AWS::GuardDuty::ThreatIntelSet
The AWS::GuardDuty::ThreatIntelSet resource specifies a new ThreatIntelSet. A ThreatIntelSet consists of known malicious IP addresses. GuardDuty generates findings based on the ThreatIntelSet after it is activated.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::GuardDuty::ThreatIntelSet",
  "Properties" : {
      "Activate" : Boolean,
      "DetectorId" : String,
      "Format" : String,
      "Location" : String,
      "Name" : String,
      "Tags" : [ TagItem, ... ]
    }
}
YAML
Type: AWS::GuardDuty::ThreatIntelSet
Properties:
  Activate: Boolean
  DetectorId: String
  Format: String
  Location: String
  Name: String
  Tags:
    - TagItem
Properties
Activate
A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
Required: No
Type: Boolean
Update requires: No interruption
DetectorId
The unique ID of the detector of the GuardDuty account for which you want to create a ThreatIntelSet.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Required: No
Type: String
Minimum: 1
Maximum: 32
Update requires: Replacement
Format
The format of the file that contains the ThreatIntelSet.
Required: Yes
Type: String
Minimum: 1
Maximum: 300
Update requires: Replacement
Location
The URI of the file that contains the ThreatIntelSet.
Required: Yes
Type: String
Minimum: 1
Maximum: 300
Update requires: No interruption
Name
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
Required: No
Type: String
Minimum: 1
Maximum: 300
Update requires: No interruption
Tags
The tags to be added to a new threat list resource. Each tag consists of a key and an optional value, both of which you define.
For more information, see Tag.
Required: No
Type: Array of TagItem
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the unique ID of the ThreatIntelSet.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Id
The unique ID of the threatIntelSet.
Examples
Declare a ThreatIntelSet Resource
The following example shows how to declare a GuardDuty ThreatIntelSet resource:
JSON
"mythreatintelset": {
    "Type": "AWS::GuardDuty::ThreatIntelSet",
    "Properties": {
        "Activate": true,
        "DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
        "Format": "TXT",
        "Location": "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket1/mythreatintelset.txt",
        "Name": "MyThreatIntelSet"
    }
}
YAML
mythreatintelset:
    Type: AWS::GuardDuty::ThreatIntelSet
    Properties:
        Activate: true
        DetectorId: "12abc34d567e8f4912ab3d45e67891f2"
        Format: "TXT"
        Location: "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket1/mythreatintelset.txt"
        Name: "MyThreatIntelSet"
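Pre-deployment check (an added example, not part of the AWS documentation): a Python lint over a parsed template that applies the required flags, length limits and update behaviours listed in the Properties section, and reports which edits would replace the ThreatIntelSet. The function names, the edited NEW template and the logical ID Detector are assumptions made for illustration.

```python
RESOURCE_TYPE = "AWS::GuardDuty::ThreatIntelSet"
# property: (required, min length, max length, update behaviour), as listed on this page
SPEC = {
    "DetectorId": (False, 1, 32, "Replacement"),
    "Format": (True, 1, 300, "Replacement"),
    "Location": (True, 1, 300, "No interruption"),
    "Name": (False, 1, 300, "No interruption"),
}

def threat_intel_sets(template):
    """Map logical ID -> Properties for every ThreatIntelSet in a parsed template."""
    return {lid: res.get("Properties", {})
            for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == RESOURCE_TYPE}

def lint(template):
    """Return human-readable problems for each ThreatIntelSet resource."""
    findings = []
    for lid, props in threat_intel_sets(template).items():
        for name, (required, lo, hi, _) in SPEC.items():
            value = props.get(name)
            # Only literal strings are measured; dict values are intrinsic
            # functions (Ref, Fn::Sub, ...) that resolve at deploy time.
            if value is None:
                if required:
                    findings.append(f"{lid}: {name} is required")
            elif isinstance(value, str) and not lo <= len(value) <= hi:
                findings.append(f"{lid}: {name} length {len(value)} outside {lo}-{hi}")
        # GuardDuty generates findings from the set only after activation.
        if str(props.get("Activate", False)).lower() == "false":
            findings.append(f"{lid}: Activate is not true, so the set yields no findings")
    return findings

def replacements(old, new):
    """List (logical ID, property) pairs whose change replaces the resource."""
    old_sets, new_sets = threat_intel_sets(old), threat_intel_sets(new)
    return sorted((lid, name)
                  for lid in old_sets.keys() & new_sets.keys()
                  for name, spec in SPEC.items()
                  if spec[3] == "Replacement" and old_sets[lid].get(name) != new_sets[lid].get(name))

# Constructed sample input: the page's example resource, then an edited revision.
OLD = {"Resources": {"mythreatintelset": {"Type": RESOURCE_TYPE, "Properties": {
    "Activate": True, "DetectorId": "12abc34d567e8f4912ab3d45e67891f2", "Format": "TXT",
    "Location": "https://s3-us-west-2.amazonaws.com/amzn-s3-demo-bucket1/mythreatintelset.txt",
    "Name": "MyThreatIntelSet"}}}}
NEW = {"Resources": {"mythreatintelset": {"Type": RESOURCE_TYPE, "Properties": {
    "DetectorId": {"Ref": "Detector"}, "Format": "TXT", "Name": "x" * 301}}}}

if __name__ == "__main__":
    print(lint(OLD), lint(NEW), replacements(OLD, NEW), sep="\n")
```

A replacement gives the ThreatIntelSet a new ID, so anything that stored the old Ref value needs to be updated after such a change.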