AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::GuardDuty::ThreatIntelSet

The AWS::GuardDuty::ThreatIntelSet resource creates a ThreatIntelSet. A ThreatIntelSet consists of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::GuardDuty::ThreatIntelSet",
  "Properties" : {
    "Activate" : Boolean,
    "DetectorId" : String,
    "Format" : String,
    "Location" : String,
    "Name" : String
  }
}

YAML

Type: "AWS::GuardDuty::ThreatIntelSet"
Properties:
  Activate: Boolean
  DetectorId: String
  Format: String
  Location: String
  Name: String

Properties

Activate

A Boolean value that indicates whether GuardDuty should start using the uploaded ThreatIntelSet.

Required: Yes

Type: Boolean

Update requires: No interruption

DetectorId

The detector ID that specifies the GuardDuty service for which a ThreatIntelSet is to be created.

Required: Yes

Type: String

Update requires: Replacement

Format

The format of the file that contains the ThreatIntelSet. Valid values are TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, and FIRE_EYE.

Required: Yes

Type: String

Update requires: Replacement

Location

The URI of the file that contains the ThreatIntelSet.

Required: Yes

Type: String

Update requires: No interruption

Name

A friendly ThreatIntelSet name that is displayed in all findings generated by activity that involves IP addresses included in this ThreatIntelSet.

Required: No

Type: String

Update requires: No interruption

Return Values

Ref

When you pass the logical ID of an AWS::GuardDuty::ThreatIntelSet resource to the intrinsic Ref function, the function returns the unique ID of the created threatIntelSet.

For more information about using the Ref function, see Ref.

Examples

Declaring a GuardDuty ThreatIntelSet resource

The following example shows how to declare an AWS::GuardDuty::ThreatIntelSet resource to create a GuardDuty ThreatIntelSet.

JSON

"mythreatintelset": {
  "Type": "AWS::GuardDuty::ThreatIntelSet",
  "Properties": {
    "Activate": true,
    "DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
    "Format": "TXT",
    "Location": "https://s3-us-west-2.amazonaws.com/mybucket/mythreatintelset.txt",
    "Name": "MyThreatIntelSet"
  }
}

YAML

mythreatintelset:
  Type: "AWS::GuardDuty::ThreatIntelSet"
  Properties:
    Activate: true
    DetectorId: "12abc34d567e8f4912ab3d45e67891f2"
    Format: "TXT"
    Location: "https://s3-us-west-2.amazonaws.com/mybucket/mythreatintelset.txt"
    Name: "MyThreatIntelSet"
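
A pre-deployment check for this resource, as an added example that is not part of the AWS documentation: it lints a parsed declaration against the property table above and classifies a property change as Replacement or No interruption. The names `SPEC`, `lint`, `update_impact` and `SAMPLE` are hypothetical, and accepting the strings "true"/"false" for Activate is an assumption about how templates are written.

```python
# Property table transcribed from this page: name -> (required, type, update behaviour).
SPEC = {
    "Activate": (True, bool, "No interruption"),
    "DetectorId": (True, str, "Replacement"),
    "Format": (True, str, "Replacement"),
    "Location": (True, str, "No interruption"),
    "Name": (False, str, "No interruption"),
}
VALID_FORMATS = {"TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE"}


def lint(resource):
    """Return the problems found in one parsed ThreatIntelSet declaration."""
    if resource.get("Type") != "AWS::GuardDuty::ThreatIntelSet":
        return ["Type is not AWS::GuardDuty::ThreatIntelSet"]
    props = resource.get("Properties", {})
    problems = ["unknown property " + k for k in props if k not in SPEC]
    for name, (required, kind, _) in SPEC.items():
        value = props.get(name)
        if value is None:
            if required:
                problems.append("missing required property " + name)
        elif isinstance(value, dict):
            continue  # intrinsic function such as {"Ref": ...}, resolved at deploy time
        elif kind is bool and str(value).lower() in ("true", "false"):
            continue  # assumption: Booleans may be written as "true"/"false" strings
        elif not isinstance(value, kind):
            problems.append(name + " must be " + kind.__name__)
    if isinstance(props.get("Format"), str) and props["Format"] not in VALID_FORMATS:
        problems.append("Format is not a valid value: " + props["Format"])
    if str(props.get("Activate")).lower() == "false":
        problems.append("Activate is false: GuardDuty will not use this set")
    return problems


def update_impact(old, new):
    """Classify a change between two Properties dicts by the 'Update requires' column."""
    changed = [n for n in SPEC if old.get(n) != new.get(n)]
    if any(SPEC[n][2] == "Replacement" for n in changed):
        return "Replacement"
    return "No interruption" if changed else None


# Constructed sample: the page's example declaration with Format mistyped and Name omitted.
SAMPLE = {"Type": "AWS::GuardDuty::ThreatIntelSet", "Properties": {
    "Activate": True, "DetectorId": "12abc34d567e8f4912ab3d45e67891f2", "Format": "txt",
    "Location": "https://s3-us-west-2.amazonaws.com/mybucket/mythreatintelset.txt"}}

print(lint(SAMPLE))  # runs the check on the constructed sample
```

A "Replacement" result means the change produces a new resource, so anything that stored the ID returned by Ref needs to pick up the new value.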