[EVENT] - Collection Map
OSINT-047 Real-Time Event Monitoring - collection workspace. Central topic = the monitored event class (or event domain / geolocation / threshold). Branches = detection criteria, collection lanes, threat actors, and environment data that sustain the standing watch for this subscription. Drop each collected or newly-observed value as a child node; expand it with source, date observed, and which tripwire (if any) it fired. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-047. Requires a seeding baseline: ingest OSINT-046-event-threat-and-risk-assessment or OSINT-031-country-risk-assessment before standing up collection lanes.
00 · Collection Plan - PIRs & EEIs
The standing intelligence requirements and essential elements of information (EEI) this service must keep current. Tick when satisfied for the reporting cycle; re-open each cycle. Maps to §1 Scope & Watch Criteria/Tripwires, §4 Escalation & Notification Triggers, and the ongoing gaps register (§99 Admin).
PIR-1 - Are all defined event-class tripwires being monitored with no coverage gap?
- EEI: each §1 event-class row has an active, healthy collection lane assigned
- EEI: all observable indicators confirmed reachable through lawful source lanes
- EEI: seeding baseline (threat assessment / country risk) ingested and reflected in watch criteria
- EEI: scope boundaries (in / out of scope) confirmed with client for this cycle
PIR-2 - Has any defined tripwire threshold been crossed or approached since last cycle?
- EEI: each §1 tripwire checked against current observed indicator values
- EEI: any near-miss (threshold approached within%) documented and escalated per §4
- EEI: false-positive events reviewed and watch criteria adjusted if required
PIR-3 - Has the threat actor or persons-of-interest (POI) picture changed?
- EEI: known threat actors re-screened for new activity, statements, or mobilisation signals
- EEI: new POIs surfaced through online chatter, social signals, or reporting
- EEI: existing POI status (active / dormant / neutralised) re-confirmed
PIR-4 - Has the online threat or social-signal environment changed materially?
- EEI: social media / dark-web chatter volume and sentiment compared to prior cycle baseline
- EEI: new credible threat statements, incitement, or call-to-action content detected
- EEI: new relevant hashtags, channels, or coordinating accounts identified
PIR-5 - Are all collection lanes healthy and delivering within SLA?
- EEI: each §2 source lane returned data within its scheduled cadence
- EEI: no source lane degradation or access failure unresolved
- EEI: previous-cycle gaps/RFIs resolved or carried forward with rationale
PIR-6 - Does the venue / geography / local environment picture remain current?
- EEI: venue access controls and ingress/egress status unchanged or change noted
- EEI: local security, LE, or emergency-service availability confirmed current
- EEI: infrastructure or environmental change (construction, crowd conditions) noted
Collection gaps / RFIs (running)
- [open item from current cycle] → route to [product / analyst / external request]
- [open item]
00b · Monitoring Cadence & Triggers
OSINT-047 is a retained continuous monitoring service. This branch governs the watch schedule, refresh cadence per lane, alert thresholds, and escalation path. → feeds §1 Scope & Watch Criteria/Tripwires, §2 Collection Cadence & Sources, §3 Reporting Cadence & Product Format, §4 Escalation & Notification Triggers, §5 Service Levels (SLA).
Active watch items (per §1 of deliverable)
Seed one block per §1 event-class row. Clone per watch item. Risk-score using L×I key reproduced in §4 of the deliverable (1–5 × 1–5 = 1–25).
- [watch item - e.g. mass-casualty incident within defined geofence]
- Observable indicator:
- Tripwire threshold:
- Likelihood (1–5):
- Impact (1–5):
- L×I score:
- Severity tier: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate-Low 1–10]
- Escalation route (→ §4 tier):
- Status this cycle: [Open / Fired / Clear]
- Notes / tool output:
- [watch item 2]
Collection-lane refresh cadence
Map each §2 source lane to its scheduled check frequency and last-run timestamp.
