - name: exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
   - name: container
     title: Container
     group: 2
@@ -709,6 +757,48 @@
       * Dynamic library (`.dylib`) commonly used on macOS'
     type: group
     fields:
+    - name: code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
     - name: hash.md5
       level: extended
       type: keyword
@@ -1288,6 +1378,48 @@
         execute, hidden, read, readonly, system, write.'
       example: '["readonly", "system"]'
       default_field: false
+    - name: code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
     - name: created
       level: extended
       type: date
@@ -2549,6 +2681,48 @@
         indication of suspicious activity.'
       example: 4
       default_field: false
+    - name: code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
     - name: command_line
       level: extended
       type: keyword
@@ -2639,6 +2813,48 @@
         indication of suspicious activity.'
       example: 4
       default_field: false
+    - name: parent.code_signature.exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      default_field: false
+    - name: parent.code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: parent.code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: parent.code_signature.trusted
+      level: extended
+      type: boolean
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      default_field: false
+    - name: parent.code_signature.valid
+      level: extended
+      type: boolean
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      default_field: false
     - name: parent.command_line
       level: extended
       type: keyword
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 4af0e4ebe8..3f59cc6fc5 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -51,6 +51,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
 1.5.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
 1.5.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.5.0-dev,true,code_signature,code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,code_signature,code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.5.0-dev,true,code_signature,code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.5.0-dev,true,code_signature,code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,code_signature,code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,container,container.id,keyword,core,,,Unique container id.
 1.5.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
 1.5.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
@@ -90,6 +95,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifiers of the user.
 1.5.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
 1.5.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.5.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.5.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.5.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
 1.5.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
 1.5.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -150,6 +160,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
 1.5.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
 1.5.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.5.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.5.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.5.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,file,file.created,date,extended,,,File creation time.
 1.5.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
 1.5.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
@@ -321,6 +336,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,pe,pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.5.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
 1.5.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.5.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.5.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.5.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
@@ -334,6 +354,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
 1.5.0-dev,true,process,process.parent.args,keyword,extended,array,"['ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
 1.5.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
+1.5.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.5.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.5.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 2311f18445..6ecb6dda93 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -627,6 +627,79 @@ cloud.region:
   order: 2
   short: Region in which this host is running.
   type: keyword
+code_signature.exists:
+  dashed_name: code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  order: 0
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+code_signature.status:
+  dashed_name: code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  order: 4
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+code_signature.subject_name:
+  dashed_name: code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  order: 1
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+code_signature.trusted:
+  dashed_name: code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  order: 3
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+code_signature.valid:
+  dashed_name: code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  order: 2
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
 container.id:
   dashed_name: container-id
   description: Unique container id.
@@ -1110,6 +1183,79 @@ destination.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+dll.code_signature.exists:
+  dashed_name: dll-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: dll.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  order: 0
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+dll.code_signature.status:
+  dashed_name: dll-code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: dll.code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  order: 4
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+dll.code_signature.subject_name:
+  dashed_name: dll-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: dll.code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  order: 1
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+dll.code_signature.trusted:
+  dashed_name: dll-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: dll.code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  order: 3
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+dll.code_signature.valid:
+  dashed_name: dll-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: dll.code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  order: 2
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
 dll.hash.md5:
   dashed_name: dll-hash-md5
   description: MD5 hash.
@@ -2258,6 +2404,79 @@ file.attributes:
   order: 1
   short: Array of file attributes.
   type: keyword
+file.code_signature.exists:
+  dashed_name: file-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: file.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  order: 0
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+file.code_signature.status:
+  dashed_name: file-code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: file.code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  order: 4
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+file.code_signature.subject_name:
+  dashed_name: file-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: file.code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  order: 1
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+file.code_signature.trusted:
+  dashed_name: file-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: file.code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  order: 3
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+file.code_signature.valid:
+  dashed_name: file-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: file.code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  order: 2
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
 file.created:
   dashed_name: file-created
   description: 'File creation time.
@@ -4435,6 +4654,79 @@ process.args_count:
   order: 12
   short: Length of the process.args array.
   type: long
+process.code_signature.exists:
+  dashed_name: process-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: process.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  order: 0
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+process.code_signature.status:
+  dashed_name: process-code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: process.code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  order: 4
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+process.code_signature.subject_name:
+  dashed_name: process-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: process.code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  order: 1
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+process.code_signature.trusted:
+  dashed_name: process-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: process.code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  order: 3
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+process.code_signature.valid:
+  dashed_name: process-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: process.code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  order: 2
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
 process.command_line:
   dashed_name: process-command-line
   description: 'Full command line that started the process, including the absolute
@@ -4587,6 +4879,79 @@ process.parent.args_count:
   order: 13
   short: Length of the process.args array.
   type: long
+process.parent.code_signature.exists:
+  dashed_name: process-parent-code-signature-exists
+  description: Boolean to capture if a signature is present.
