From 9deadc6bba56dc361e95133e4ab9854bacb3c926 Mon Sep 17 00:00:00 2001
From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Date: Tue, 13 Aug 2024 13:03:08 -0400
Subject: [PATCH] Create `OSINT Inventory Info` Discovery Event (#1154)

Adds a `OSINT Inventory Info` event to the Discovery category to represent retrieval of OSINT, CTI, and other enrichment data from TIPs, XDRs, and other sources of OSINT/CTI

---------

Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
---
 CHANGELOG.md | 6 ++++++
 events/discovery/osint_inventory_info.json | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 events/discovery/osint_inventory_info.json

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a1169270d..5ba1230a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,12 @@ Thankyou! -->
 -->
+## [Unreleased]
+
+### Added
+* #### Event Classes
+ 1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
+
 ## [v1.3.0] - August 1st, 2024
 ### Added
diff --git a/events/discovery/osint_inventory_info.json b/events/discovery/osint_inventory_info.json
new file mode 100644
index 000000000..a00cf5c3e
--- /dev/null
+++ b/events/discovery/osint_inventory_info.json
@@ -0,0 +1,19 @@
+{
+ "caption": "OSINT Inventory Info",
+ "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.",
+ "extends": "discovery",
+ "name": "osint_inventory_info",
+ "uid": 21,
+ "attributes": {
+ "actor": {
+ "description": "The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "osint": {
+ "group": "primary",
+ "requirement": "required",
+ "description": "The OSINT that is being discovered by an inventory process."
+ }
+ }
+}
\ No newline at end of file
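Review bot: The new file ends without a trailing newline (`\ No newline at end of file` after the closing `}`), which breaks the usual convention for committed text files and will surface as a spurious extra change the next time the file is edited; end the file with a newline. The two attribute entries also order their keys differently — `actor` uses `description`, `group`, `requirement` while `osint` uses `group`, `requirement`, `description` — so `osint` should become `"description": "The OSINT that is being discovered by an inventory process.", "group": "primary", "requirement": "required"` for consistency. The `"uid": 21` is presumably free within the Discovery category, but nothing in this hunk shows the other `events/discovery/*.json` uids, so confirm it does not collide with an existing class before merging. Because the event's own description says the data is collected from external TIP, XDR and feed APIs, the `osint` description could state that provenance explicitly, e.g. `"description": "The OSINT that is being discovered by an inventory process, as retrieved from the external feed or platform."`, so consumers know the content is third-party supplied rather than locally observed.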