From 2d3e43abc6209d3ac03200e4857816b26611df17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20K=C5=99e=C4=8Dan?=
Date: Mon, 13 Nov 2023 15:53:49 +0100
Subject: [PATCH 1/2] Copy changes in the metadata.json
---
 objects/metadata.json | 45 ++++++++++++++++++++++++++++++++++---------
 1 file changed, 36 insertions(+), 9 deletions(-)
diff --git a/objects/metadata.json b/objects/metadata.json
index 3125bbce5..f117f92e7 100644
--- a/objects/metadata.json
+++ b/objects/metadata.json
@@ -4,13 +4,28 @@
 "extends": "object",
 "name": "metadata",
 "attributes": {
- "correlation_uid": {},
+ "correlation_uid": {
+ "requirement": "optional"
+ },
 "event_code": {
 "requirement": "optional"
 },
- "extension": {},
+ "extension": {
+ "requirement": "optional",
+ "@deprecated": {
+ "message": "Use the extensions attribute instead.",
+ "since": "v1.0.0"
+ }
+ },
+ "extensions": {
+ "requirement": "optional"
+ },
 "labels": {
- "description": "

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: [\"network\", \"connection.ip:destination\", \"device.ip:source\"]"
+ "description": "

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: [\"network\", \"connection.ip:destination\", \"device.ip:source\"]",
+ "requirement": "optional"
+ },
+ "log_level": {
+ "requirement": "optional"
 },
 "log_name": {
 "requirement": "recommended"
@@ -21,26 +36,38 @@
 "log_version": {
 "requirement": "optional"
 },
- "logged_time": {},
+ "logged_time": {
+ "requirement": "optional"
+ },
 "modified_time": {
- "description": "The time when the event was last modified or enriched."
+ "description": "The time when the event was last modified or enriched.",
+ "requirement": "optional"
 },
+ "loggers": {},
 "original_time": {
 "requirement": "recommended"
 },
- "processed_time": {},
+ "processed_time": {
+ "requirement": "optional"
+ },
 "product": {
 "requirement": "required"
 },
- "profiles": {},
- "sequence": {},
+ "profiles": {
+ "requirement": "optional"
+ },
+ "sequence": {
+ "requirement": "optional"
+ },
+ "tenant_uid": {
+ "requirement": "recommended"
+ },
 "uid": {
 "caption": "Event UID",
 "description": "The logging system-assigned unique identifier of an event instance.",
 "requirement": "optional"
 },
 "version": {
- "default": "1.0.0",
 "description": "The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.",
 "requirement": "required"
 }
From c56fac75393f8b41aef73f8b38d82126f226531a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20K=C5=99e=C4=8Dan?=
Date: Mon, 13 Nov 2023 16:03:15 +0100
Subject: [PATCH 2/2] Add user_info.json
---
 events/discovery/discovery_result.json | 39 ++++++++++++++++++++++++++
 events/discovery/user_info.json | 13 +++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 events/discovery/discovery_result.json
 create mode 100644 events/discovery/user_info.json
diff --git a/events/discovery/discovery_result.json b/events/discovery/discovery_result.json
new file mode 100644
index 000000000..03df83d6a
--- /dev/null
+++ b/events/discovery/discovery_result.json
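Review bot: The `@deprecated` entry on `extension` says `"since": "v1.0.0"`, but the replacement it names, `extensions`, appears to be added to this object by the same hunk, so the metadata claims the attribute was deprecated before its successor existed; `since` should name the schema version that ships this change, e.g. `"since": "<RELEASE_VERSION>"` with the real number filled in. The value is also the only version string in this patch carrying a `v` prefix, while the `version` attribute in the next hunk documents bare SemVer such as `1.0.0`; if the repository's other `@deprecated` blocks use the bare form, this one should match so any tooling that compares versions keeps working. The `attributes` object opened in this hunk continues past it.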
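Review bot: `"loggers": {},` is the one attribute in this hunk added without a `requirement`, although the commit's purpose is to copy requirement levels onto every attribute, so it would be left as the only metadata attribute with no declared level; if the source being copied marks it optional, use `"loggers": { "requirement": "optional" },`. It is also inserted between `modified_time` and `original_time`, breaking the alphabetical order the rest of the block keeps; it belongs directly after `logged_time`. Separately, dropping `"default": "1.0.0"` from the required `version` attribute means events that relied on the default now have to carry the field explicitly, which is worth stating in the release notes so producers are not caught out. The enclosing `attributes` object closes outside this hunk.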
@@ -0,0 +1,39 @@
+{
+ "caption": "Discovery Result",
+ "category": "discovery",
+ "name": "discovery_result",
+ "extends": "base_event",
+ "description": "Discovery Result events report the results of a discovery request.",
+ "profiles": [
+ "host"
+ ],
+ "attributes": {
+ "$include": [
+ "profiles/host.json"
+ ],
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/events/discovery/user_info.json b/events/discovery/user_info.json
new file mode 100644
index 000000000..b4a5ced4a
--- /dev/null
+++ b/events/discovery/user_info.json
@@ -0,0 +1,13 @@
+{
+ "caption": "User Info",
+ "description": "User Info events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.",
+ "extends": "discovery_result",
+ "name": "user_info",
+ "uid": 18,
+ "attributes": {
+ "user": {
+ "group": "primary",
+ "requirement": "required"
+ }
+ }
+}
\ No newline at end of file
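Review bot: The `activity_id` enum here encodes the outcome of the discovery (`Exists`, `Partial`, `Does not exist`, `Error`, `Unsupported`) rather than the activity that was performed, which, as far as this patch shows, is what `activity_id` denotes elsewhere; an event then cannot express both what was attempted and how it ended, and consumers that route or alert on `activity_id` will receive a result code where they expect an action. Consider keeping `activity_id` for the action (the query itself) and moving these five values to a dedicated result attribute with its own enum and a `requirement`, so a failed lookup and a successful one are the same activity with different results. The file also ends with `\ No newline at end of file`; add the trailing newline the other schema files presumably have.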
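Review bot: `"uid": 18` is the class identifier within the discovery category and must not collide with any existing class there, which this patch alone cannot show; please check the other files under `events/discovery/` before merging, since a duplicate would leave two classes mapping to the same derived class id and make their events indistinguishable to consumers. The description says User Info differs from User Inventory in being a targeted search, but nothing in the class constrains that — the only override is `user` as `required`; if the distinction matters to consumers, document which query or filter attributes are expected to accompany the event. The file ends with `\ No newline at end of file`; add the trailing newline.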