

# Customizing threat detection with entity lists and IP address lists

Amazon GuardDuty monitors the security of your AWS environment by analyzing and processing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. By enabling one or more [Use-case focused GuardDuty protection plans](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html#features-of-guardduty) (except [Runtime Monitoring](runtime-monitoring.md)), you can expand the monitoring capabilities within GuardDuty.

With lists, GuardDuty helps you customize the scope of threat detection in your environment. You can configure GuardDuty to stop generating findings from your trusted sources and generate findings for known malicious sources from your threat lists. GuardDuty continues to support legacy IP address lists and extends support to entity lists (recommended) that can contain IP addresses, domains, or both. 

**Topics**
+ [Understanding entity lists and IP address lists](#guardduty-threat-intel-list-entity-sets)
+ [Important considerations for GuardDuty lists](#guardduty-lists-entity-sets-considerations)
+ [List formats](#prepare_list)
+ [Understanding list statuses](#guardduty-entity-list-statuses)
+ [Setting up prerequisites for entity lists and IP address lists](guardduty-lists-prerequisites.md)
+ [Adding and activating an entity list or IP list](guardduty-lists-create-activate.md)
+ [Updating an entity list or IP address list](guardduty-lists-update-procedure.md)
+ [De-activating entity list or IP address list](guardduty-lists-deactivate-procedure.md)
+ [Deleting entity list or IP address list](guardduty-lists-delete-procedure.md)

## Understanding entity lists and IP address lists


GuardDuty offers two implementation approaches: entity lists (recommended) and IP lists. Both approaches help you specify trusted sources, for which GuardDuty stops generating findings, and known threats, which GuardDuty uses to generate findings.

**Entity lists** support both IP addresses and domain names. They use direct Amazon Simple Storage Service (Amazon S3) access with a single IAM permission that doesn't impact IAM policy size limits across multiple Regions. 

**IP lists** support only IP addresses and use the [GuardDuty service-linked role (SLR)](slr-permissions.md), requiring IAM policy updates per Region, which may impact IAM policy size limits.

Trusted lists (both entity lists and IP address lists) include entries that you trust for secure communication with your AWS infrastructure. GuardDuty does not generate findings for entries listed in trusted sources. At any given time, you can add only one trusted entity list and one trusted IP address list per AWS account per Region.

Threat lists (both entity lists and IP address lists) include entries that you have identified as known malicious sources. When GuardDuty detects an activity involving these sources, it generates findings to alert you of potential security issues. You can create your own threat lists or incorporate third-party threat intelligence feeds. In addition to generating findings because of potentially suspicious activity, GuardDuty also generates findings based on activity that involves entries from your threat lists. At any given time, you can upload up to six threat entity lists and threat IP address lists per AWS account per Region.

**Note**  
To migrate from IP address lists to entity lists, follow [Prerequisites for entity lists](guardduty-lists-prerequisites.md#guardduty-entity-list-prerequisites), then add and activate the required entity list. After this, you can choose to deactivate or delete the corresponding IP address list.

## Important considerations for GuardDuty lists


Before you begin working with lists, read the following considerations:
+ IP address lists and entity lists apply only to traffic destined for publicly routable IP addresses and domains.
+ In an entity list, the entries apply to CloudTrail, VPC Flow Logs in Amazon VPC, and Route53 Resolver DNS query logs findings.

  In an IP address list, the entries apply to CloudTrail and VPC Flow Logs in Amazon VPC findings, but not to Route53 Resolver DNS query logs findings.
+ If you include the same IP address or domain in both trusted and threat lists, then this entry in the trusted list will take precedence. GuardDuty will not generate a finding if there is an activity associated with this entry.
+ In a multi-account environment, only the GuardDuty administrator account can manage lists. This setting automatically applies to the member accounts. GuardDuty generates findings based on an activity that involves known malicious IP addresses (and domains) from the administrator account's threat sources, and doesn't generate findings based on activity that involves IP addresses (and domains) from the administrator account's trusted sources. For more information, see [Multiple accounts in Amazon GuardDuty](guardduty_accounts.md).
+ Only IPv4 addresses are accepted. IPv6 addresses are not supported.
+ After you activate, deactivate, or delete an entity list or IP address list, the process is estimated to complete within 15 minutes. In certain scenarios, it may take up to 40 minutes for this process to complete.
+ GuardDuty uses a list for threat detection only when the status of the list becomes **Active**.
+ Whenever you add or update an entry in the list's S3 bucket location, you must activate the list again. For more information, see [Updating an entity list or IP address list](guardduty-lists-update-procedure.md).
+ Entity lists and IP address lists have different quotas. For more information, see [GuardDuty quotas](guardduty_limits.md).

## List formats


GuardDuty accepts multiple file formats for your entity lists and IP address lists, with a maximum of 35 MB per file. Each format has specific requirements and capabilities.

### Plaintext (TXT)


This format supports IP addresses, CIDR ranges, and domain names. Each entry must appear on a separate line.

**Example for entity list**

```
192.0.2.1
192.0.2.0/24
example.com
example.org
*.example.org
```

**Example for IP address list**

```
192.0.2.0/24
198.51.100.1
203.0.113.1
```
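The considerations above (IPv4 only, publicly routable destinations only, trusted entries taking precedence over threat entries) can be checked on a plaintext list before it is uploaded. The following is an added example, not AWS code; the sample lists are constructed, and treating CIDR overlap and `*.` wildcard coverage as "the same entry" is an assumption made here.

```python
import ipaddress
import re

MAX_BYTES = 35 * 1000 * 1000  # 35 MB per file; decimal MB assumed (stricter reading)

# Ranges that are never publicly routable. The documentation ranges used in the
# samples (192.0.2.0/24 and similar) are deliberately not listed, because they
# stand in for public addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Domain name with an optional leading "*." wildcard label.
DOMAIN_RE = re.compile(
    r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(entry):
    """Return (kind, value, problem) for one list entry."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        if DOMAIN_RE.match(entry):
            return "domain", entry.lower(), None
        return "invalid", entry, "not an IPv4 address, CIDR range, or domain"
    if net.version == 6:
        return "invalid", entry, "IPv6 is not supported"
    if any(net.subnet_of(block) for block in NON_ROUTABLE):
        return "ip", net, "not publicly routable, so the entry has no effect"
    return "ip", net, None


def parse_list(text):
    """Parse a TXT list. Returns (entries, problems); problems carry 1-based line numbers."""
    entries, problems = [], []
    if len(text.encode("utf-8")) > MAX_BYTES:
        problems.append((0, "", "file exceeds 35 MB"))
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        kind, value, problem = classify(line)
        if problem:
            problems.append((lineno, line, problem))
        if kind != "invalid":
            entries.append((kind, value, line))
    return entries, problems


def domain_covers(trusted, threat):
    """Exact match, or a trusted "*.example.org" covering "x.example.org" (assumption)."""
    if trusted == threat:
        return True
    return trusted.startswith("*.") and threat.endswith(trusted[1:])


def shadowed(threat_entries, trusted_entries):
    """Threat entries that overlap a trusted entry and so would be suppressed."""
    hits = []
    for kind, value, line in threat_entries:
        for t_kind, t_value, t_line in trusted_entries:
            if kind != t_kind:
                continue
            if kind == "ip":
                covered = value.overlaps(t_value)
            else:
                covered = domain_covers(t_value, value)
            if covered:
                hits.append((line, t_line))
                break
    return hits


# Constructed sample lists (not real threat intelligence).
THREAT_TXT = """192.0.2.0/24
198.51.100.7
2001:db8::1
10.1.2.3
bad.example.org
EXAMPLE.net
not a domain
"""
TRUSTED_TXT = """192.0.2.10
*.example.org
203.0.113.0/24
"""

if __name__ == "__main__":
    threat, threat_problems = parse_list(THREAT_TXT)
    trusted, _ = parse_list(TRUSTED_TXT)
    for lineno, line, problem in threat_problems:
        print("threat list line %d: %r: %s" % (lineno, line, problem))
    for threat_line, trusted_line in shadowed(threat, trusted):
        print("threat entry %s is overridden by trusted entry %s" % (threat_line, trusted_line))
```
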

### Structured Threat Information Expression (STIX)


This format supports IP addresses, CIDR blocks, and domain names. STIX allows you to include additional context with your threat intelligence. GuardDuty processes IP addresses, CIDR ranges, and domain names from the STIX indicators.

**Example for an entity list**

```
<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    id="example:Package-a1b2c3d4-1111-2222-3333-444455556666"
    version="1.2">
    <stix:Indicators>
        <stix:Indicator
            id="example:indicator-a1b2c3d4-aaaa-bbbb-cccc-ddddeeeeffff"
            timestamp="2025-08-12T00:00:00Z"
            xsi:type="indicator:IndicatorType"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <indicator:Title>Malicious domain observed Example</indicator:Title>
            <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
            <indicator:Observable id="example:Observable-0000-1111-2222-3333">
                <cybox:Object id="example:Object-0000-1111-2222-3333">
                    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
                        <DomainNameObj:Value condition="Equals">bad.example.com</DomainNameObj:Value>
                    </cybox:Properties>
                </cybox:Object>
            </indicator:Observable>
        </stix:Indicator>
    </stix:Indicators>
</stix:STIX_Package>
```

**Example for an IP address list**

```
<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObject="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="
    http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd
    http://stix.mitre.org/Campaign-1 http://stix.mitre.org/XMLSchema/campaign/1.2/campaign.xsd
    http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
    http://stix.mitre.org/TTP-2 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
    http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
    http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd"
    id="example:STIXPackage-a78fc4e3-df94-42dd-a074-6de62babfe16"
    version="1.2">
    <stix:Observables cybox_major_version="1" cybox_minor_version="1">
        <cybox:Observable id="example:observable-80b26f43-dc41-43ff-861d-19aff31e0236">
            <cybox:Object id="example:object-161a5438-1c26-4275-ba44-a35ba963c245">
                <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
                    <AddressObject:Address_Value condition="InclusiveBetween">192.0.2.0##comma##192.0.2.255</AddressObject:Address_Value>
                </cybox:Properties>
            </cybox:Object>
        </cybox:Observable>
        <cybox:Observable id="example:observable-b442b399-aea4-436f-bb34-b9ef6c5ed8ab">
            <cybox:Object id="example:object-b422417f-bf78-4b34-ba2d-de4b09590a6d">
                <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
                    <AddressObject:Address_Value>198.51.100.1</AddressObject:Address_Value>
                </cybox:Properties>
            </cybox:Object>
        </cybox:Observable>
        <cybox:Observable id="example:observable-1742fa06-8b5e-4449-9d89-6f9f32595784">
            <cybox:Object id="example:object-dc73b749-8a31-46be-803f-71df77565391">
                <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
                    <AddressObject:Address_Value>203.0.113.1</AddressObject:Address_Value>
                </cybox:Properties>
            </cybox:Object>
        </cybox:Observable>
    </stix:Observables>
</stix:STIX_Package>
```
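To review what a STIX 1.x feed actually contributes before adding it as a list, the indicators can be extracted locally, including `InclusiveBetween` ranges written with the `##comma##` delimiter. This is an added example, not AWS code: the embedded package is constructed, and the output is a local preview only, since the page does not describe how GuardDuty itself expands ranges.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Fully qualified element names for the two observable types used in the samples.
ADDR_TAG = "{http://cybox.mitre.org/objects#AddressObject-2}Address_Value"
DOMAIN_TAG = "{http://cybox.mitre.org/objects#DomainNameObject-1}Value"


def address_entries(text, condition):
    """Turn one Address_Value into plaintext entries (IPv4 only)."""
    if condition == "InclusiveBetween":
        parts = [p.strip() for p in text.split("##comma##")]
        if len(parts) != 2:
            raise ValueError("InclusiveBetween needs exactly two addresses: %r" % text)
        low, high = (ipaddress.IPv4Address(p) for p in parts)
        # A range that is not CIDR-aligned becomes several CIDR blocks.
        return [str(n) for n in ipaddress.summarize_address_range(low, high)]
    if "/" in text:
        return [str(ipaddress.IPv4Network(text, strict=False))]
    return [str(ipaddress.IPv4Address(text))]


def stix_to_entries(xml_bytes):
    """Return IPs, CIDR ranges and domains from a STIX 1.x package, in document order."""
    # Feeds are third-party input: refuse DTDs and entity declarations outright.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declarations are not expected in a STIX feed")
    root = ET.fromstring(xml_bytes)
    entries = []
    for element in root.iter():
        text = (element.text or "").strip()
        if not text:
            continue
        if element.tag == ADDR_TAG:
            entries.extend(address_entries(text, element.get("condition", "Equals")))
        elif element.tag == DOMAIN_TAG:
            entries.append(text.lower())
    return list(dict.fromkeys(entries))  # de-duplicate, keep order


# Constructed sample package, reduced from the formats shown above.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObject="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    version="1.2">
  <stix:Observables cybox_major_version="1" cybox_minor_version="1">
    <cybox:Observable><cybox:Object>
      <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
        <AddressObject:Address_Value condition="InclusiveBetween">192.0.2.0##comma##192.0.2.255</AddressObject:Address_Value>
      </cybox:Properties>
    </cybox:Object></cybox:Observable>
    <cybox:Observable><cybox:Object>
      <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
        <AddressObject:Address_Value>198.51.100.1</AddressObject:Address_Value>
      </cybox:Properties>
    </cybox:Object></cybox:Observable>
    <cybox:Observable><cybox:Object>
      <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
        <AddressObject:Address_Value condition="InclusiveBetween">198.51.100.4##comma##198.51.100.9</AddressObject:Address_Value>
      </cybox:Properties>
    </cybox:Object></cybox:Observable>
    <cybox:Observable><cybox:Object>
      <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
        <DomainNameObj:Value condition="Equals">bad.example.com</DomainNameObj:Value>
      </cybox:Properties>
    </cybox:Object></cybox:Observable>
  </stix:Observables>
</stix:STIX_Package>
"""

if __name__ == "__main__":
    for entry in stix_to_entries(SAMPLE):
        print(entry)
```
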

### Open Threat Exchange (OTX)™ CSV


This format supports CIDR blocks, individual IP addresses, and domains. This file format has comma-separated values.

**Example for entity list**

```
Indicator type, Indicator, Description
CIDR, 192.0.2.0/24, example
IPv4, 198.51.100.1, example
IPv4, 203.0.113.1, example
Domain name, example.net, example
```

**Example for IP address list**

```
Indicator type, Indicator, Description
CIDR, 192.0.2.0/24, example
IPv4, 198.51.100.1, example
IPv4, 203.0.113.1, example
```

### FireEye™ iSIGHT Threat Intelligence CSV


This format supports CIDR blocks, individual IP addresses, and domains. The following sample lists use the FireEye™ CSV format.

**Example for entity list**

```
reportId, title, threatScape, audience, intelligenceType, publishDate, reportLink, webLink, emailIdentifier, senderAddress, senderName, sourceDomain, sourceIp, subject, recipient, emailLanguage, fileName, fileSize, fuzzyHash, fileIdentifier, md5, sha1, sha256, description, fileType, packer, userAgent, registry, fileCompilationDateTime, filePath, asn, cidr, domain, domainTimeOfLookup, networkIdentifier, ip, port, protocol, registrantEmail, registrantName, networkType, url, malwareFamily, malwareFamilyId, actor, actorId, observationTime

01-00000001, Example, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000001, https://www.example.com/report/01-00000001, , , , , , , , , , , , , , , , , , , , , , , , 192.0.2.0/24, , , Related, , , , , , network, , Ursnif, 21a14673-0d94-46d3-89ab-8281a0466099, , , 1494944400

01-00000002, Example, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000002, https://www.example.com/report/01-00000002, , , , , , , , , , , , , , , , , , , , , , , , , , , Related, 198.51.100.1, , , , , network, , Ursnif, 12ab7bc4-62ed-49fa-99e3-14b92afc41bf, , ,1494944400

01-00000003, Example, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000003, https://www.example.com/report/01-00000003, , , , , , , , , , , , , , , , , , , , , , , , , , , Related, 203.0.113.1, , , , , network, , Ursnif, 8a78c3db-7bcb-40bc-a080-75bd35a2572d, , , 1494944400

 01-00000002, Malicious domain observed in test, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000002,https://www.example.com/report/01-00000002,,,,,,,,,,,,,,,,,,,,,,,, 203.0.113.0/24, example.com,, Related, 203.0.113.0, 8080, UDP,,, network,, Ursnif, fc13984c-c767-40c9-8329-f4c59557f73b,,, 1494944400
```

**Example for IP address list**

```
reportId, title, threatScape, audience, intelligenceType, publishDate, reportLink, webLink, emailIdentifier, senderAddress, senderName, sourceDomain, sourceIp, subject, recipient, emailLanguage, fileName, fileSize, fuzzyHash, fileIdentifier, md5, sha1, sha256, description, fileType, packer, userAgent, registry, fileCompilationDateTime, filePath, asn, cidr, domain, domainTimeOfLookup, networkIdentifier, ip, port, protocol, registrantEmail, registrantName, networkType, url, malwareFamily, malwareFamilyId, actor, actorId, observationTime

01-00000001, Example, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000001, https://www.example.com/report/01-00000001, , , , , , , , , , , , , , , , , , , , , , , , 192.0.2.0/24, , , Related, , , , , , network, , Ursnif, 21a14673-0d94-46d3-89ab-8281a0466099, , , 1494944400

01-00000002, Example, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000002, https://www.example.com/report/01-00000002, , , , , , , , , , , , , , , , , , , , , , , , , , , Related, 198.51.100.1, , , , , network, , Ursnif, 12ab7bc4-62ed-49fa-99e3-14b92afc41bf, , ,1494944400

01-00000003, Example, Test, Operational, threat, 1494944400, https://www.example.com/report/01-00000003, https://www.example.com/report/01-00000003, , , , , , , , , , , , , , , , , , , , , , , , , , , Related, 203.0.113.1, , , , , network, , Ursnif, 8a78c3db-7bcb-40bc-a080-75bd35a2572d, , , 1494944400
```

### Proofpoint™ ET Intelligence Feed CSV


In the Proofpoint CSV format, you can add either IP addresses or domain names in one list. The following sample list uses the `Proofpoint` CSV format. Providing a value for the `ports` parameter is optional. When you don't provide it, leave a trailing comma (,) at the end.

**Example for entity list**

```
domain, category, score, first_seen, last_seen, ports (|)
198.51.100.1, 1, 100, 2000-01-01, 2000-01-01, 
203.0.113.1, 1, 100, 2000-01-01, 2000-01-01, 80
```

**Example for IP address list**

```
ip, category, score, first_seen, last_seen, ports (|)
198.51.100.1, 1, 100, 2000-01-01, 2000-01-01, 
203.0.113.1, 1, 100, 2000-01-01, 2000-01-01, 80
```

### AlienVault™ Reputation Feed


The following sample list uses the `AlienVault` format.

**Example for entity list**

```
192.0.2.1#4#2#Malicious Host#KR##37.5111999512,126.974098206#3
192.0.2.2#4#2#Scanning Host#IN#Gurgaon#28.4666996002,77.0333023071#3
192.0.2.3#4#2##CN#Guangzhou#23.1166992188,113.25#3
www.test.org#4#2#Malicious Host#CA#Brossard#45.4673995972,-73.4832000732#3
www.example.com#4#2#Malicious Host#PL##52.2393989563,21.0361995697#3
```

**Example for IP address list**

```
198.51.100.1#4#2#Malicious Host#US##0.0,0.0#3
203.0.113.1#4#2#Malicious Host#US##0.0,0.0#3
```

## Understanding list statuses


When you add an entity list or an IP address list, GuardDuty shows the status of that list. The **Status** column indicates whether the list is effective and if any action is required. The following list describes valid status values:
+ **Active** – Indicates the list is currently in use for custom threat detection.
+ **Inactive** – Indicates that the list is currently not in use. For GuardDuty to use this list for threat detection in your environment, see Step 3: Activating an entity list or IP address list in [Adding and activating an entity list or IP list](guardduty-lists-create-activate.md).
+ **Error** – Indicates that there is an issue with the list. Hover over the status to view the error details. 
+ **Activating** – Indicates that GuardDuty has initiated the process of activating the list. You can continue monitoring the status for this list. If there is no error, the status should update to **Active**. While the status remains **Activating**, you can't perform any action on this list. It might take a few minutes for the list status to change to **Active**.
+ **Deactivating** – Indicates that GuardDuty has initiated the process of deactivating the list. You can continue monitoring the status for this list. If there is no error, the status should update to **Inactive**. While the status remains **Deactivating**, you can't perform any action on this list.
+ **Delete Pending** – Indicates that the list is in the process of being deleted. While the status remains **Delete Pending**, you can't perform any action on this list.

# Setting up prerequisites for entity lists and IP address lists


GuardDuty uses entity lists and IP address lists to customize threat detection in your AWS environment. Entity lists (recommended) support both IP addresses and domain names, while IP address lists support only IP addresses. Before you begin creating these lists, you must add the required permissions for the type of list that you want to use.

## Prerequisites for entity lists


When you add entity lists, GuardDuty reads your trusted and threat intelligence lists from S3 buckets. The role you use to create entity lists must have the `s3:GetObject` permission for the S3 buckets that contain these lists.

**Note**  
In a multi-account environment, only the GuardDuty administrator account can manage lists, which automatically apply to member accounts.

If you don't already have the `s3:GetObject` permission for the S3 bucket location, then use the following example policy and replace *amzn-s3-demo-bucket* with your S3 bucket location.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/[object-key]"
        }
    ]
}
```


## Prerequisites for IP address lists


Various IAM identities require special permissions to work with trusted IP lists and threat lists in GuardDuty. An identity with the attached [AmazonGuardDutyFullAccess_v2 (recommended)](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2) managed policy can only rename and deactivate uploaded trusted IP lists and threat lists.

To grant various identities full access to working with trusted IP lists and threat lists (in addition to renaming and deactivating, this includes adding, activating, deleting, and updating the location or name of the lists), make sure that the following actions are present in the permissions policy attached to a user, group, or role: 

```
{
    "Effect": "Allow",
    "Action": [
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
    ],
    "Resource": "arn:aws:iam::555555555555:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
}
```

**Important**  
These actions are not included in the `AmazonGuardDutyFullAccess` managed policy.

### Using SSE-KMS encryption with entity lists and IP lists


GuardDuty supports SSE-AES256 and SSE-KMS encryption for your lists. SSE-C is not supported. For more information about encryption types for S3, see [Protecting data using server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html). 

Regardless of whether you use entity lists or IP lists, if you use SSE-KMS, then add the following statement to your AWS KMS key policy. Replace *123456789012* with your own account ID.

```
{
    "Sid": "AllowGuardDutyServiceRole",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
    },
    "Action": "kms:Decrypt*",
    "Resource": "*"
}
```

# Adding and activating an entity list or IP list


Entity lists and IP address lists help you customize the threat detection capabilities in GuardDuty. For more information about these lists, see [Understanding entity lists and IP address lists](guardduty_upload-lists.md#guardduty-threat-intel-list-entity-sets). To manage the trusted and threat intelligence data for your AWS environment, GuardDuty recommends using entity lists. Before you begin, see [Setting up prerequisites for entity lists and IP address lists](guardduty-lists-prerequisites.md).

Choose one of the following access methods to add and activate a trusted entity list, threat entity list, trusted IP list, or a threat IP list.

------
#### [ Console ]

**(Optional) step 1: Fetching location URL of your list**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation pane, choose **Buckets**.

1. Choose the Amazon S3 bucket name that contains the specific list that you want to add.

1. Choose the object (list) name to view its details.

1. Under the **Properties** tab, copy the **S3 URI** for this object.

**Step 2: Adding trusted or threat intelligence data**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Lists**.

1. On the **Lists** page, choose **Entity lists** or **IP address lists** tab.

1. Based on your selected tab, choose to add a trusted list or a threat list.

1. In the dialog box to add either trusted or threat list, do the following steps:

   1. For **List name**, enter a name for your list.

      **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

      For an IP address list, the name of your list must be unique within an AWS account and Region.

   1. For **Location**, provide the location where you have uploaded your list. If you don't already have it, see [Step 1: Fetching location URL of your list](#fetch-location-URL-list-manage).

      Applies only to custom threat and custom trusted entity sets – If you provide a location URL that doesn't match the following supported formats, then you will receive an error message during list addition and activation.

      **Format of location URL:**
      + https://s3.amazonaws.com/bucket.name/file.txt
      + https://s3-aws-region.amazonaws.com/bucket.name/file.txt
      + http://bucket.s3.amazonaws.com/file.txt
      + http://bucket.s3-aws-region.amazonaws.com/file.txt
      + s3://bucket.name/file.txt

   1. (Optional) For **Expected bucket owner**, you can enter the AWS account ID that owns the Amazon S3 bucket specified in the **Location** field.

      When you don't specify an AWS account ID owner, then GuardDuty behaves differently for entity lists and IP address lists. For entity lists, GuardDuty will validate that the current member account owns the S3 bucket specified in the **Location** field. For IP address lists, if you don't specify an AWS account ID owner, GuardDuty doesn't perform any validation.

      If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating the list.

   1. Select the **I agree** check box.

   1. Choose **Add list**. By default, the **Status** of the added list is **Inactive**. For the list to be effective, you must activate the list.

**Step 3: Activating an entity list or IP address list**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Lists**.

1. On the **Lists** page, select the tab in which you want to activate the list - **Entity lists** or **IP address lists**.

1. Select one list that you want to activate. This will enable the **Action** and **Edit** menu.

1. Choose **Action**, and then choose **Activate**. 
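The **Location** value and the `s3:GetObject` prerequisite refer to the same object, so one can be derived from the other. The following added example (not AWS code) parses the five location URL shapes listed in Step 2 and builds a policy scoped to exactly those objects; it encodes only the shapes shown on this page, and it assumes the `aws` partition and a hypothetical Region name in the sample URLs.

```python
import json
import re
from urllib.parse import urlsplit

# Path-style hosts: s3.amazonaws.com or s3-<region>.amazonaws.com
PATH_HOST = re.compile(r"^s3(-[a-z0-9-]+)?\.amazonaws\.com$")
# Virtual-hosted hosts: <bucket>.s3.amazonaws.com or <bucket>.s3-<region>.amazonaws.com
VHOST = re.compile(r"^(?P<bucket>.+)\.s3(-[a-z0-9-]+)?\.amazonaws\.com$")


def parse_location(location):
    """Return (bucket, key) for a list location, or raise ValueError."""
    parts = urlsplit(location)
    host = parts.netloc.lower()
    path = parts.path.lstrip("/")
    if parts.scheme == "s3":
        bucket, key = parts.netloc, path
    elif parts.scheme in ("http", "https") and PATH_HOST.match(host):
        bucket, _, key = path.partition("/")
    elif parts.scheme in ("http", "https") and (match := VHOST.match(host)):
        bucket, key = match.group("bucket"), path
    else:
        raise ValueError("location does not match a supported format: %r" % location)
    if not bucket or not key:
        raise ValueError("location must name both a bucket and an object: %r" % location)
    return bucket, key


def getobject_policy(locations):
    """Build an IAM policy allowing s3:GetObject on exactly the listed objects."""
    resources = sorted({"arn:aws:s3:::%s/%s" % parse_location(loc) for loc in locations})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": resources}
        ],
    }


# Constructed sample locations; two of them point at the same object.
SAMPLE_LOCATIONS = [
    "s3://amzn-s3-demo-bucket/lists/threat.txt",
    "https://s3.amazonaws.com/amzn-s3-demo-bucket/lists/threat.txt",
    "http://amzn-s3-demo-bucket.s3-us-west-2.amazonaws.com/lists/trusted.txt",
]

if __name__ == "__main__":
    print(json.dumps(getobject_policy(SAMPLE_LOCATIONS), indent=4))
```
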

------
#### [ API/CLI ]

**To add and activate a trusted entity list**

1. Run [CreateTrustedEntitySet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateTrustedEntitySet.html). Make sure to provide the `detectorId` of the member account for which you want to create this trusted entity list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

   **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

1. Alternatively, you can do this by running the following AWS Command Line Interface command: 

   ```
   aws guardduty create-trusted-entity-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --name "AnyOrganization ListEXAMPLE" \
   --format TXT \
   --location "https://s3.amazonaws.com/amzn-s3-demo-bucket/DOC-EXAMPLE-SOURCE-FILE.format" \
   --activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will create the trusted entity list, and other placeholder values that are *shown in red*.

   If you don't want to activate this newly created list, then replace the parameter `--activate` with `--no-activate`.

   The `expected-bucket-owner` parameter is optional. Whether or not you specify the value for this parameter, GuardDuty validates that the AWS account ID associated with this `--detector-id` value owns the S3 bucket specified in the `--location` parameter. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.

   Applies only to custom threat and custom trusted entity sets – If you provide a location URL that doesn't match the following supported formats, then you will receive an error message during list addition and activation.

**To add and activate threat entity lists**

1. Run [CreateThreatEntitySet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateThreatEntitySet.html). Make sure to provide the `detectorId` of the member account for which you want to create this threat entity list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

   **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

1. Alternatively, you can do this by running the following AWS Command Line Interface command: 

   ```
   aws guardduty create-threat-entity-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --name "AnyOrganization ListEXAMPLE" \
   --format TXT \
   --location "https://s3.amazonaws.com/amzn-s3-demo-bucket/DOC-EXAMPLE-SOURCE-FILE.format" \
   --activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will create the threat entity list, and other placeholder values that are *shown in red*.

   If you don't want to activate this newly created list, then replace the parameter `--activate` with `--no-activate`.

   The `expected-bucket-owner` parameter is optional. Whether or not you specify the value for this parameter, GuardDuty validates that the AWS account ID associated with this `--detector-id` value owns the S3 bucket specified in the `--location` parameter. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.

   Applies only to custom threat and custom trusted entity sets – If you provide a location URL that doesn't match the following supported formats, then you will receive an error message during list addition and activation.

**To add and activate a trusted IP address list**

1. Run [CreateIPSet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateIPSet.html). Make sure to provide the `detectorId` of the member account for which you want to create this trusted IP address list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

   For an IP address list, the name of your list must be unique within an AWS account and Region.

   **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

1. Alternatively, you can do this by running the following AWS Command Line Interface command and make sure to replace the `detector-id` with the detector ID of the member account for which you will update the trusted IP address list.

   ```
   aws guardduty create-ip-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --name "AnyOrganization ListEXAMPLE" \
   --format TXT \
   --location "https://s3.amazonaws.com/amzn-s3-demo-bucket/DOC-EXAMPLE-SOURCE-FILE.format" \
   --activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will create the trusted IP list, and other placeholder values that are *shown in red*.

   If you don't want to activate this newly created list, then replace the parameter `--activate` with `--no-activate`.

   The `expected-bucket-owner` parameter is optional. When you don't specify the account ID that owns the S3 bucket, GuardDuty doesn't perform any validation. When you specify the account ID for the `expected-bucket-owner` parameter, GuardDuty validates that this AWS account ID owns the S3 bucket specified in the `--location` parameter. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.

**To add and activate threat IP lists**

1. Run [CreateThreatIntelSet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateThreatIntelSet.html). Make sure to provide the `detectorId` of the member account for which you want to create this threat IP address list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

   **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

   For an IP address list, the name of your list must be unique within an AWS account and Region.

1. Alternatively, run the following AWS Command Line Interface command. Replace the `detector-id` with the detector ID of the member account for which you will create the threat IP list.

   ```
   aws guardduty create-threat-intel-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --name "AnyOrganization ListEXAMPLE" \
   --format TXT \
   --location "https://s3.amazonaws.com/amzn-s3-demo-bucket/DOC-EXAMPLE-SOURCE-FILE.format" \
   --activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will create the threat IP list, and other placeholder values that are *shown in red*.

   If you don't want to activate this newly created list, then replace the parameter `--activate` with `--no-activate`.

   The `expected-bucket-owner` parameter is optional. When you don't specify the account ID that owns the S3 bucket, GuardDuty doesn't perform any validation. When you specify the account ID for the `expected-bucket-owner` parameter, GuardDuty validates that this AWS account ID owns the S3 bucket specified in the `--location` parameter. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.

------

After you activate an entity list or IP address list, it might take a few minutes for this list to be effective. For more information, see [Important considerations for GuardDuty lists](guardduty_upload-lists.md#guardduty-lists-entity-sets-considerations).

# Updating an entity list or IP address list


Entity lists and IP address lists help you customize the threat detection capabilities in GuardDuty. For more information about these lists, see [Understanding entity lists and IP address lists](guardduty_upload-lists.md#guardduty-threat-intel-list-entity-sets).

You can update the name of a list, S3 bucket location, expected bucket owner account ID, and the entries in an existing list. If you update the entries in a list, you must follow the steps to activate the list again for GuardDuty to use the latest version of the list. After you update or activate an entity list or IP address list, it might take a few minutes for this list to be effective. For more information, see [Important considerations for GuardDuty lists](guardduty_upload-lists.md#guardduty-lists-entity-sets-considerations).

**Note**  
If the status of a list is **Activating**, **Deactivating**, or **Delete Pending**, you must wait for a few minutes before performing any action. For information about these statuses, see [Understanding list statuses](guardduty_upload-lists.md#guardduty-entity-list-statuses).

Choose one of the access methods to update an entity list or IP address list.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Lists**.

1. On the **Lists** page, select the appropriate tab - **Entity lists** or **IP address lists**.

1. Select one list (trusted or threat) that you want to update. This will enable the **Action** and **Edit** menus.

1. Choose **Edit**.

1. In the dialog box to update the list, specify the details that you want to update.

   **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

   For an IP address list, the name of your list must be unique within an AWS account and Region.

   Applies only to custom threat and custom trusted entity sets – If you provide a location URL that doesn't match the following supported formats, then you will receive an error message during list addition and activation.

1. (Optional) For **Expected bucket owner**, you can enter the AWS account ID that owns the Amazon S3 bucket specified in the **Location** field.

   When you don't specify an AWS account ID owner, then GuardDuty behaves differently for entity lists and IP address lists. For entity lists, GuardDuty will validate that the current member account owns the S3 bucket specified in the **Location** field. For IP address lists, if you don't specify an AWS account ID owner, GuardDuty doesn't perform any validation.

   If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating the list.

1. Select the **I agree** check box, and then choose **Update list**. 

------
#### [ API/CLI ]

To begin with the following procedures, you need the ID, such as `trustedEntitySetId`, `threatEntitySetId`, `trustedIpSet`, or `threatIpSet`, that is associated with the list resource you want to update. 

**To update and activate a trusted entity list**

1. Run [UpdateTrustedEntitySet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateTrustedEntitySet.html). Make sure to provide the `detectorId` of the member account for which you want to update this trusted entity list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

   **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

1. Alternatively, you can do this by running the following AWS Command Line Interface command that updates the `name` of the list and also activates this list: 

   ```
   aws guardduty update-trusted-entity-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --name "AnyOrganization ListEXAMPLE" \
   --trusted-entity-set-id d4b94fc952d6912b8f3060768example \
   --activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will update the trusted entity list, and other placeholder values that are *shown in red*.

   If you don't want to activate this list, then replace the parameter `--activate` with `--no-activate`.

   The `expected-bucket-owner` parameter is optional. Whether or not you specify the value for this parameter, GuardDuty validates that the AWS account ID associated with this `--detector-id` value owns the S3 bucket specified in the `--location` parameter. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.

   Applies only to custom threat and custom trusted entity sets – If you provide a location URL that doesn't match the following supported formats, then you will receive an error message during list addition and activation.

**To update and activate a threat entity list**

1. Run [UpdateThreatEntitySet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateThreatEntitySet.html). Make sure to provide the `detectorId` of the member account for which you want to update this threat entity list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

   **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

1. Alternatively, you can do this by running the following AWS Command Line Interface command that updates the `name` of the list and also activates this list: 

   ```
   aws guardduty update-threat-entity-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --name "AnyOrganization ListEXAMPLE" \
   --threat-entity-set-id d4b94fc952d6912b8f3060768example \
   --activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will update the threat entity list, and other placeholder values that are *shown in red*.

   If you don't want to activate this list, then replace the parameter `--activate` with `--no-activate`.

   The `expected-bucket-owner` parameter is optional. Whether or not you specify the value for this parameter, GuardDuty validates that the AWS account ID associated with this `--detector-id` value owns the S3 bucket specified in the `--location` parameter. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.

   Applies only to custom threat and custom trusted entity sets – If you provide a location URL that doesn't match the following supported formats, then you will receive an error message during list addition and activation.

**To update and activate a trusted IP address list**

1. Run [UpdateIPSet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateIPSet.html). Make sure to provide the `detectorId` of the member account for which you want to update this trusted IP address list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

   **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

   For an IP address list, the name of your list must be unique within an AWS account and Region.

1. Alternatively, you can do this by running the following AWS Command Line Interface command that also activates the list:

   ```
   aws guardduty update-ip-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --name "AnyOrganization ListEXAMPLE" \
   --ip-set-id d4b94fc952d6912b8f3060768example \
   --activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will update the trusted IP list, and other placeholder values that are *shown in red*.

   If you don't want to activate this list, then replace the parameter `--activate` with `--no-activate`.

   The `expected-bucket-owner` parameter is optional. When you don't specify the account ID that owns the S3 bucket, GuardDuty doesn't perform any validation. When you specify the account ID for the `expected-bucket-owner` parameter, GuardDuty validates that this AWS account ID owns the S3 bucket specified in the `--location` parameter. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.

**To update and activate a threat IP list**

1. Run [UpdateThreatIntelSet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateThreatIntelSet.html). Make sure to provide the `detectorId` of the member account for which you want to update this threat IP address list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

   **List naming constraints** – The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).

   For an IP address list, the name of your list must be unique within an AWS account and Region.

1. Alternatively, you can do this by running the following AWS Command Line Interface command that also activates the list:

   ```
   aws guardduty update-threat-intel-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --name "AnyOrganization ListEXAMPLE" \
   --threat-intel-set-id d4b94fc952d6912b8f3060768example \
   --activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will update the threat IP list, and other placeholder values that are *shown in red*.

   If you don't want to activate this list, then replace the parameter `--activate` with `--no-activate`.

   The `expected-bucket-owner` parameter is optional. When you don't specify the account ID that owns the S3 bucket, GuardDuty doesn't perform any validation. When you specify the account ID for the `expected-bucket-owner` parameter, GuardDuty validates that this AWS account ID owns the S3 bucket specified in the `--location` parameter. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.

------
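The update steps above say to wait while a list is **Activating**, **Deactivating**, or **Delete Pending**, and that for IP address lists GuardDuty performs no bucket-ownership validation when `expected-bucket-owner` is omitted. The wrapper below is an added example, not AWS-provided code: it polls the list status, then updates and activates a trusted IP address list only when an expected bucket owner is supplied. The function names, the `POLL_TRIES` and `POLL_SECONDS` variables, and reading the status through `get-ip-set` with `--query Status` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not AWS-provided code. Function names and the POLL_* variables
# are assumptions made for this example.

POLL_TRIES="${POLL_TRIES:-20}"      # status checks before giving up
POLL_SECONDS="${POLL_SECONDS:-30}"  # pause between status checks

# Documented naming constraint: letters, numbers, dash (-), underscore (_).
valid_list_name() {
  case "$1" in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# AWS account IDs are exactly 12 digits.
valid_account_id() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# API status values for which the page says to wait before any action.
is_transitional() {
  case "$1" in
    ACTIVATING | DEACTIVATING | DELETE_PENDING) return 0 ;;
  esac
  return 1
}

# wait_until_settled DETECTOR_ID IP_SET_ID
# Prints the first non-transitional status; returns 1 on timeout, 2 on API error.
wait_until_settled() {
  local tries="$POLL_TRIES" status
  while [ "$tries" -gt 0 ]; do
    status="$(aws guardduty get-ip-set --detector-id "$1" --ip-set-id "$2" \
      --query Status --output text)" || return 2
    if ! is_transitional "$status"; then
      printf '%s\n' "$status"
      return 0
    fi
    tries=$((tries - 1))
    sleep "$POLL_SECONDS"
  done
  return 1
}

# update_ip_list DETECTOR_ID IP_SET_ID NAME LOCATION EXPECTED_BUCKET_OWNER
update_ip_list() {
  local status
  valid_list_name "$3" || { echo "invalid list name: $3" >&2; return 64; }
  # For IP address lists GuardDuty skips the ownership check when no owner is
  # given, so this wrapper refuses to run without a well-formed account ID.
  valid_account_id "$5" || { echo "expected bucket owner required" >&2; return 64; }
  status="$(wait_until_settled "$1" "$2")" || { echo "list not ready" >&2; return 1; }
  if [ "$status" = DELETED ]; then
    echo "list $2 is deleted" >&2
    return 1
  fi
  aws guardduty update-ip-set \
    --detector-id "$1" --ip-set-id "$2" \
    --name "$3" --location "$4" \
    --expected-bucket-owner "$5" \
    --activate
}

# Usage (placeholder IDs from this page; the account ID is a constructed value):
# update_ip_list 12abc34d567e8fa901bc2d34e56789f0 d4b94fc952d6912b8f3060768example \
#   Corp_Trusted-IPs \
#   "https://s3.amazonaws.com/amzn-s3-demo-bucket/DOC-EXAMPLE-SOURCE-FILE.format" \
#   111122223333
```

The same pattern applies to threat IP lists by swapping in `get-threat-intel-set` and `update-threat-intel-set` with `--threat-intel-set-id`.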

# De-activating entity list or IP address list


When you no longer want GuardDuty to use a list, you can deactivate it. It might take a few minutes for the process to complete. For more information, see [Important considerations for GuardDuty lists](guardduty_upload-lists.md#guardduty-lists-entity-sets-considerations). After the list gets deactivated, the entries in the entity list or IP address list will not impact threat detection in GuardDuty. 

Choose one of the access methods to deactivate the list.

------
#### [ Console ]

**To deactivate entity list or IP address list**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Lists**.

1. On the **Lists** page, select the tab in which you want to deactivate the list - **Entity lists** or **IP address lists**.

1. In the selected tab, select the list that you want to deactivate. 

1. Choose **Actions**, and then choose **Deactivate**. 

1. Confirm the action and choose **Deactivate**.

------
#### [ API/CLI ]

To begin with the following procedures, you need the ID, such as `trustedEntitySetId`, `threatEntitySetId`, `trustedIpSet`, or `threatIpSet`, that is associated with the list resource you want to deactivate. 

**To deactivate a trusted entity list**

1. Run [UpdateTrustedEntitySet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateTrustedEntitySet.html). Make sure to provide the `detectorId` of the member account for which you want to deactivate this trusted entity list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

1. Alternatively, you can do this by running the following AWS Command Line Interface command: 

   ```
   aws guardduty update-trusted-entity-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --trusted-entity-set-id d4b94fc952d6912b8f3060768example \
   --no-activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will deactivate the trusted entity list, and other placeholder values that are *shown in red*.

**To deactivate threat entity lists**

1. Run [UpdateThreatEntitySet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateThreatEntitySet.html). Make sure to provide the `detectorId` of the member account for which you want to deactivate this threat entity list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

1. Alternatively, you can do this by running the following AWS Command Line Interface command: 

   ```
   aws guardduty update-threat-entity-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --threat-entity-set-id d4b94fc952d6912b8f3060768example \
   --no-activate
   ```

   Replace `detector-id` with the detector ID of the member account for which you will deactivate the threat entity list, and other placeholder values that are *shown in red*.

**To deactivate a trusted IP address list**

1. Run [UpdateIPSet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateIPSet.html). Make sure to provide the `detectorId` of the member account for which you want to deactivate this trusted IP address list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

1. Alternatively, run the following AWS Command Line Interface command. Replace the `detector-id` with the detector ID of the member account for which you will deactivate the trusted IP address list.

   ```
   aws guardduty update-ip-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --ip-set-id d4b94fc952d6912b8f3060768example \
   --no-activate
   ```

**To deactivate threat IP list**

1. Run [UpdateThreatIntelSet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateThreatIntelSet.html). Make sure to provide the `detectorId` of the member account for which you want to deactivate this threat IP address list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

1. Alternatively, run the following AWS Command Line Interface command. Replace the `detector-id` with the detector ID of the member account for which you will deactivate the threat IP list.

   ```
   aws guardduty update-threat-intel-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --threat-intel-set-id d4b94fc952d6912b8f3060768example \
   --no-activate
   ```

------

# Deleting entity list or IP address list


When you no longer want to keep a list entry in your entity set or IP address set, you can delete it. It might take a few minutes for the process to complete. For more information, see [Important considerations for GuardDuty lists](guardduty_upload-lists.md#guardduty-lists-entity-sets-considerations). 

If the status of the list is **Activating** or **Deactivating**, you must wait for a few minutes before performing any action. For more information, see [Understanding list statuses](guardduty_upload-lists.md#guardduty-entity-list-statuses).

Choose one of the access methods to delete the list.

------
#### [ Console ]

**To delete entity list or IP address list**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Lists**.

1. On the **Lists** page, select the tab in which you want to delete the list - **Entity lists** or **IP address lists**.

1. In the selected tab, select the list that you want to delete. 

1. Choose **Actions**, and then choose **Delete**. 

   The list status will change to **Delete Pending**. It might take a few minutes for the list to get deleted.

------
#### [ API/CLI ]

To begin with the following procedures, you need the ID, such as `trustedEntitySetId`, `threatEntitySetId`, `trustedIpSet`, or `threatIpSet`, that is associated with the list resource you want to delete. 

**To delete a trusted entity list**

1. Run [DeleteTrustedEntitySet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteTrustedEntitySet.html). Make sure to provide the `detectorId` of the member account for which you want to delete this trusted entity list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

1. Alternatively, you can do this by running the following AWS Command Line Interface command: 

   ```
   aws guardduty delete-trusted-entity-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --trusted-entity-set-id d4b94fc952d6912b8f3060768example
   ```

   Replace `detector-id` with the detector ID of the member account for which you will delete the trusted entity list, and other placeholder values that are *shown in red*.

**To delete a threat entity list**

1. Run [DeleteThreatEntitySet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatEntitySet.html). Make sure to provide the `detectorId` of the member account for which you want to delete this threat entity list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

1. Alternatively, you can do this by running the following AWS Command Line Interface command: 

   ```
   aws guardduty delete-threat-entity-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --threat-entity-set-id d4b94fc952d6912b8f3060768example
   ```

   Replace `detector-id` with the detector ID of the member account for which you will delete the threat entity list, and other placeholder values that are *shown in red*.

**To delete a trusted IP address list**

1. Run [DeleteIPSet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteIPSet.html). Make sure to provide the `detectorId` of the member account for which you want to delete this trusted IP address list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

1. Alternatively, run the following AWS Command Line Interface command. Replace the `detector-id` with the detector ID of the member account for which you will delete the trusted IP address list.

   ```
   aws guardduty delete-ip-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --ip-set-id d4b94fc952d6912b8f3060768example
   ```

   Replace `detector-id` with the detector ID of the member account for which you will delete the trusted IP address list, and other placeholder values that are *shown in red*.

**To delete threat IP list**

1. Run [DeleteThreatIntelSet](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html). Make sure to provide the `detectorId` of the member account for which you want to delete this threat IP address list. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. 

1. Alternatively, run the following AWS Command Line Interface command. Replace the `detector-id` with the detector ID of the member account for which you will delete the threat IP list.

   ```
   aws guardduty delete-threat-intel-set \
   --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
   --threat-intel-set-id d4b94fc952d6912b8f3060768example
   ```

   Replace `detector-id` with the detector ID of the member account for which you will delete the threat IP list, and other placeholder values that are *shown in red*.

------