# MISP Warning Lists

## Overview

You can use Malware Information Sharing Platform (MISP) warning lists as an enrichment source in Panther. MISP warning lists are collections of known, non-malicious indicators that can be associated with potential false positives or errors in threat intelligence. This context can help you evaluate the relevance and validity of Indicators of Compromise (IoCs).

The [`misp-warninglists` repository on GitHub](https://github.com/MISP/misp-warninglists) contains a comprehensive collection of these lists.

Learn how to [view stored enrichment data here](/enrichment.md#viewing-and-managing-enrichments), and how to [view log events with enrichment data here](/enrichment.md#viewing-log-events-with-enrichment-data).

## How MISP enrichment works

When MISP warning lists enrichment is enabled:

1. If an incoming log has the `p_any_ip_addresses` field, each value contained within will be checked against all MISP warning lists where `"type": "cidr"`.
2. If an IP address in `p_any_ip_addresses` appears in any `cidr` MISP warning list, a `misp_warning_lists` object will be added to the log's `p_enrichment` object.
   * See an [example of an event enriched with MISP warning list data below](#example-event-enriched-with-misp-warning-lists-data).
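
The two steps above can be modeled in a few lines of Python. This is an added illustration, not Panther's implementation: the `enrich` function and the `sample-hostnames` list are hypothetical, and the list contents are constructed samples in the `misp-warninglists` JSON layout.

```python
import ipaddress

# Constructed lists in the misp-warninglists JSON layout; the contents are samples.
WARNING_LISTS = {
    "amazon-aws": {"type": "cidr", "version": 20250719,
                   "name": "List of known Amazon AWS IP address ranges",
                   "description": "Amazon AWS IP address ranges",
                   "list": ["35.160.0.0/12"]},
    # Hypothetical non-cidr list: never consulted for IP matching.
    "sample-hostnames": {"type": "hostname", "version": 1,
                         "name": "Constructed hostname list",
                         "description": "Constructed sample",
                         "list": ["35.166.231.222"]},
}


def enrich(event, lists=WARNING_LISTS):
    """Model of steps 1-2: return the event plus p_enrichment on a cidr match."""
    found = {}  # (cidr, ip) -> metadata of every list containing that pair
    for raw in event.get("p_any_ip_addresses", []):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # not an IP literal, nothing to look up
        for list_id, wl in lists.items():
            if wl["type"] != "cidr":
                continue  # only "type": "cidr" lists are checked
            for cidr in wl["list"]:
                net = ipaddress.ip_network(cidr, strict=False)
                if ip.version == net.version and ip in net:
                    found.setdefault((cidr, raw), []).append({
                        "description": wl["description"], "id": list_id,
                        "name": wl["name"], "version": wl["version"]})
    if not found:
        return dict(event)  # no match: no misp_warning_lists object is added
    hits = [{"cidr": c, "p_match": ip, "warning_lists": wls}
            for (c, ip), wls in found.items()]
    enriched = dict(event)
    enriched["p_enrichment"] = {**event.get("p_enrichment", {}),
                                "misp_warning_lists": {"p_any_ip_addresses": hits}}
    return enriched
```

An event without `p_any_ip_addresses`, or whose addresses fall outside every `cidr` list, comes back without a `misp_warning_lists` object.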

## Setting up MISP warning lists enrichment

{% tabs %}
{% tab title="Console" %}
**How to set up MISP warning lists enrichment in the Panther Console**

1. In the left-hand navigation bar in your Panther Console, click **Detections**.
2. Click the **Packs** tab.
3. Search for "MISP," and on the **MISP Warning Lists Lookup Tables** tile, click the **Enabled** toggle `ON`.
4. In the pop-up confirmation modal, click **Continue**.
5. To verify the enrichment is enabled, from the left sidebar menu, click **Configure** > **Enrichments**.
   * On this page, you can see all enrichment sources, whether each source is currently enabled or disabled, and when a source’s data was last refreshed.
{% endtab %}

{% tab title="CLI" %}
**How to set up MISP Warning Lists enrichment in the CLI workflow**

* To set up MISP warning lists enrichment in the CLI workflow, follow the instructions for Panther-managed enrichment sources on [Managing Lookup Tables and Enrichment Providers with the Panther Analysis Tool](/panther-developer-workflows/detections-repo/pat/managing-enrichment.md).

Take note that:

* CLI users do not need to use Detection Packs to get MISP warning lists enrichment tables. You can pull in the latest release of [`panther-analysis`](https://github.com/panther-labs/panther-analysis) and use the [`panther_analysis_tool` (PAT)](/panther-developer-workflows/detections-repo/pat.md) to upload the MISP warning lists enrichment tables.
  * To enable the MISP warning lists tables using the [`panther-analysis`](https://github.com/panther-labs/panther-analysis) repository, make sure to open each corresponding YAML configuration file and set `enabled: true`.
* It is possible for CLI users to enable MISP warning lists enrichment via Detection Packs (as is shown in the **Console** tab), as long as you do not customize the MISP warning lists tables using PAT.
  * If you choose to manage MISP warning lists enrichment through PAT after enabling it in the Panther Console, you must first disable the Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage MISP warning lists is not supported.
* For more information on how to manage MISP warning lists enrichment, please see the [MISP files in the `panther-analysis` GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/lookup_tables/misp).
{% endtab %}
{% endtabs %}

## Example event enriched with MISP warning lists data

Below is a [`Snowflake.LoginHistory`](https://docs.panther.com/enrichment/pages/BMmGax6tT4tPDDM7IeqG#snowflake.loginhistory) log enriched with MISP data. The `misp_warning_lists` object within `p_enrichment` contains additional information about an IP address found in the `p_any_ip_addresses` field.

```json
{
    "p_enrichment": {
        "misp_warning_lists": {
            "p_any_ip_addresses": [
                {
                    "cidr": "35.160.0.0/12",
                    "p_match": "35.166.231.222",
                    "warning_lists": [
                        {
                            "description": "Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)",
                            "id": "amazon-aws",
                            "name": "List of known Amazon AWS IP address ranges",
                            "version": 20250719
                        }
                    ]
                }
            ]
        }
    },
    "CLIENT_IP": "35.166.231.222",
    "EVENT_ID": "1829252345804554",
    "EVENT_TIMESTAMP": "2025-09-08 10:42:59.934000000",
    "EVENT_TYPE": "LOGIN",
    "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
    "IS_SUCCESS": "YES",
    "RELATED_EVENT_ID": "0",
    "REPORTED_CLIENT_TYPE": "GO_DRIVER",
    "REPORTED_CLIENT_VERSION": "1.13.2",
    "USER_NAME": "SOME_USER"
}
```
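
One way to read this enrichment when triaging an IoC hit, as an added example that is not Panther's own code. It works on the event as a plain dictionary; the function names and the `likely_false_positive` policy are assumptions of this example.

```python
# Constructed sample: the enrichment object from the event above, other fields trimmed.
SAMPLE_EVENT = {
    "p_enrichment": {"misp_warning_lists": {"p_any_ip_addresses": [{
        "cidr": "35.160.0.0/12",
        "p_match": "35.166.231.222",
        "warning_lists": [{"id": "amazon-aws", "version": 20250719,
                           "name": "List of known Amazon AWS IP address ranges"}],
    }]}},
    "CLIENT_IP": "35.166.231.222",
}


def warning_list_hits(event):
    """Map each matched IP to the sorted IDs of the warning lists containing it."""
    misp = (event.get("p_enrichment") or {}).get("misp_warning_lists") or {}
    hits = {}
    for entry in misp.get("p_any_ip_addresses") or []:
        ip = entry.get("p_match")
        if not ip:
            continue  # malformed entry without a matched address
        ids = {wl["id"] for wl in entry.get("warning_lists") or [] if wl.get("id")}
        # The same IP can match several CIDRs; merge their list IDs.
        hits.setdefault(ip, set()).update(ids)
    return {ip: sorted(ids) for ip, ids in hits.items()}


def ioc_context(event, flagged_ip):
    """Context for an IoC hit on flagged_ip. Policy here is an assumption of this
    example: a warning-list match marks the hit for review, it does not drop it."""
    lists = warning_list_hits(event).get(flagged_ip, [])
    return {"ip": flagged_ip, "warning_lists": lists,
            "likely_false_positive": bool(lists)}
```

Keeping the list IDs in the output lets an analyst see which list produced the match, which matters because a shared cloud range and a single well-known service address carry different weight.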


