:doc:`GuardDuty <../../guardduty>` / Client / create_threat_intel_set

***********************
create_threat_intel_set
***********************



.. py:method:: GuardDuty.Client.create_threat_intel_set(**kwargs)

  

  Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/guardduty-2017-11-28/CreateThreatIntelSet>`_  


  **Request Syntax**
  ::

    response = client.create_threat_intel_set(
        DetectorId='string',
        Name='string',
        Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
        Location='string',
        Activate=True|False,
        ClientToken='string',
        Tags={
            'string': 'string'
        },
        ExpectedBucketOwner='string'
    )
    
  :type DetectorId: string
  :param DetectorId: **[REQUIRED]** 

    The unique ID of the detector of the GuardDuty account for which you want to create a ``threatIntelSet``.

     

    To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`__ API.

    

  
  :type Name: string
  :param Name: **[REQUIRED]** 

    A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.

    

  
  :type Format: string
  :param Format: **[REQUIRED]** 

    The format of the file that contains the ThreatIntelSet.

    

  
  :type Location: string
  :param Location: **[REQUIRED]** 

    The URI of the file that contains the ThreatIntelSet.

    

  
  :type Activate: boolean
  :param Activate: **[REQUIRED]** 

    A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.

    

  
  :type ClientToken: string
  :param ClientToken: 

    The idempotency token for the create request.

    This field is autopopulated if not provided.

  
  :type Tags: dict
  :param Tags: 

    The tags to be added to a new threat list resource.

    

  
    - *(string) --* 

    
      - *(string) --* 

      


  :type ExpectedBucketOwner: string
  :param ExpectedBucketOwner: 

    The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the **location** parameter.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'ThreatIntelSetId': 'string'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **ThreatIntelSetId** *(string) --* 

        The ID of the ThreatIntelSet resource.

        
  
  **Exceptions**
  
  *   :py:class:`GuardDuty.Client.exceptions.BadRequestException`

  
  *   :py:class:`GuardDuty.Client.exceptions.InternalServerErrorException`

  
  *   :py:class:`GuardDuty.Client.exceptions.AccessDeniedException`

  