Table Of Contents


User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . guardduty ]



Create a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


[--activate | --no-activate]
--detector-id <value>
[--format <value>]
[--location <value>]
[--name <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--activate | --no-activate (boolean) A boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.

--detector-id (string) The unique ID of the detector that you want to update.

--format (string) The format of the file that contains the ThreatIntelSet.

Possible values:

  • TXT
  • STIX

--location (string) The URI of the file that contains the ThreatIntelSet. For example (

--name (string) A user-friendly ThreatIntelSet name that is displayed in all finding generated by activity that involves IP addresses included in this ThreatIntelSet.

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.


ThreatIntelSetId -> (string)

The unique identifier for an threat intel set