+  example: 'true'
+  flat_name: process.parent.code_signature.exists
+  level: core
+  name: exists
+  normalize: []
+  order: 0
+  original_fieldset: code_signature
+  short: Boolean to capture if a signature is present.
+  type: boolean
+process.parent.code_signature.status:
+  dashed_name: process-parent-code-signature-status
+  description: 'Additional information about the certificate status.
+
+    This is useful for logging cryptographic errors with the certificate validity
+    or trust status. Leave unpopulated if the validity or trust of the certificate
+    was unchecked.'
+  example: ERROR_UNTRUSTED_ROOT
+  flat_name: process.parent.code_signature.status
+  ignore_above: 1024
+  level: extended
+  name: status
+  normalize: []
+  order: 4
+  original_fieldset: code_signature
+  short: Additional information about the certificate status.
+  type: keyword
+process.parent.code_signature.subject_name:
+  dashed_name: process-parent-code-signature-subject-name
+  description: Subject name of the code signer
+  example: Microsoft Corporation
+  flat_name: process.parent.code_signature.subject_name
+  ignore_above: 1024
+  level: core
+  name: subject_name
+  normalize: []
+  order: 1
+  original_fieldset: code_signature
+  short: Subject name of the code signer
+  type: keyword
+process.parent.code_signature.trusted:
+  dashed_name: process-parent-code-signature-trusted
+  description: 'Stores the trust status of the certificate chain.
+
+    Validating the trust of the certificate chain may be complicated, and this field
+    should only be populated by tools that actively check the status.'
+  example: 'true'
+  flat_name: process.parent.code_signature.trusted
+  level: extended
+  name: trusted
+  normalize: []
+  order: 3
+  original_fieldset: code_signature
+  short: Stores the trust status of the certificate chain.
+  type: boolean
+process.parent.code_signature.valid:
+  dashed_name: process-parent-code-signature-valid
+  description: 'Boolean to capture if the digital signature is verified against the
+    binary content.
+
+    Leave unpopulated if a certificate was unchecked.'
+  example: 'true'
+  flat_name: process.parent.code_signature.valid
+  level: extended
+  name: valid
+  normalize: []
+  order: 2
+  original_fieldset: code_signature
+  short: Boolean to capture if the digital signature is verified against the binary
+    content.
+  type: boolean
 process.parent.command_line:
   dashed_name: process-parent-command-line
   description: 'Full command line that started the process, including the absolute
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index c0016813c9..c20207a5cb 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -766,6 +766,90 @@ cloud:
   short: Fields about the cloud resource.
   title: Cloud
   type: group
+code_signature:
+  description: These fields contain information about binary code signatures.
+  fields:
+    exists:
+      dashed_name: code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      order: 0
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    status:
+      dashed_name: code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      order: 4
+      short: Additional information about the certificate status.
+      type: keyword
+    subject_name:
+      dashed_name: code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      order: 1
+      short: Subject name of the code signer
+      type: keyword
+    trusted:
+      dashed_name: code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      order: 3
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    valid:
+      dashed_name: code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      order: 2
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
+  group: 2
+  name: code_signature
+  prefix: code_signature.
+  reusable:
+    expected:
+    - file
+    - process
+    - process.parent
+    - dll
+    top_level: false
+  short: These fields contain information about binary code signatures.
+  title: Code Signature
+  type: group
 container:
   description: 'Container fields are used for meta information about the specific
     container that is the source of information.
@@ -1290,6 +1374,79 @@ dll:
 
     * Dynamic library (`.dylib`) commonly used on macOS'
   fields:
+    code_signature.exists:
+      dashed_name: dll-code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: dll.code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      order: 0
+      original_fieldset: code_signature
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    code_signature.status:
+      dashed_name: dll-code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: dll.code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      order: 4
+      original_fieldset: code_signature
+      short: Additional information about the certificate status.
+      type: keyword
+    code_signature.subject_name:
+      dashed_name: dll-code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: dll.code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      order: 1
+      original_fieldset: code_signature
+      short: Subject name of the code signer
+      type: keyword
+    code_signature.trusted:
+      dashed_name: dll-code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: dll.code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      order: 3
+      original_fieldset: code_signature
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    code_signature.valid:
+      dashed_name: dll-code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: dll.code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      order: 2
+      original_fieldset: code_signature
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
     hash.md5:
       dashed_name: dll-hash-md5
       description: MD5 hash.
@@ -1432,6 +1589,7 @@ dll:
   group: 2
   name: dll
   nestings:
+  - code_signature
   - hash
   - pe
   prefix: dll.
