Amazon GuardDuty
Amazon GuardDuty User Guide

CreateThreatIntelSet

Creates a ThreatIntelSet. A ThreatIntelSet consists of known malicious IP addresses. GuardDuty generates findings based on the ThreatIntelSet.

Important

Users from GuardDuty member accounts cannot run this API. Currently in GuardDuty, users from member accounts cannot upload or otherwise manage ThreatIntelSets. ThreatIntelSets uploaded by the master account apply to GuardDuty in its member accounts. For more information, see Managing AWS Accounts in Amazon GuardDuty.

Request Syntax

POST https://<endpoint>/detector/{detectorId}/threatintelset

Body:

{
  "name": "string",
  "location": "string",
  "format": "[TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE]",
  "activate": "boolean"
}

Path Parameters

detectorId

The detector ID that specifies the GuardDuty service for which you want to create a ThreatIntelSet.

Type: String

Required: Yes

Request Parameters

The request accepts the following data in JSON format.

name

A friendly ThreatIntelSet name. The name is displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.

Type: String

Required: Yes

format

The format of the file that contains the ThreatIntelSet.

Type: String. Valid values: TXT | STIX | OTX_CSV | ALIEN_VAULT | PROOF_POINT | FIRE_EYE

Note

In your trusted IP lists and threat lists, IP addresses and CIDR ranges must appear one per line.

The following is a sample list in plaintext (TXT) format:

54.20.175.217
205.0.0.0/8

For more information, see Working with Trusted IP Lists and Threat Lists.

Required: Yes

location

The URI of the file that contains the ThreatIntelSet.

Type: String

Required: Yes

activate

Specifies whether GuardDuty is to start using the created ThreatIntelSet.

Type: Boolean

Required: Yes
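As an added example (not AWS's code and not part of this guide), the following Python script runs a pre-flight check on a TXT-format threat list against the one-entry-per-line rule in the note above and assembles the request body for this call, without contacting AWS. The format values, request path and parameter names come from this page; the SAMPLE_THREAT_LIST contents, the rejection of CIDR ranges with host bits set, and the requirement that location carry a URI scheme and host are this example's assumptions.

```python
"""Pre-flight check for a GuardDuty ThreatIntelSet upload (added example, not AWS code).

Validates a TXT-format threat list (one IP address or CIDR range per line) and
assembles the body for POST /detector/{detectorId}/threatintelset. Standard
library only; nothing here contacts AWS.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Valid values of the "format" request parameter, as listed on this page.
VALID_FORMATS = ("TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE")

# Constructed sample list in TXT format (same entries as the page's sample).
SAMPLE_THREAT_LIST = "54.20.175.217\n205.0.0.0/8\n"


def parse_plaintext_list(text):
    """Return (entries, problems) for a TXT-format threat list.

    entries  - parsed ipaddress objects for lines holding one address or range
    problems - (line_number, raw_line, reason) for lines that break the rule
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no entry
        if len(line.split()) != 1:
            problems.append((lineno, raw, "more than one entry on the line"))
            continue
        try:
            if "/" in line:
                # strict=True rejects ranges such as 10.0.0.1/8 whose host bits
                # are set; that strictness is this example's choice, not a
                # documented GuardDuty rule.
                entries.append(ipaddress.ip_network(line, strict=True))
            else:
                entries.append(ipaddress.ip_address(line))
        except ValueError as exc:
            problems.append((lineno, raw, str(exc)))
    return entries, problems


def build_request_body(name, location, fmt, activate):
    """Build the request body dict for CreateThreatIntelSet, checking each parameter."""
    if not name:
        raise ValueError("name is required")
    if fmt not in VALID_FORMATS:
        raise ValueError(f"format must be one of {VALID_FORMATS}, got {fmt!r}")
    parts = urlsplit(location)
    if not (parts.scheme and parts.netloc):
        # The page only says location is a URI; requiring a scheme and host is
        # this example's sanity check.
        raise ValueError(f"location is not a URI: {location!r}")
    if not isinstance(activate, bool):
        raise ValueError("activate must be a boolean")
    return {"name": name, "location": location, "format": fmt, "activate": activate}


def request_for_list(detector_id, name, location, list_text, activate=True):
    """Validate a TXT list and return (request_path, json_body) for the API call.

    Raises ValueError naming every offending line if the list is malformed, so a
    bad list is caught before it is uploaded and activated.
    """
    if not detector_id:
        raise ValueError("detectorId is required")
    _, problems = parse_plaintext_list(list_text)
    if problems:
        report = "; ".join(f"line {n}: {why}" for n, _, why in problems)
        raise ValueError(f"threat list rejected: {report}")
    body = build_request_body(name, location, "TXT", activate)
    path = f"/detector/{detector_id}/threatintelset"
    return path, json.dumps(body)


if __name__ == "__main__":
    path, body = request_for_list(
        "12abc34d567e8fa901bc2d34e56789f0",  # detector ID from the page's sample request
        "ThreatIntelSet",
        "https://s3.amazonaws.com/guarddutylists/threatintelset.txt",
        SAMPLE_THREAT_LIST,
    )
    print("POST", path)
    print(body)
```

Running the script prints the request path and body for the page's sample values; feeding it a list with two entries on one line, an out-of-range address, or a range with host bits set raises a ValueError that names each offending line, which is the point of checking the file before GuardDuty starts generating findings from it.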

Response Syntax

{
  "threatIntelSetId": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

threatIntelSetId

The unique ID that specifies the newly created ThreatIntelSet.

Type: String

Errors

If the action is not successful, the service sends back an HTTP error response code along with detailed error information.

InvalidInputException

The request is rejected. An invalid or out-of-range value is specified as an input parameter.

HTTP Status Code: 400

InvalidInputException

The request is rejected. The required query or path parameters are not specified.

HTTP Status Code: 400

InvalidInputException

The request is rejected. One or more input parameters have invalid values.

HTTP Status Code: 400

InvalidInputException

The request is rejected. The parameter name has an invalid value.

HTTP Status Code: 400

InvalidInputException

The request is rejected. The parameter location has an invalid value.

HTTP Status Code: 400

InvalidInputException

The request is rejected. The parameter format has an invalid value.

HTTP Status Code: 400

InvalidInputException

The request is rejected. The parameter detectorId has an invalid value.

HTTP Status Code: 400

NoSuchEntityException

The request is rejected. The input detectorId is not owned by the current account.

HTTP Status Code: 400

AccessDeniedException

The request is rejected. The caller is not authorized to call this API.

HTTP Status Code: 400

NoSuchEntityException

The request is rejected. No role was found.

HTTP Status Code: 400

InvalidInputException

The request is rejected. Member accounts cannot manage IPSets or ThreatIntelSets.

HTTP Status Code: 400

BadRequestException

The request is rejected. The service can't assume the service role.

HTTP Status Code: 400

AccessDeniedException

The request is rejected. You do not have the required iam:PutRolePolicy permission.

HTTP Status Code: 400

BadRequestException

The request is rejected. The specified service role is not a service-linked role.

HTTP Status Code: 400

InternalException

Internal server error.

HTTP Status Code: 500

Example

Sample Request

POST /detector/12abc34d567e8fa901bc2d34e56789f0/threatintelset HTTP/1.1
Host: guardduty.us-west-2.amazonaws.com
Accept-Encoding: identity
Content-Length: 142
Authorization: AUTHPARAMS
X-Amz-Date: 20180124T194824Z
User-Agent: aws-cli/1.14.29 Python/2.7.9 Windows/8 botocore/1.8.33

{
  "format": "TXT",
  "activate": true,
  "location": "https://s3.amazonaws.com/guarddutylists/threatintelset.txt",
  "name": "ThreatIntelSet"
}

Sample Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 55
Date: Wed, 24 Jan 2018 19:48:36 GMT
x-amzn-RequestId: 8af4b349-013f-11e8-8f6b-e37a19b6d996
X-Amzn-Trace-Id: sampled=0;root=1-5a68e30a-ffc9e16710a559d971138391
X-Cache: Miss from cloudfront
Via: 1.1 7f3f42df8af148df1f9f1ee7175987ad.cloudfront.net (CloudFront)
X-Amz-Cf-Id: KPy-b4jZhTp_ahwtcYga-g7K_Urr1QFGL3lIEnZSR6KpfAQ1vxTE3A==
Connection: Keep-alive

{
  "threatIntelSetId": "8cb094db7082fd0db09479755d215dba"
}