Official Verified

vision-one-threat-intel

Query TrendAI Vision One threat intelligence. Use when: looking up IOCs (IP, domain, hash, URL, email), checking threat feeds, reading intelligence reports, managing suspicious objects, or hunting threats by industry/campaign/actor/CVE. Triggers on: threat intel, IOC lookup, threat feed, suspicious object, Vision One, TrendAI, threat hunting, indicator of compromise.

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/andresark/vision-one-threat-intel
TrendAI Vision One Threat Intelligence

Query threat intelligence from TrendAI Vision One: feed indicators, intelligence reports, suspicious objects, and threat hunting.

Environment

  • VISION_ONE_API_KEY (required) — Vision One API token
  • VISION_ONE_REGION (optional, default: us) — One of: us, eu, jp, sg, au, in, mea

Commands

All commands use: python3 {baseDir}/scripts/v1ti.py [--region REGION] <command> [options]

1. lookup — What do we know about this IOC?

Searches feed indicators and suspicious objects list for a single indicator. Auto-detects IOC type.

python3 {baseDir}/scripts/v1ti.py lookup <indicator> [--days 90]

Examples:

python3 {baseDir}/scripts/v1ti.py lookup 198.51.100.23
python3 {baseDir}/scripts/v1ti.py lookup evil-domain.com --days 30
python3 {baseDir}/scripts/v1ti.py lookup 44d88612fea8a8f36de82e1278abb02f6d1c7e2a
python3 {baseDir}/scripts/v1ti.py lookup "https://malicious.example.com/payload"
python3 {baseDir}/scripts/v1ti.py lookup [email protected]
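The lookup command auto-detects the IOC type from the indicator string alone. The sketch below is an added example of how such detection can work, not the skill's own v1ti.py code: the function names, the regexes and the refang step are assumptions, and the type labels are the ones this page lists for feed --type.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Type labels reuse the values listed for `feed --type`; the patterns are assumptions.
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_EMAIL = re.compile(r"^[^@\s]+@([^@\s]+)$")
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_domain(value):
    """Hostname check: at least two labels, alphabetic TLD, valid label syntax."""
    labels = value.rstrip(".").split(".")
    if len(labels) < 2 or len(value) > 253 or not labels[-1].isalpha():
        return False
    return all(_LABEL.match(label) for label in labels)


def refang(value):
    """Undo common defanging (hxxp, [.], [:], [@]) seen in reports and tickets."""
    value = value.strip()
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")


def detect_ioc_type(raw):
    """Return (type, normalized_value); type is None when nothing matches."""
    value = refang(raw)
    if "://" in value:  # URL shape first, so its host is not misread as a domain
        try:
            parts = urlsplit(value)
            ok = parts.scheme.lower() in ("http", "https") and bool(parts.hostname)
        except ValueError:  # e.g. malformed bracketed host
            ok = False
        return ("url" if ok else None), value
    try:
        return "ip", str(ipaddress.ip_address(value))  # IPv4 or IPv6
    except ValueError:
        pass
    if _HEX.match(value):
        # Only the hash lengths in the page's type list; 32-char MD5 stays unknown.
        kind = {40: "fileSha1", 64: "fileSha256"}.get(len(value))
        return kind, value.lower()
    email = _EMAIL.match(value)
    if email:
        return ("senderMailAddress" if _is_domain(email.group(1)) else None), value.lower()
    if _is_domain(value):
        return "domain", value.rstrip(".").lower()
    return None, value
```

Returning None for an unrecognized string, rather than guessing, keeps a malformed indicator such as 999.1.1.1 from being queried as a domain.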

2. feed — Latest threat indicators

List recent feed indicators with optional risk/type filtering.

python3 {baseDir}/scripts/v1ti.py feed [--days 7] [--risk high|medium|low] [--type ip|domain|url|fileSha1|fileSha256|senderMailAddress] [--limit 50]

Examples:

python3 {baseDir}/scripts/v1ti.py feed --days 3 --risk high --limit 20
python3 {baseDir}/scripts/v1ti.py feed --type domain --days 14

3. report — Intelligence reports

List or view specific intelligence reports.

python3 {baseDir}/scripts/v1ti.py report [--id REPORT_ID] [--search KEYWORD] [--limit 10]

Examples:

python3 {baseDir}/scripts/v1ti.py report --limit 5
python3 {baseDir}/scripts/v1ti.py report --search "ransomware"
python3 {baseDir}/scripts/v1ti.py report --id RPT-12345

4. suspicious list — View suspicious objects

List indicators on the organization's suspicious objects list.

python3 {baseDir}/scripts/v1ti.py suspicious list [--type TYPE] [--limit 50]

5. suspicious add — Block an IOC

Add an indicator to the suspicious objects list. Requires explicit action and risk level (no defaults for safety).

python3 {baseDir}/scripts/v1ti.py suspicious add <indicator> --action block|log --risk high|medium|low [--description "reason"] [--expiry-days 30]

Examples:

python3 {baseDir}/scripts/v1ti.py suspicious add evil.com --action block --risk high --description "Phishing campaign C2"
python3 {baseDir}/scripts/v1ti.py suspicious add 198.51.100.23 --action log --risk medium --expiry-days 30

6. hunt — Threat hunt by criteria

Search for threat indicators by campaign, actor, industry, country, or CVE.

python3 {baseDir}/scripts/v1ti.py hunt [--campaign NAME] [--actor NAME] [--industry NAME] [--country NAME] [--cve CVE-ID] [--days 90] [--limit 50]

Metadata

Author: @andresark
Stars: 4473
Views: 1
Updated: 2026-05-01
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-andresark-vision-one-threat-intel": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety Note: ClawKit audits metadata but not runtime behavior. Use with caution.