@@ -2522,6 +2680,79 @@ file:
       order: 1
       short: Array of file attributes.
       type: keyword
+    code_signature.exists:
+      dashed_name: file-code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: file.code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      order: 0
+      original_fieldset: code_signature
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    code_signature.status:
+      dashed_name: file-code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: file.code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      order: 4
+      original_fieldset: code_signature
+      short: Additional information about the certificate status.
+      type: keyword
+    code_signature.subject_name:
+      dashed_name: file-code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: file.code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      order: 1
+      original_fieldset: code_signature
+      short: Subject name of the code signer
+      type: keyword
+    code_signature.trusted:
+      dashed_name: file-code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: file.code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      order: 3
+      original_fieldset: code_signature
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    code_signature.valid:
+      dashed_name: file-code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: file.code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      order: 2
+      original_fieldset: code_signature
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
     created:
       dashed_name: file-created
       description: 'File creation time.
@@ -2868,6 +3099,7 @@ file:
   group: 2
   name: file
   nestings:
+  - code_signature
   - hash
   - pe
   prefix: file.
@@ -4850,6 +5082,79 @@ process:
       order: 12
       short: Length of the process.args array.
       type: long
+    code_signature.exists:
+      dashed_name: process-code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: process.code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      order: 0
+      original_fieldset: code_signature
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    code_signature.status:
+      dashed_name: process-code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: process.code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      order: 4
+      original_fieldset: code_signature
+      short: Additional information about the certificate status.
+      type: keyword
+    code_signature.subject_name:
+      dashed_name: process-code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: process.code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      order: 1
+      original_fieldset: code_signature
+      short: Subject name of the code signer
+      type: keyword
+    code_signature.trusted:
+      dashed_name: process-code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: process.code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      order: 3
+      original_fieldset: code_signature
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    code_signature.valid:
+      dashed_name: process-code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: process.code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      order: 2
+      original_fieldset: code_signature
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
     command_line:
       dashed_name: process-command-line
       description: 'Full command line that started the process, including the absolute
@@ -5002,6 +5307,79 @@ process:
       order: 13
       short: Length of the process.args array.
       type: long
+    parent.code_signature.exists:
+      dashed_name: process-parent-code-signature-exists
+      description: Boolean to capture if a signature is present.
+      example: 'true'
+      flat_name: process.parent.code_signature.exists
+      level: core
+      name: exists
+      normalize: []
+      order: 0
+      original_fieldset: code_signature
+      short: Boolean to capture if a signature is present.
+      type: boolean
+    parent.code_signature.status:
+      dashed_name: process-parent-code-signature-status
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status. Leave unpopulated if the validity or trust of the certificate
+        was unchecked.'
+      example: ERROR_UNTRUSTED_ROOT
+      flat_name: process.parent.code_signature.status
+      ignore_above: 1024
+      level: extended
+      name: status
+      normalize: []
+      order: 4
+      original_fieldset: code_signature
+      short: Additional information about the certificate status.
+      type: keyword
+    parent.code_signature.subject_name:
+      dashed_name: process-parent-code-signature-subject-name
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      flat_name: process.parent.code_signature.subject_name
+      ignore_above: 1024
+      level: core
+      name: subject_name
+      normalize: []
+      order: 1
+      original_fieldset: code_signature
+      short: Subject name of the code signer
+      type: keyword
+    parent.code_signature.trusted:
+      dashed_name: process-parent-code-signature-trusted
+      description: 'Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this
+        field should only be populated by tools that actively check the status.'
+      example: 'true'
+      flat_name: process.parent.code_signature.trusted
+      level: extended
+      name: trusted
+      normalize: []
+      order: 3
+      original_fieldset: code_signature
+      short: Stores the trust status of the certificate chain.
+      type: boolean
+    parent.code_signature.valid:
+      dashed_name: process-parent-code-signature-valid
+      description: 'Boolean to capture if the digital signature is verified against
+        the binary content.
+
+        Leave unpopulated if a certificate was unchecked.'
+      example: 'true'
+      flat_name: process.parent.code_signature.valid
+      level: extended
+      name: valid
+      normalize: []
+      order: 2
+      original_fieldset: code_signature
+      short: Boolean to capture if the digital signature is verified against the binary
+        content.
