CreateIPSet
AWS
CreateIPSet
Event
Creates a GuardDuty IP set — a list of trusted or known malicious IP addresses used in threat intelligence.
Security Context
- Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.
Log Source
CloudTrail
Sample Event
Adversarial. Draco uploads a single-IP text file (containing 203.0.113.66) to a bucket the GuardDuty service can read, then calls CreateIPSet with activate: true to register it as a trusted IP set. While active, GuardDuty will not generate findings for activity originating from 203.0.113.66. This neutralizes the entire family of UnauthorizedAccess:IAMUser/MaliciousIPCaller-style findings without leaving traces in ArchiveFindings events.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T23:09:51Z", "eventSource": "guardduty.amazonaws.com", "eventName": "CreateIPSet", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "detectorId": "60000000000040008000001010011010", "name": "trusted-internal-scanners", "format": "TXT", "location": "https://s3.amazonaws.com/draco-exfil-bucket-666/trusted-ips-666.txt", "activate": true }, "responseElements": { "ipSetId": "60000000000040008000001010011011" }, "requestID": "90000000-0000-4000-8000-000010001100", "eventID": "90000000-0000-4000-8000-000010001101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...