- [lane - e.g. social-media keyword monitor]
- Event class(es) served:
- Cadence: [continuous / real-time / hourly / daily / weekly]
- Last run:
- Next scheduled:
- Source grade (Admiralty):
- Owner / collector:
- Status: [Healthy / Degraded / Offline]
- [lane 2]
Alert thresholds & escalation path (per §4)
- Critical (L×I 21–25): notify within - method: - acknowledge by:
- High (L×I 16–20): notify within - method: - acknowledge by:
- Elevated (L×I 11–15): notify within - method: - acknowledge by:
- Moderate / Low (L×I 1–10): include in next routine product - method:
- False-positive protocol:
Routine reporting schedule (per §3)
- Real-time tripwire alert: on-event per §4 - last fired:
- Routine event summary: cadence - next due: - recipient:
- Service-health / SLA report: cadence - next due:
Cycle review log
- [cycle - e.g. 2026-W25]
- Tripwires fired:
- Near-misses:
- Gaps carried forward:
- Watch-list changes:
- SLA compliance:
- Notes:
01 · Event Definition & Scope
Capture the agreed event class, monitoring domain, geographic scope, and the seeding baseline product that established the event definition. Any scope change requires formal change-control per §6. → feeds §1 Scope & Watch Criteria/Tripwires, §2 Collection Cadence & Sources, Annex B Onboarding/Offboarding Checklist.
Event class / monitoring domain
- Event class:
- Geographic scope / geofence:
- Threshold domain (if non-geographic):
- Engagement authority / consent basis:
- Term / period of performance:
Seeding baseline product
- Seeding product (reference):
- Date ingested:
- Key threat picture carried in:
- Gaps identified at seeding:
Scope boundaries (per deliverable Scope, Authorities & Limitations)
- In scope:
- Out of scope:
- Routes to (seeding):
- Routes to (staffed services / GSOC):
Client / sponsor
- Client name:
- Service name (contract):
- Classification & handling:
- Service owner / author:
02 · Venue & Geography
Physical space, layout, and access associated with the monitored event or domain. Open-source mapping and imagery only; no covert/physical reconnaissance. → feeds §1 Scope & Watch Criteria/Tripwires (venue-change tripwire), §2 Collection Cadence & Sources (venue monitoring lane).
Venue / site identification
- [venue / site - e.g. stadium, transit hub, city zone]
- Address / coordinates:
- Type / function:
- Capacity / footprint:
- Verified via (source):
- Date checked:
- [venue 2]
Ingress / egress points
Clone per access point. Changes from baseline are a potential tripwire.
- [access point - e.g. Gate A, north vehicle entrance]
- Type: [pedestrian / vehicle / service / emergency]
- Status: [Open / Closed / Restricted]
- Change from baseline: [Y/N]
- Source:
- Notes / tool output: ← Google Maps, satellite imagery, official venue feeds
- [access point 2]
Site layout & mapping
- Floor-plan / map reference:
- Choke-points or high-density areas noted:
- Surveillance / CCTV coverage observed (open source):
- Adjacent infrastructure (parking, transport nodes):
Environmental / construction changes
- [change - e.g. road closure, temporary structure]
- Date observed:
- Source:
- Impact on monitored event class:
03 · Routes & Movement
Movement patterns associated with the monitored domain: transport links, crowd-flow, vehicle access routes, and any route-change signals. Clone the block per route leg. → feeds §1 Scope & Watch Criteria/Tripwires (route-disruption tripwire), §2 Collection Cadence & Sources.
Route legs
Clone per route or transport link.
- [route leg - e.g. main arterial from hub to venue]
- Mode: [vehicle / pedestrian / rail / air / maritime]
- Origination / destination:
- Nominal transit time:
- Choke-points / vulnerability noted:
- Current status: [Clear / Disrupted / Closed]
- Date checked:
- Source / URL:
- Notes / tool output: ← traffic feeds, transit authority bulletins, mapping APIs
- [route leg 2]
Transport hub status
- [hub - e.g. airport, rail terminal]
- Status: [Operational / Disrupted / Closed]
- Date checked:
- Source:
Crowd-flow and mass-movement signals
- Expected crowd volume:
- Peak ingress / egress windows:
- Anomalous crowd signals this cycle:
- Source:
- Tripwire fired: [Y/N - tier]
04 · Threat Actors & Persons of Interest
Individuals or groups assessed as potential threats to the monitored event class. Grade each attribution; never assert without basis. Clone the block per actor. → feeds §1 Scope & Watch Criteria/Tripwires (threat-actor activation tripwire), §4 Escalation & Notification Triggers, Annex A Source & Watch-List Register.
Threat actor / group
Clone per known or suspected actor.
- [actor - e.g. group name / alias]
- Type: [individual / group / network]
- Motivation: [ideological / criminal / personal / unknown]
- Capability level: [High / Medium / Low / Unknown]
- Current activity status: [Active / Dormant / Unknown]
- Last observed activity:
- Observable indicators monitored:
- Source(s):
- Attribution confidence: [Confirmed / Probable / Possible]
- Escalation tier if activated:
- Notes / tool output: ← social media monitors, adverse-media search, dark-web lane
- [actor 2]
Person of interest (POI)
Clone per POI identified from chatter or reporting.
