To simplify the design for Kestrel, we started with entity as a first-class citizen. This covers the horizontal lines in a Computation Graph (GC). To fully express a GC, we need a way to express the vertical lines, i.e., events that connect entities.
Events are useful in connecting entities (actually entities do not connect by themselves, but always connect via events in a GC). They are also useful in reasoning, e.g., viewing network connections as events between a process and an IP, the events are useful for analyzing connection frequency and patterns.
In conventional record-based reasoning, lots of data sources define each event as a record, making it a bonus: if Kestrel can express events, one can perform conventional record-based reasoning as a given. Of course, we would like to make an appropriate abstraction, so the user does not need to JOIN events/records as in record-based reasoning, which requires dealing with heterogeneous types of records; that is too deep into how to hunt (it should be defined in the compiler and auto-generated by the Kestrel layer).
STIX has the SCO/entity `network-traffic`, which actually is an event in its essence.
Design the event type and make it referable (and stored in a variable) by users (see `x-oca-event` in Support for 2nd degree relations #295). More specifically, we need to upgrade the `FIND` design since the most fine-grained relation will always be `entity-event-entity` as illustrated in a GC.
Normalize `x-oca-event`, SRO in STIX 2.1, and STIX observation (many stix-shifter connectors yield an observation from a single event; STIX does not define what the scope of an observation is, so this is ruled by each stix-shifter connector).
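The normalization the issue asks for, as an added example (not Kestrel's code, and not a proposed implementation of `FIND`): three heterogeneous record shapes, a STIX 2.0-style `observed-data` whose `network-traffic` SCO is treated as the event, a STIX 2.1 SRO (`relationship`), and an `x-oca-event`, are all reduced to `entity-event-entity` triples, and a connection-frequency count is then run over the triples without the user ever joining records. The sample records are constructed for this example; the `x-oca-event` field names (`action`, `process_ref`, `ip_refs`) follow the stix-shifter convention but are assumptions here, and a dangling reference is dropped rather than turned into a fabricated entity.

```python
"""Entity-event-entity normalization over heterogeneous STIX-style records.

Added example, not Kestrel code. The sample records below are constructed;
x-oca-event field names are assumed from the stix-shifter convention.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# (source entity, event type, target entity); entities are rendered as "type:key".
Triple = Tuple[str, str, str]


def entity_key(obj: Dict) -> str:
    """Render an SCO as a stable entity key: a process by name+pid, an address by value."""
    t = obj["type"]
    if t == "process":
        return f"process:{obj.get('name', '?')}:{obj.get('pid', '?')}"
    if t in ("ipv4-addr", "ipv6-addr", "domain-name"):
        return f"{t}:{obj['value']}"
    return f"{t}:{obj.get('id', '?')}"


def events_from_observed_data(od: Dict) -> List[Triple]:
    """observed-data with a STIX 2.0 objects dict: a process that opened a
    network-traffic SCO yields one process -> destination-ip event."""
    objs = od["objects"]
    out: List[Triple] = []
    for obj in objs.values():
        if obj["type"] != "process":
            continue
        for nt_ref in obj.get("opened_connection_refs", []):
            nt = objs.get(nt_ref)
            if not nt or nt["type"] != "network-traffic" or "dst_ref" not in nt:
                continue  # the network-traffic SCO itself is the event
            out.append((entity_key(obj), "network-traffic", entity_key(objs[nt["dst_ref"]])))
    return out


def events_from_sro(rel: Dict, scos: Dict[str, Dict]) -> List[Triple]:
    """STIX 2.1 relationship: source_ref/target_ref already name both entities."""
    if rel.get("type") != "relationship":
        return []
    src, dst = scos.get(rel["source_ref"]), scos.get(rel["target_ref"])
    if src is None or dst is None:
        return []  # dangling ref: drop rather than invent an entity
    return [(entity_key(src), rel["relationship_type"], entity_key(dst))]


def events_from_oca_event(ev: Dict, objs: Dict[str, Dict]) -> List[Triple]:
    """x-oca-event (assumed fields): one event object fans out to each ip it references."""
    proc = objs.get(ev.get("process_ref", ""))
    if proc is None:
        return []
    return [(entity_key(proc), ev.get("action", "x-oca-event"), entity_key(objs[r]))
            for r in ev.get("ip_refs", []) if r in objs]


def connection_frequency(triples: Iterable[Triple]) -> Counter:
    """Reasoning over events: count process -> ip pairs regardless of record shape."""
    return Counter((s, d) for s, _, d in triples)


# --- constructed samples (not real telemetry) ---------------------------------
OBSERVED_DATA = {
    "type": "observed-data",
    "objects": {
        "0": {"type": "process", "pid": 4242, "name": "curl", "opened_connection_refs": ["2"]},
        "1": {"type": "ipv4-addr", "value": "10.0.0.5"},
        "2": {"type": "network-traffic", "src_ref": "1", "dst_ref": "3",
              "dst_port": 443, "protocols": ["tcp"]},
        "3": {"type": "ipv4-addr", "value": "198.51.100.7"},
    },
}
SCOS = {
    "process--a": {"type": "process", "pid": 4242, "name": "curl"},
    "ipv4-addr--b": {"type": "ipv4-addr", "value": "198.51.100.7"},
    "ipv4-addr--c": {"type": "ipv4-addr", "value": "203.0.113.9"},
}
SRO = {"type": "relationship", "relationship_type": "communicates-with",
       "source_ref": "process--a", "target_ref": "ipv4-addr--b"}
OCA_EVENT = {"type": "x-oca-event", "action": "network_connection",
             "process_ref": "process--a", "ip_refs": ["ipv4-addr--b", "ipv4-addr--c"]}


def normalize_all() -> List[Triple]:
    """All three record shapes reduced to the same entity-event-entity form."""
    return (events_from_observed_data(OBSERVED_DATA)
            + events_from_sro(SRO, SCOS)
            + events_from_oca_event(OCA_EVENT, SCOS))


if __name__ == "__main__":
    for triple in normalize_all():
        print(triple)
    print(connection_frequency(normalize_all()).most_common())
```

The point of the shape is that the reasoning step (`connection_frequency`) sees only triples; which connector produced the record, and whether the event arrived as a `network-traffic` SCO, an SRO or an `x-oca-event`, is resolved once in the normalizers, which is where the issue says the compiler layer should hide the heterogeneity.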