Threat Intelligence Query
vision-one-threat-intel
by andresark
Query TrendAI Vision One threat intelligence. Use when: looking up IOCs (IP, domain, hash, URL, email), checking threat feeds, reading intelligence reports, managing suspicious objects, or hunting threats by industry/campaign/actor/CVE. Triggers on: threat intel, IOC lookup, threat feed, suspicious object, Vision One, TrendAI, threat hunting, indicator of compromise.
Installation
claude skill add --url https://github.com/openclaw/skills
Documentation
TrendAI Vision One Threat Intelligence
Query threat intelligence from TrendAI Vision One: feed indicators, intelligence reports, suspicious objects, and threat hunting.
Environment
- VISION_ONE_API_KEY (required): Vision One API token
- VISION_ONE_REGION (optional, default: us): one of us, eu, jp, sg, au, in, mea
Commands
All commands use: python3 {baseDir}/scripts/v1ti.py [--region REGION] <command> [options]
1. lookup — What do we know about this IOC?
Searches feed indicators and suspicious objects list for a single indicator. Auto-detects IOC type.
python3 {baseDir}/scripts/v1ti.py lookup <indicator> [--days 90]
Examples:
python3 {baseDir}/scripts/v1ti.py lookup 198.51.100.23
python3 {baseDir}/scripts/v1ti.py lookup evil-domain.com --days 30
python3 {baseDir}/scripts/v1ti.py lookup 44d88612fea8a8f36de82e1278abb02f6d1c7e2a
python3 {baseDir}/scripts/v1ti.py lookup "https://malicious.example.com/payload"
python3 {baseDir}/scripts/v1ti.py lookup attacker@phishing.com
2. feed — Latest threat indicators
List recent feed indicators with optional risk/type filtering.
python3 {baseDir}/scripts/v1ti.py feed [--days 7] [--risk high|medium|low] [--type ip|domain|url|fileSha1|fileSha256|senderMailAddress] [--limit 50]
Examples:
python3 {baseDir}/scripts/v1ti.py feed --days 3 --risk high --limit 20
python3 {baseDir}/scripts/v1ti.py feed --type domain --days 14
3. report — Intelligence reports
List or view specific intelligence reports.
python3 {baseDir}/scripts/v1ti.py report [--id REPORT_ID] [--search KEYWORD] [--limit 10]
Examples:
python3 {baseDir}/scripts/v1ti.py report --limit 5
python3 {baseDir}/scripts/v1ti.py report --search "ransomware"
python3 {baseDir}/scripts/v1ti.py report --id RPT-12345
4. suspicious list — View suspicious objects
List indicators on the organization's suspicious objects list.
python3 {baseDir}/scripts/v1ti.py suspicious list [--type TYPE] [--limit 50]
5. suspicious add — Block an IOC
Add an indicator to the suspicious objects list. Requires explicit action and risk level (no defaults for safety).
python3 {baseDir}/scripts/v1ti.py suspicious add <indicator> --action block|log --risk high|medium|low [--description "reason"] [--expiry-days 30]
Examples:
python3 {baseDir}/scripts/v1ti.py suspicious add evil.com --action block --risk high --description "Phishing campaign C2"
python3 {baseDir}/scripts/v1ti.py suspicious add 198.51.100.23 --action log --risk medium --expiry-days 30
6. hunt — Threat hunt by criteria
Search for threat indicators by campaign, actor, industry, country, or CVE.
python3 {baseDir}/scripts/v1ti.py hunt [--campaign NAME] [--actor NAME] [--industry NAME] [--country NAME] [--cve CVE-ID] [--days 90] [--limit 50]
Examples:
python3 {baseDir}/scripts/v1ti.py hunt --industry Finance --days 30
python3 {baseDir}/scripts/v1ti.py hunt --actor APT29 --limit 20
python3 {baseDir}/scripts/v1ti.py hunt --cve CVE-2024-3400 --days 60
python3 {baseDir}/scripts/v1ti.py hunt --country "United States" --industry Healthcare
Output Format
All output is structured plain text with clear section headers and key-value pairs. No raw JSON is returned.
Error Format
Errors follow a three-part template:
ERROR: <what went wrong>
EXPECTED: <what was expected>
EXAMPLE: <correct usage example>
Supported IOC Types
The lookup and suspicious add commands auto-detect these indicator types from the raw value:
- IPv4/IPv6 addresses
- Domain names
- URLs (http:// or https://)
- SHA-256 hashes (64 hex chars)
- SHA-1 hashes (40 hex chars)
- Email addresses
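As an added illustration (not the skill's own v1ti.py code), the function below shows one way the auto-detection described above can map a raw value to the type names used by the feed command's --type flag, and falls back to the three-part error template when nothing matches. The regexes, function names and check order are assumptions.

```python
import ipaddress
import re
from typing import Optional

# Patterns are assumptions for this example; order of checks matters because
# a SHA-1 value is plain hex and an IPv4 address could otherwise look domain-like.
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE
)


def detect_ioc_type(value: str) -> Optional[str]:
    """Return the feed indicator type name for a raw IOC value, or None."""
    v = value.strip()
    if URL_RE.match(v):
        return "url"
    if EMAIL_RE.match(v):
        return "senderMailAddress"
    if SHA256_RE.match(v):
        return "fileSha256"
    if SHA1_RE.match(v):
        return "fileSha1"
    try:
        ipaddress.ip_address(v)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def format_unsupported_error(value: str) -> str:
    """Build the three-part ERROR / EXPECTED / EXAMPLE message for an unknown value."""
    return (
        f"ERROR: could not detect indicator type for {value!r}\n"
        "EXPECTED: IPv4/IPv6 address, domain, URL, SHA-1, SHA-256 or email address\n"
        "EXAMPLE: python3 {baseDir}/scripts/v1ti.py lookup 198.51.100.23"
    )


if __name__ == "__main__":
    for sample in ["198.51.100.23", "evil-domain.com", "attacker@phishing.com", "??"]:
        print(sample, "->", detect_ioc_type(sample) or format_unsupported_error(sample))
```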
Notes
- All GET operations are read-only and safe to run
- suspicious add is a write operation: always confirm the action with the user before running
- Results are paginated internally; the --limit flag controls the maximum number of results returned
- Use --days to control the lookback window for time-based queries
- For advanced filter syntax, read {baseDir}/references/filter-examples.md
Related Skills
Security Expert
by alirezarezvani
Covers threat modeling, vulnerability assessment, security architecture design, code audit and penetration testing, with built-in STRIDE, OWASP, cryptographic patterns and security scanning workflows; suited to system design reviews and pre-release security checks.
✎ Security Expert chains threat modeling, vulnerability analysis and penetration testing into one workflow, with built-in STRIDE and OWASP guidance, making security design and review less effort.
Security Operations
by alirezarezvani
Covers application security, vulnerability management and compliance auditing, with support for code/dependency scanning, CVE assessment, secrets detection and security automation; suited to establishing security baselines, vulnerability response, audit checks and secure development governance.
✎ Application security, vulnerability management and compliance checks in one place, with automated scanning and response, helping teams find and contain risk earlier.
Dependency Audit
by alirezarezvani
Health-checks dependencies in multi-language projects: scans for vulnerabilities and CVEs, finds license conflicts, maps transitive dependencies and outdated versions, and recommends secure upgrades and compliance governance.
✎ Dependency Audit quickly surfaces vulnerabilities and compliance risks in project dependencies, combining security scanning and auditing; suited to teams with complex dependency chains that need continuous oversight.
Related MCP Servers
by Sentry
Search and analyze Sentry error reports to assist debugging.
✎ Turns scattered Sentry error reports into searchable leads, helping you locate production faults faster among masses of errors and saving noticeable troubleshooting time.
by sinewaveai
Provides a security layer for AI agents: blocks prompt injection, identifies counterfeit packages, and scans for vulnerability risks.
✎ Adds a key security layer to AI agents that blocks prompt injection, identifies counterfeit packages and scans for vulnerability risks, putting protection up front.
by pantheon-security
A security-hardened NotebookLM MCP with integrated post-quantum encryption for stronger data protection.