- [POI - name or alias]
- Selectors known:
- Platform(s) monitored:
- Connection to event class:
- Threat basis:
- Attribution confidence: [Confirmed / Probable / Possible]
- Status this cycle: [Active / Dormant / No new activity]
- Escalation tier if activated:
- Notes / tool output: ← username search via sherlock/whatsmyname, social graph
- [POI 2]
05 · Threat Landscape - Incidents, History & Online Chatter
Historical incidents and current chatter relevant to the monitored event class. Volume and sentiment shifts are themselves leading indicators; track them each cycle. → feeds §1 Scope & Watch Criteria/Tripwires, §4 Escalation & Notification Triggers, §5 Service Levels (SLA - detection latency).
Prior incidents (baseline)
- [incident - e.g. prior attack / disruption of same event class]
- Date:
- Type / MO:
- Location:
- Outcome / severity:
- Relevance to current watch:
- Source grade:
- [incident 2]
Online chatter - monitored keywords / channels
Clone per keyword set or platform. Volume change is a quantifiable indicator.
- [keyword set / channel - e.g. “#EventName” on X / Telegram group / forum]
- Platform:
- Current volume (posts/day or similar):
- Baseline volume:
- Sentiment: [Neutral / Negative / Threatening / Mixed]
- Credible threat statements detected: [Y/N - specify]
- Incitement or call-to-action detected: [Y/N - specify]
- Date checked:
- Tripwire fired: [Y/N - tier]
- Notes / tool output: ← social search APIs, TweetDeck/Nitter, Telegram monitors
- [keyword set 2]
Dark-web / closed-source chatter
- [mention / forum / market listing]
- Platform / URL (sanitised):
- Date observed:
- Substance (brief):
- Credibility: [H/M/L]
- Tripwire fired: [Y/N - tier]
- Notes / tool output:
Incident log (this cycle)
- [new incident or significant development]
- Date / time:
- Description:
- Tripwire fired: [Y/N - tier]
- Source grade:
06 · Vulnerabilities & Attack Surface
Known or observable vulnerabilities in the event environment: physical gaps, digital exposures, and process weaknesses that could be exploited. Open-source only. → feeds §1 Scope & Watch Criteria/Tripwires (vulnerability-change tripwire), §4 Escalation & Notification Triggers.
Physical / venue vulnerabilities
- [vulnerability - e.g. unsecured perimeter segment, unmonitored entrance]
- Location:
- Severity: [High / Medium / Low]
- Observable via (source):
- Status: [Unmitigated / Mitigated / Unknown]
- Change from last cycle: [Y/N]
- Notes:
- [vulnerability 2]
Digital / cyber exposures (event-related)
Domain or platform exposures relevant to the monitored event (ticketing, livestream, communications).
- [digital exposure - e.g. event ticketing site, official social accounts]
- Asset:
- Exposure type:
- Source / basis:
- Notes / tool output: ← shodan (passive), whois, crt.sh, haveibeenpwned
- [exposure 2]
Process / security-posture gaps
- [gap - e.g. no visible bag-check protocol, no public counter-UAS measures]
- Basis (observed):
- Severity: [High / Medium / Low]
- Change from last cycle: [Y/N]
07 · Local Environment - Security, Emergency Services & Infrastructure
Steady-state and changed-condition data on the local security, medical, and infrastructure environment that shapes response capability and risk. → feeds §1 Scope & Watch Criteria/Tripwires, §2 Collection Cadence & Sources, §6 Review & Renewal (scope adjustment if local conditions change materially).
Law enforcement presence & status
- [jurisdiction / agency]
- Coverage of monitored area:
- Known posture this cycle:
- Source:
- Change from last cycle: [Y/N]
- Notes:
Emergency / medical services
- [service - e.g. nearest trauma centre, EMS response zone]
- Coverage / response-time estimate:
- Status: [Operational / Reduced / Unknown]
- Source:
- Change from last cycle: [Y/N]
Critical infrastructure status
- [infrastructure - e.g. power grid, communications, water]
- Status: [Nominal / Disrupted / Unknown]
- Date checked:
- Source:
- Impact on event monitoring if degraded:
Special events & mass gatherings (concurrent)
- [concurrent event that may affect coverage or threat level]
- Dates:
- Proximity to monitored domain:
- Risk interaction:
- Source:
08 · Digital & Social Signals
Real-time and near-real-time signals from the open digital environment relevant to the monitored event class. Includes social media, official feeds, news wires, and platform health. New accounts, hashtags, or coordinating clusters are each a potential alert. → feeds §1 Scope & Watch Criteria/Tripwires (social-signal tripwire), §2 Collection Cadence & Sources, §3 Reporting Cadence & Product Format, PIR-4.
