From f063e2e63894034cd1d166e5f5313ea2ba2f7c75 Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Wed, 15 May 2019 13:28:02 +0200 Subject: [PATCH] Update README.md --- faq/README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/faq/README.md b/faq/README.md index cb65b33..41e3c18 100644 --- a/faq/README.md +++ b/faq/README.md @@ -374,6 +374,22 @@ SG Option 2 (b has to pull from C): This is not possible yet. What you can do at the moment: Create a new event and extend it with the other (foreign) event. + +## How to use the enforceWarninglist parameter in REST search? + +If you would like to export IoCs, for example into a suricata rule and exclude all values matching your warning lists, you can use the following: + +``` +{ + "returnFormat": "suricata", + "eventid": "24344", + "published": 0, + "enforceWarninglist": 1 +} +``` + +Keep in mind that unpublished events need the `"published": 0` parameter in order to be exported. +
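Review bot: The new FAQ entry names "REST search" but never says which endpoint the JSON body is posted to, so a reader cannot tell whether it targets the events or the attributes search; add the URL path above the example (one line of `POST <endpoint> with the following body:` is enough). Two smaller points in the same hunk: the fence should be tagged ` ```json ` so the body is highlighted like the other examples, and the literal `"eventid": "24344"` reads as a real event rather than a placeholder, so either label it as an example value in the surrounding text or swap in something obviously illustrative. The closing sentence about `"published": 0` would also be clearer if it stated what the export returns when the key is omitted, since the example only shows the case where it is set.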