We'll consider implementing this and would certainly accept pull requests (as long as the feature has to be enabled using a config option.)

Just as a note: For filtering purposes, this can be done efficiently on the SIEM side, e.g. in Splunk:

| eval cmdline=urldecode(mvjoin('EXECVE.ARGV{}', " "))

An eval in splunk is a field modification that happens at search time. Most other SIEM systems index fields in the form they receive them and don't provide many or efficient methods to combine, split or modify fields at search time but perform these actions at index time. The problem with that is that this is often a custom modification of the indexer logic and differs from user to user.

Since we try to write rules that can be used by all users in the same way and the full command line is the single most important field for which we try to develop rules since day 1, a concatenated command line field would be very helpful.

I agree with @Neo23x0 that most other SIEMs (mine too) lack functionality to combine fields at search time. For example, even in ELK you can achieve this by scripting but that is not recommended as it causes performance hit.

The main reason why LAUREL exists in the first place - because even with splunk, decoding, combining (which requires for-each) on a dynamic list of a0, aX[] fields is not possible.

However, one thing to keep in mind though: Even with a joined array, For "plaintext" commandlines, urldecode is necessary - either at index or searchtime. This cannot be done by LAUREL, otherwise the transfer with json wouldn't be without information loss. And where that leads us is back to [aX=DEADBEEF].