MISP Warning Lists (Beta)
Enrich incoming events with indicator context from MISP warning lists
Overview
Malware Information Sharing Platform (MISP) warning lists are collections of known, non-malicious indicators that are commonly associated with false positives or errors in threat intelligence. This context helps you evaluate the relevance and validity of Indicators of Compromise (IoCs): a hit on a warning list tells you the indicator belongs to widely used infrastructure (a cloud provider's address space, for example), not that the activity behind it is benign.
The misp-warninglists repository on GitHub (https://github.com/MISP/misp-warninglists) contains a comprehensive collection of these lists.
Learn how to view stored Enrichment Provider data here, and how to view log events with enrichment data here.
How MISP enrichment works
When the MISP warning lists Enrichment Provider is enabled:
If an incoming log has the p_any_ip_addresses field, each value it contains is checked against every MISP warning list whose "type" is "cidr". Lists of other types (hostnames, strings, regular expressions) are not consulted for IP enrichment.
If an IP address in p_any_ip_addresses falls inside a CIDR from any cidr-type MISP warning list, a misp_warning_lists object is added to the log's p_enrichment object. Logs without the p_any_ip_addresses field, and logs whose IPs match no list, are left unchanged.
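The following is an added, offline model of the matching step described above; it is example code written for this page, not Panther's or MISP's implementation. The warning-list structure follows the list.json layout of the misp-warninglists repository (the directory name serves as the list id); the amazon-aws entry reuses the 35.160.0.0/12 range from the enriched event later on this page, while every other CIDR and the second and third lists are constructed for illustration. Grouping matches by (matched IP, CIDR) is an assumption about how several lists sharing a range are combined.

```python
"""Offline model of MISP warning-list enrichment keyed on p_any_ip_addresses (added example)."""
import copy
import ipaddress
import json
from typing import Any

# Constructed sample of warning lists in the shape of the misp-warninglists
# repository's list.json files, keyed by list id. Only 35.160.0.0/12 comes from
# the event on this page; the IPv6 range and the other two lists are made up.
WARNING_LISTS: dict[str, dict[str, Any]] = {
    "amazon-aws": {
        "name": "List of known Amazon AWS IP address ranges",
        "description": "Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)",
        "version": 20250719,
        "type": "cidr",
        "list": ["35.160.0.0/12", "2600:1f00::/24"],  # IPv6 entry is constructed
    },
    "example-corp-vpn": {  # hypothetical list, constructed for this example
        "name": "Example Corp VPN egress (hypothetical)",
        "description": "Constructed for this example",
        "version": 20250101,
        "type": "cidr",
        "list": ["35.166.231.0/24", "not a cidr"],  # malformed entry on purpose
    },
    "example-domains": {  # non-cidr lists are never consulted for IP values
        "name": "Constructed hostname list",
        "description": "Constructed for this example",
        "version": 20250101,
        "type": "string",
        "list": ["example.com"],
    },
}


def _cidr_lists(warning_lists):
    """Parse every "type": "cidr" list once; skip lists of other types and bad entries."""
    parsed = []
    for list_id, wl in warning_lists.items():
        if wl.get("type") != "cidr":
            continue
        for cidr in wl.get("list", []):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                continue  # one malformed entry must not break enrichment for the rest
            parsed.append((net, cidr, list_id, wl))
    return parsed


def enrich(event, warning_lists=WARNING_LISTS):
    """Return a copy of `event` with p_enrichment.misp_warning_lists added when any
    value in p_any_ip_addresses falls inside a CIDR from a cidr-type warning list."""
    enriched = copy.deepcopy(event)
    ips = event.get("p_any_ip_addresses")
    if not ips:
        return enriched  # no field, nothing to enrich

    cidr_lists = _cidr_lists(warning_lists)
    matches = {}  # (matched ip, cidr) -> entry, so lists sharing a range are merged
    for raw in ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # p_any_ip_addresses should only hold IPs, but stay defensive
        for net, cidr, list_id, wl in cidr_lists:
            if ip.version != net.version or ip not in net:
                continue  # IPv4 values never match IPv6 ranges and vice versa
            entry = matches.setdefault(
                (raw, cidr), {"cidr": cidr, "p_match": raw, "warning_lists": []}
            )
            entry["warning_lists"].append({
                "description": wl["description"],
                "id": list_id,
                "name": wl["name"],
                "version": wl["version"],
            })
    if not matches:
        return enriched  # no hit: the log gets no misp_warning_lists object
    enriched.setdefault("p_enrichment", {})["misp_warning_lists"] = {
        "p_any_ip_addresses": list(matches.values())
    }
    return enriched


if __name__ == "__main__":
    sample = {"CLIENT_IP": "35.166.231.222", "p_any_ip_addresses": ["35.166.231.222"]}
    print(json.dumps(enrich(sample), indent=2))
```

Running the module prints the sample event with two entries under p_any_ip_addresses: one for the amazon-aws /12 and one for the constructed /24, each carrying p_match so a rule can tell which address produced the hit. Note that the match is against the whole p_any_ip_addresses list, so a hit does not by itself say whether it was CLIENT_IP or some other address in the log that landed in the range.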
Setting up MISP warning lists enrichment
How to set up MISP warning lists enrichment in the Panther Console
In the left-hand navigation bar in your Panther Console, click Detections.
Click the Packs tab.
Search for "MISP," and on the MISP Warning Lists Lookup Tables tile, click the Enabled toggle ON.
In the pop-up confirmation modal, click Continue.
To verify the Lookup Table is enabled, from the left sidebar menu, click Configure > Enrichment Providers.
On this page, you can see Panther-managed Enrichment Providers. You can also see whether each source is currently enabled or disabled, and when a source’s data was last refreshed.
Example event enriched with MISP warning lists data
Below is a Snowflake.LoginHistory log enriched with MISP data. The misp_warning_lists object within p_enrichment contains additional information about an IP address found in the p_any_ip_addresses field; p_match records which address produced the hit, and cidr records the range it fell inside.
{
  "p_enrichment": {
    "misp_warning_lists": {
      "p_any_ip_addresses": [
        {
          "cidr": "35.160.0.0/12",
          "p_match": "35.166.231.222",
          "warning_lists": [
            {
              "description": "Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)",
              "id": "amazon-aws",
              "name": "List of known Amazon AWS IP address ranges",
              "version": 20250719
            }
          ]
        }
      ]
    }
  },
  "CLIENT_IP": "35.166.231.222",
  "EVENT_ID": "1829252345804554",
  "EVENT_TIMESTAMP": "2025-09-08 10:42:59.934000000",
  "EVENT_TYPE": "LOGIN",
  "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
  "IS_SUCCESS": "YES",
  "RELATED_EVENT_ID": "0",
  "REPORTED_CLIENT_TYPE": "GO_DRIVER",
  "REPORTED_CLIENT_VERSION": "1.13.2",
  "USER_NAME": "SOME_USER"
}
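The following added example shows how a Python rule can consume this enrichment. It is written for this page and is not a Panther-managed rule; the deep_get helper is a minimal stand-in for Panther's own helper so the code runs on a plain dict, the sample event is a trimmed copy of the one above, and the detection policy (flag successful password-only Snowflake logins, lower the severity when CLIENT_IP is in a known AWS range) is hypothetical.

```python
"""Consuming misp_warning_lists context in a Panther-style Python rule (added example)."""
from typing import Any

# Constructed copy of the enriched Snowflake.LoginHistory event shown above,
# trimmed to the fields the rule reads.
SAMPLE_EVENT: dict[str, Any] = {
    "p_enrichment": {
        "misp_warning_lists": {
            "p_any_ip_addresses": [
                {
                    "cidr": "35.160.0.0/12",
                    "p_match": "35.166.231.222",
                    "warning_lists": [
                        {
                            "description": "Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)",
                            "id": "amazon-aws",
                            "name": "List of known Amazon AWS IP address ranges",
                            "version": 20250719,
                        }
                    ],
                }
            ]
        }
    },
    "CLIENT_IP": "35.166.231.222",
    "EVENT_TYPE": "LOGIN",
    "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
    "IS_SUCCESS": "YES",
    "REPORTED_CLIENT_TYPE": "GO_DRIVER",
    "USER_NAME": "SOME_USER",
}


def deep_get(obj, *keys, default=None):
    """Minimal stand-in for Panther's deep_get helper so this runs on a plain dict."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def warning_list_ids_for(event, ip):
    """Return the ids of every warning list whose CIDR matched `ip`.

    The enrichment is keyed on p_any_ip_addresses, which can hold several
    addresses from one log. Comparing p_match to the field you care about is
    what ties a hit back to CLIENT_IP rather than some other address.
    """
    ids = set()
    entries = deep_get(event, "p_enrichment", "misp_warning_lists",
                       "p_any_ip_addresses", default=[])
    for entry in entries:
        if entry.get("p_match") == ip:
            ids.update(wl["id"] for wl in entry.get("warning_lists", []))
    return ids


# Hypothetical rule: successful Snowflake logins whose first factor was a password.
def rule(event):
    return (
        event.get("EVENT_TYPE") == "LOGIN"
        and event.get("IS_SUCCESS") == "YES"
        and event.get("FIRST_AUTHENTICATION_FACTOR") == "PASSWORD"
    )


def severity(event):
    """Hypothetical policy: lower priority when CLIENT_IP is in a known AWS range."""
    ids = warning_list_ids_for(event, event.get("CLIENT_IP"))
    return "LOW" if "amazon-aws" in ids else "HIGH"


def title(event):
    ids = sorted(warning_list_ids_for(event, event.get("CLIENT_IP")))
    context = f" (source IP on warning lists: {', '.join(ids)})" if ids else ""
    return (f"Password-only Snowflake login for {event.get('USER_NAME')} "
            f"from {event.get('CLIENT_IP')}{context}")
```

Two things to keep in mind when writing rules like this: an unenriched event has no p_enrichment key at all, so every lookup must tolerate its absence (the helper returns an empty list in that case and the rule falls back to its default severity), and a hit on a public-cloud list only says the address belongs to that provider, which attackers use as readily as anyone, so it justifies added context or a lower priority, not automatic suppression.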