+      type: boolean
     parent.command_line:
       dashed_name: process-parent-command-line
       description: 'Full command line that started the process, including the absolute
@@ -5422,6 +5800,7 @@ process:
   group: 2
   name: process
   nestings:
+  - code_signature
   - hash
   - pe
   prefix: process.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 2bb1fab8bc..6b5099473d 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -270,6 +270,27 @@
             }
           }
         },
+        "code_signature": {
+          "properties": {
+            "exists": {
+              "type": "boolean"
+            },
+            "status": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subject_name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "trusted": {
+              "type": "boolean"
+            },
+            "valid": {
+              "type": "boolean"
+            }
+          }
+        },
         "container": {
           "properties": {
             "id": {
@@ -461,6 +482,27 @@
         },
         "dll": {
           "properties": {
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
             "hash": {
               "properties": {
                 "md5": {
@@ -728,6 +770,27 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
             "created": {
               "type": "date"
             },
@@ -1539,6 +1602,27 @@
             "args_count": {
               "type": "long"
             },
+            "code_signature": {
+              "properties": {
+                "exists": {
+                  "type": "boolean"
+                },
+                "status": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "subject_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "trusted": {
+                  "type": "boolean"
+                },
+                "valid": {
+                  "type": "boolean"
+                }
+              }
+            },
             "command_line": {
               "fields": {
                 "text": {
@@ -1601,6 +1685,27 @@
                 "args_count": {
                   "type": "long"
                 },
+                "code_signature": {
+                  "properties": {
+                    "exists": {
+                      "type": "boolean"
+                    },
+                    "status": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "subject_name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "trusted": {
+                      "type": "boolean"
+                    },
+                    "valid": {
+                      "type": "boolean"
+                    }
+                  }
+                },
                 "command_line": {
                   "fields": {
                     "text": {
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 7c2e8e7d7a..c721e2004f 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -269,6 +269,27 @@
           }
         }
       },
+      "code_signature": {
+        "properties": {
+          "exists": {
+            "type": "boolean"
+          },
+          "status": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "subject_name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "trusted": {
+            "type": "boolean"
+          },
+          "valid": {
+            "type": "boolean"
+          }
+        }
+      },
       "container": {
         "properties": {
           "id": {
@@ -460,6 +481,27 @@
       },
       "dll": {
         "properties": {
+          "code_signature": {
+            "properties": {
+              "exists": {
+                "type": "boolean"
+              },
+              "status": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subject_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "trusted": {
+                "type": "boolean"
+              },
+              "valid": {
+                "type": "boolean"
+              }
+            }
+          },
           "hash": {
             "properties": {
               "md5": {
@@ -727,6 +769,27 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "code_signature": {
+            "properties": {
+              "exists": {
+                "type": "boolean"
+              },
+              "status": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subject_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "trusted": {
+                "type": "boolean"
+              },
+              "valid": {
+                "type": "boolean"
+              }
+            }
+          },
           "created": {
             "type": "date"
           },
@@ -1538,6 +1601,27 @@
           "args_count": {
             "type": "long"
           },
+          "code_signature": {
+            "properties": {
+              "exists": {
+                "type": "boolean"
+              },
+              "status": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "subject_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "trusted": {
+                "type": "boolean"
+              },
+              "valid": {
+                "type": "boolean"
+              }
+            }
+          },
           "command_line": {
             "fields": {
               "text": {
@@ -1600,6 +1684,27 @@
               "args_count": {
                 "type": "long"
               },
+              "code_signature": {
+                "properties": {
+                  "exists": {
+                    "type": "boolean"
+                  },
+                  "status": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "subject_name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "trusted": {
+                    "type": "boolean"
+                  },
+                  "valid": {
+                    "type": "boolean"
+                  }
+                }
+              },
               "command_line": {
                 "fields": {
                   "text": {
diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml
new file mode 100644
index 0000000000..a4be8cf758
--- /dev/null
+++ b/schemas/code_signature.yml
@@ -0,0 +1,60 @@
+---
+- name: code_signature
+  title: Code Signature
+  group: 2
+  description: These fields contain information about binary code signatures.
+  type: group
+  reusable:
+    top_level: false
+    expected:
+      - file
+      - process
+      - process.parent
+      - dll
+      # - driver
+  fields:
+
+    - name: exists
+      level: core
+      type: boolean
+      description: Boolean to capture if a signature is present.
+      example: "true"
+
+    - name: subject_name
+      level: core
+      type: keyword
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+
+    - name: valid
+      level: extended
+      type: boolean
+      short: Boolean to capture if the digital signature is verified against the binary content.
+      example: "true"
+      description: >
+        Boolean to capture if the digital signature is verified against the binary content.
+
+        Leave unpopulated if a certificate was unchecked.
+
+    - name: trusted
+      level: extended
+      type: boolean
+      short: Stores the trust status of the certificate chain.
+      example: "true"
+      description: >
+        Stores the trust status of the certificate chain.
+
+        Validating the trust of the certificate chain may be complicated, and this field should only be populated
+        by tools that actively check the status.
+
+
+    - name: status
+      level: extended
+      type: keyword
+      short: Additional information about the certificate status.
+      description: >
+        Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity or trust status.
+        Leave unpopulated if the validity or trust of the certificate was unchecked.
+      example: ERROR_UNTRUSTED_ROOT