[ aws . guardduty ]

create-threat-intel-set

Description

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  create-threat-intel-set
--detector-id <value>
--name <value>
--format <value>
--location <value>
--activate | --no-activate
[--client-token <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--detector-id (string)

The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.

--name (string)

A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.

--format (string)

The format of the file that contains the ThreatIntelSet.

Possible values:

  • TXT

  • STIX

  • OTX_CSV

  • ALIEN_VAULT

  • PROOF_POINT

  • FIRE_EYE

--location (string)

The URI of the file that contains the ThreatIntelSet.

--activate | --no-activate (boolean)

A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.

--client-token (string)

The idempotency token for the create request.

--tags (map)

The tags to be added to a new threat list resource.

key -> (string)

value -> (string)

Shorthand Syntax:

KeyName1=string,KeyName2=string

JSON Syntax:

{"string": "string"
  ...}

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples

To create a new threat intel set in the current region.

This example shows how to upload a threat intel set to GuardDuty and activate it immediately.

aws guardduty create-threat-intel-set \
    --detector-id b6b992d6d2f48e64bc59180bfexample \
    --name myThreatSet \
    --format TXT \
    --location s3://EXAMPLEBUCKET/threatlist.csv \
    --activate

Output:

{
    "ThreatIntelSetId": "20b9a4691aeb33506b808878cexample"
}

For more information, see Trusted IP and threat lists in the GuardDuty User Guide.

Output

ThreatIntelSetId -> (string)

The ID of the ThreatIntelSet resource.