Monitored social media accounts / pages (official)
Clone per account. Changes in posting cadence or content are tracked.
- [account - e.g. official event organiser account on X / Instagram]
- Platform / URL:
- Status: [Active / Dormant / Suspended / New]
- Last post / activity:
- Notable content this cycle:
- Anomaly detected: [Y/N - specify]
- Notes:
Monitored keywords / hashtags
Clone per keyword set. Volume and sentiment deltas are quantified.
- [keyword / hashtag - e.g. EventName, location string, known alias]
- Platform(s):
- Current volume:
- Baseline:
- Sentiment delta:
- Notable posts / accounts:
- Tripwire fired: [Y/N - tier]
- Notes / tool output: ← social search APIs, Nitter, TweetDeck, CrowdTangle equivalents
News & wire monitoring
- [news source / wire - e.g. Reuters, AP, local outlet]
- Lane type: [RSS / alert / manual check]
- Cadence:
- Notable items this cycle:
- Source grade:
Platform / infrastructure health (event-related digital assets)
- [digital asset - e.g. event website, ticketing platform, livestream]
- Status: [Operational / Degraded / Offline]
- Date checked:
- Notes / tool output: ← uptime monitors, isitdown, shodan passive
09 · Indicators & Warnings
The forward-looking layer: leading indicators, precursor activity, and warning signals that anticipate a tripwire crossing before it fires. Seed one block per indicator class; the operator updates observed status each cycle. Clone per indicator. → feeds §1 Scope & Watch Criteria/Tripwires (all rows), §4 Escalation & Notification Triggers, §5 Service Levels (SLA - detection latency), PIR-2.
Indicator / warning
Clone per indicator class tracked.
- [indicator - e.g. elevated online threat rhetoric targeting event class]
- Observable precursor:
- Detection method / source lane:
- Threshold for escalation:
- Current observed status: [Below threshold / At threshold / Threshold crossed]
- Date last assessed:
- Trend: [Stable / Increasing / Decreasing]
- Tripwire fired: [Y/N - tier]
- Notes / tool output:
- [indicator 2]
Warning intelligence (WI) log
- [WI item - credible warning received or assessed]
- Source:
- Date received:
- Credibility (Admiralty 1–6):
- Substance:
- Action taken:
- Escalation tier:
I&W summary - current cycle assessment
- Overall I&W posture: [Below threshold / Elevated / Warning / Imminent]
- Key drivers:
- Recommended action:
- Date assessed:
99 · Collection Admin
Working register - not a deliverable section, but the audit trail behind the service. → feeds Annex A Source & Watch-List Register, Annex B Onboarding/Offboarding Checklist, §5 Service Levels (SLA), §6 Review & Renewal.
Source register
Every material datum traceable to a graded source. Grade per NATO Admiralty (A–F × 1–6).
- [S-1 - source / lane name]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F) / Credibility (1–6):
- Cadence / last accessed:
- Event class(es) served:
- Lane health: [Healthy / Degraded / Offline]
- Notes:
- [S-2]
Evidence archive
- [screenshot / capture ref + hash + URL + timestamp]:
SLA compliance log (per §5)
- [metric - e.g. alert delivery time, Critical tier]
- Target:
- Achieved this cycle:
- Miss / credit triggered: [Y/N]
- Notes:
Onboarding / offboarding checklist status (per Annex B)
- Authority / consent captured and on file
- Scope boundaries signed off by client
- Seeding baseline (threat assessment / country risk) ingested
- Watch criteria / tripwires per §1 configured
- Collection lanes per §2 stood up and verified
- Reporting products per §3 configured and recipient list confirmed
- Escalation paths per §4 tested and acknowledged by all parties
- SLA targets per §5 documented and agreed
- Data retention / destruction schedule documented
- Offboarding / data-return / purge terms documented
Open gaps / verification pending (carry-forward)
- [item outstanding - source, date opened, routing]
- [item]
Watch-list change log
- [date] - [event class / tripwire added / retired / threshold adjusted] - authorized by:
Service review log (per §6)
- [review date] - [items discussed / scope changes approved / renewal status]: