MISP Warning Lists (Beta)

Enrich incoming events with indicator context from MISP warning lists

Overview

MISP Warning Lists enrichment is in open beta starting with Panther version 1.115, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Malware Information Sharing Platform (MISP) warning lists are collections of known, non-malicious indicators that can be associated to potential false positives or errors in threat intelligence. This context can help you evaluate the relevance and validity of Indicators of Compromise (IoCs).

The misp-warninglists repository on GitHub contains a comprehensive collection of these lists.

Learn how to view stored Enrichment Provider data here, and how to view log events with enrichment data here.

How MISP enrichment works

When the MISP warning lists Enrichment Provider is enabled:

If an incoming log has the p_any_ip_addresses field, each value contained within will be checked against all MISP warning lists where "type": "cidr".
If an IP address in p_any_ip_addresses appears in any cidr MISP warning lists, a misp_warning_lists object will be added in the log's p_enrichment object.
- See an example of an event enriched with MISP warning list data below.

Setting up MISP warning lists enrichment

How to set up MISP warning lists enrichment in the Panther Console

In the left-hand navigation bar in your Panther Console, click Detections.
Click the Packs tab.
Search for "MISP," and on the MISP Warning Lists Lookup Tables tile, click the Enabled toggle ON.
In the pop-up confirmation modal, click Continue.
To verify the Lookup Table is enabled, from the left sidebar menu, click Configure > Enrichment Providers.
- On this page, you can see Panther-managed Enrichment Providers. You can also see whether each source is currently enabled or disabled, and when a source’s data was last refreshed.

How to set up MISP Warning Lists enrichment in the CLI workflow

To set up MISP warning lists enrichment in the CLI workflow, follow the instructions for Enrichment Providers on Managing Lookup Tables and Enrichment Providers with the Panther Analysis Tool.

Take note that:

CLI users do not need to use Detection Packs to get MISP warning lists Lookup Tables. You can pull in the latest release of panther-analysis and use the panther_analysis_tool (PAT) to upload the MISP warning lists lookup Tables.
- To enable the MISP warning lists tables using the panther-analysis repository, make sure to open each corresponding YAML configuration file and set enabled: true.
It is possible for CLI users to enable MISP warning lists enrichment via Detection Packs (as is shown in the Console tab), as long as you do not customize the MISP warning lists tables using PAT.
- If you choose to manage MISP warning lists enrichment through PAT after enabling it in the Panther Console, you must first disable the Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage MISP warning lists is not supported.
For more information on how to manage MISP warning lists Lookup Tables, please see the MISP files in the panther-analysis GitHub repository.

Example event enriched with MISP warning lists data

Below is a Snowflake.LoginHistory log enriched with MISP data. The misp_warning_lists object within p_enrichment contains additional information about an IP address found in the p_any_ip_adresses field.

{
    "p_enrichment": {
	"misp_warning_lists": {
	    "p_any_ip_addresses": [
		{
		    "cidr": "35.160.0.0/12",
		    "p_match": "35.166.231.222",
		    "warning_lists": [
			{
			    "description": "Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)",
			    "id": "amazon-aws",
			    "name": "List of known Amazon AWS IP address ranges",
			    "version": 20250719
			}
		    ]
		}
	     ]
        }
    },
    "CLIENT_IP": "35.166.231.222",
    "EVENT_ID": "1829252345804554",
    "EVENT_TIMESTAMP": "2025-09-08 10:42:59.934000000",
    "EVENT_TYPE": "LOGIN",
    "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
    "IS_SUCCESS": "YES",
    "RELATED_EVENT_ID": "0",
    "REPORTED_CLIENT_TYPE": "GO_DRIVER",
    "REPORTED_CLIENT_VERSION": "1.13.2",
    "USER_NAME": "SOME_USER"
}

PreviousIPinfo NextSnowflake Enrichment (Beta)

Last updated 21 days ago

Was this helpful?