
Support on 'to_ids' and 'warning_list'

Open · Moorocks opened this issue · 1 comment

Hi @remg427 ,

When I read the documentation about warning list it says:

"By default MISP will only trigger hits for warninglists if the attribute IDS flag is set. This behavior can be changed by setting the MISP config parameter MISP.warning_for_all to true."

I have set the MISP.warning_for_all=true in MISP UI (website).

I have 3 queries in regard to this:

  1. Let's say that Splunk pulled the threat feed today and we found out that a few legitimate domains were added to the feed. So I added these values to the warning lists in the MISP UI. Will Splunk set the 'to_ids' parameter to false automatically for those values?
  2. What is the purpose of setting warning_list=true? Does this mean that Splunk will return the values within the warning list?
  3. Is it a best practice to include both (warning_list=true and to_ids=true), or is it fine if I use only to_ids=true?

Moorocks · Sep 27 '23 09:09

Hello, it's also not clear to me how an IoC can be disabled. The IDS flag is set to off in MISP, but on the Splunk side, how will the IoC be disabled?

riccardosl · Oct 27 '23 13:10