JA3 Fingerprint Blacklist
TI Feed Ja3blacklist
Query
let JA3Feed = externaldata(ja3_md5:string) [@"https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv"] with (format="txt", ignoreFirstRecord=True);
// Extract JA3 Hashes From Feed
let ExtractedJA3Hashes = JA3Feed
| extend JA3Hash = extract('[a-f0-9]{32}', 0, ja3_md5)
| where isnotempty(JA3Hash)
| distinct JA3Hash;
DeviceNetworkEvents
| where isnotempty(parse_json(AdditionalFields).ja3)
| extend JA3 = tostring(parse_json(AdditionalFields).ja3)
| where JA3 in~ (ExtractedJA3Hashes)
| project-reorder Timestamp, DeviceName, RemoteIP, RemoteUrl, JA3About this query
JA3 Fingerprint Blacklist
Source: https://sslbl.abuse.ch/blacklist/#ja3-fingerprints-csv
Feed information: https://sslbl.abuse.ch/blacklist/#ja3-fingerprints-csv
Feed link: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv
Defender XDR
Sentinel
let JA3Feed = externaldata(ja3_md5:string) [@"https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv"] with (format="txt", ignoreFirstRecord=True);
// Extract JA3 Hashes From Feed
let ExtractedJA3Hashes = JA3Feed
| extend JA3Hash = extract('[a-f0-9]{32}', 0, ja3_md5)
| where isnotempty(JA3Hash)
| distinct JA3Hash;
DeviceNetworkEvents
| where isnotempty(parse_json(AdditionalFields).ja3)
| extend JA3 = tostring(parse_json(AdditionalFields).ja3)
| where JA3 in~ (ExtractedJA3Hashes)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemoteUrl, JA3
Explanation
This query is designed to identify network events on devices that match known malicious JA3 fingerprints. JA3 fingerprints are used to identify SSL/TLS clients based on their handshake characteristics, which can be useful for detecting malicious activity.
Here's a simple breakdown of what the query does:
-
JA3 Fingerprint Blacklist Source: The query uses a blacklist of JA3 fingerprints from a source that tracks malicious SSL/TLS clients.
-
Loading the Blacklist: It loads the blacklist data from a CSV file hosted online. This file contains JA3 hashes, which are unique identifiers for SSL/TLS client configurations.
-
Extracting JA3 Hashes: The query extracts valid JA3 hashes from the blacklist data. It ensures that only non-empty, distinct hashes are considered.
-
Device Network Events: The query then examines network events from devices, specifically looking at additional fields in the event data to find JA3 fingerprints.
-
Matching Against Blacklist: It checks if the JA3 fingerprints from the device network events match any of the extracted JA3 hashes from the blacklist.
-
Output: For any matches found, the query outputs relevant information such as the timestamp, device name, remote IP, remote URL, and the JA3 fingerprint itself. The output columns are slightly different between the Defender XDR and Sentinel versions, with the main difference being the timestamp column name (
Timestampvs.TimeGenerated).
In summary, this query helps in identifying potentially malicious network activities by comparing device network events against a known blacklist of JA3 fingerprints.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators