GuardDuty - Building your own threat list

Implementing a threat list with a fictitious address

  1. Navigate to Amazon S3 in the AWS console.

  2. Find the bucket with “-threatlistbucket-” in the name and click on the name. VPC

Here is the bucket that the AWS Workshop account has setup VPC 3. Upload the threat list you created above to the S3 bucket. VPC

  1. Record the S3 URI of the file you have just uploaded. To find the URI, open the bucket, click to open the file, and copy the S3 URI. VPC

  2. Now we will add the list your uploaded to the S3 bucket to the Threat lists in GuardDuty. Return to Amazon GuardDuty.

  3. In the left navigation of GuardDuty, select Lists. VPC

  4. Click the button Add a threat IP list.

VPC

  1. In the List name box, give your list a friendly name like “Test Threat List”.

  2. Under location type the S3 URI for the uploaded file that you recorded earlier.

  3. Select Plaintext as the Format. VPC

  4. Click I Agree and then click Add list

  5. You will need to activate the list once it has been added to GuardDuty. Select the newly added list. Click Actions, and then select Activate. VPC

  6. A green status banner will appear saying “Successfully updated the list…”.

VPC