Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
create-threat-intel-set
--detector-id <value>
--name <value>
--format <value>
--location <value>
--activate | --no-activate
[--client-token <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--detector-id
(string)
The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.
--name
(string)
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
--format
(string)
The format of the file that contains the ThreatIntelSet.
Possible values:
TXT
STIX
OTX_CSV
ALIEN_VAULT
PROOF_POINT
FIRE_EYE
--location
(string)
The URI of the file that contains the ThreatIntelSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key.
--activate
| --no-activate
(boolean)
A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
--client-token
(string)
The idempotency token for the create request.
--tags
(map)
The tags to be added to a new threat list resource.
key -> (string)
value -> (string)
Shorthand Syntax:
KeyName1=string,KeyName2=string
JSON Syntax:
{"string": "string"
...}
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
To create a new threat intel set in the current region.
This example shows how to upload a threat intel set to GuardDuty and activate it immediately.
aws guardduty create-threat-intel-set \
--detector-id b6b992d6d2f48e64bc59180bfexample \
--name myThreatSet \
--format TXT \
--location s3://EXAMPLEBUCKET/threatlist.csv \
--activate
Output:
{
"ThreatIntelSetId": "20b9a4691aeb33506b808878cexample"
}
For more information, see Trusted IP and threat lists in the GuardDuty User Guide.