ocsf-schema
New `threat_intelligence` Profile
BLUF: Add a new Profile, `threat_intelligence`, that encompasses several existing, and some new, OCSF objects to provide conditional enrichment via cyber threat intelligence (CTI), open-source intelligence (OSINT), and/or analyst commentary. Some elements will be borrowed from STIX 2.0.
Today there is no dedicated object or profile for capturing CTI or OSINT details. The only recourse for users is the `enrichment` object, which carries a plain JSON payload without any defined schema or constraints. While this is fine for users experienced in data modeling, standardization and governance, it can lead to missing and/or duplicative data and to ad hoc changes to the schema over time.
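To make the problem concrete, here is an added example (not code from the ocsf-schema project) that constructs two enrichments from two hypothetical tools describing the same indicator with differently shaped free-form `data`, and then validates against a small constrained shape of the kind a profile would impose. The attribute names `indicator`, `confidence`, `threat_actor`, `campaign` and `comment` are placeholders for illustration, not OCSF or STIX 2.0 identifiers; the `name`/`value`/`type`/`provider`/`data` members follow OCSF's existing enrichment object.

```python
"""Free-form enrichment data versus a constrained profile object.

The two sample enrichments below are constructed for this example. They
describe the same indicator, but each producer chose its own keys inside
`data`, which is exactly the drift a defined profile prevents.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: the same IOC enriched by two different tools.
# 203.0.113.7 is an RFC 5737 documentation address, not a real indicator.
SAMPLE_ENRICHMENTS: list[dict[str, Any]] = [
    {
        "name": "ip_intel",
        "value": "203.0.113.7",
        "type": "ip",
        "provider": "tool-a",
        "data": {"actor": "EXAMPLE-GROUP", "conf": 80},
    },
    {
        "name": "ip_intel",
        "value": "203.0.113.7",
        "type": "ip",
        "provider": "tool-b",
        "data": {"threat_actor": "EXAMPLE-GROUP", "confidence": "high"},
    },
]

# Hypothetical constrained shape for the proposed profile's object.
# Required attributes and their types; optional attributes likewise.
PROFILE_REQUIRED: dict[str, type] = {
    "indicator": str,
    "confidence": int,
    "threat_actor": str,
}
PROFILE_OPTIONAL: dict[str, type] = {"campaign": str, "comment": str}


def free_form_keys(enrichments: list[dict[str, Any]]) -> set[str]:
    """Collect every key used inside `data` across the enrichments.

    With no schema, each producer invents its own vocabulary, so the
    union of keys grows and consumers cannot query one field reliably.
    """
    keys: set[str] = set()
    for e in enrichments:
        keys.update((e.get("data") or {}).keys())
    return keys


def find_duplicate_indicators(
    enrichments: list[dict[str, Any]],
) -> dict[tuple[str | None, str | None], list[str | None]]:
    """Group enrichments by (type, value); return those described more than once.

    Duplicates are not wrong by themselves, but without a shared shape
    the duplicates cannot be merged or deduplicated mechanically.
    """
    seen: dict[tuple[str | None, str | None], list[str | None]] = {}
    for e in enrichments:
        key = (e.get("type"), e.get("value"))
        seen.setdefault(key, []).append(e.get("provider"))
    return {k: v for k, v in seen.items() if len(v) > 1}


def validate_ti_object(obj: dict[str, Any]) -> list[str]:
    """Check a candidate object against the hypothetical profile shape.

    Returns a list of human-readable problems; an empty list means the
    object conforms. Unknown keys are rejected so that drift is caught
    at ingest rather than discovered later in queries.
    """
    problems: list[str] = []
    for key, typ in PROFILE_REQUIRED.items():
        if key not in obj:
            problems.append(f"missing required attribute {key!r}")
        elif not isinstance(obj[key], typ):
            problems.append(f"{key!r} must be of type {typ.__name__}")
    for key, typ in PROFILE_OPTIONAL.items():
        if key in obj and not isinstance(obj[key], typ):
            problems.append(f"{key!r} must be of type {typ.__name__}")
    for key in obj:
        if key not in PROFILE_REQUIRED and key not in PROFILE_OPTIONAL:
            problems.append(f"unknown attribute {key!r}")
    conf = obj.get("confidence")
    if isinstance(conf, int) and not 0 <= conf <= 100:
        problems.append("confidence must be within 0..100")
    return problems


if __name__ == "__main__":
    print("keys used in free-form data:", sorted(free_form_keys(SAMPLE_ENRICHMENTS)))
    print("indicators described more than once:", find_duplicate_indicators(SAMPLE_ENRICHMENTS))
    print("problems with tool-a's shape:", validate_ti_object({"indicator": "203.0.113.7", "conf": 80}))
```

Running it shows four distinct keys for what are really two concepts (actor and confidence), one indicator reported twice, and a list of concrete schema violations once a constrained shape is applied; the same checks would be a no-op on the free-form `data` member because nothing declares what it must contain.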
This new object and profile will try to reuse existing OCSF objects that already capture details about digital signatures, URLs, IP addresses, Autonomous Systems (AS), organizations, and similar information often gleaned from EDRs/EPPs, TIPs, and OSINT tools.
Additionally, the need to capture analyst comments, as well as the campaigns and threat actors indicated by IOCs/IOAs, can be met by borrowing (directly or indirectly) from the STIX 2.0 Campaign and Threat Actor objects.