# JA3 Fingerprint Blacklist
#### Source: https://sslbl.abuse.ch/blacklist/#ja3-fingerprints-csv
#### Feed information: https://sslbl.abuse.ch/blacklist/#ja3-fingerprints-csv
#### Feed link: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv
### Defender For Endpoint
```KQL
// Load the raw feed as one text column per line; comment and header lines are dropped by the extract step below
let JA3Feed = externaldata(ja3_md5:string) [@"https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv"] with (format="txt", ignoreFirstRecord=True);
// Extract JA3 Hashes From Feed (first 32-character hex token per line, deduplicated)
let ExtractedJA3Hashes = JA3Feed
| extend JA3Hash = extract('[a-f0-9]{32}', 0, ja3_md5)
| where isnotempty(JA3Hash)
| distinct JA3Hash;
// Match the JA3 recorded in AdditionalFields against the feed; in~ compares case-insensitively
DeviceNetworkEvents
| where isnotempty(parse_json(AdditionalFields).ja3)
| extend JA3 = tostring(parse_json(AdditionalFields).ja3)
| where JA3 in~ (ExtractedJA3Hashes)
| project-reorder Timestamp, DeviceName, RemoteIP, RemoteUrl, JA3
```
### Sentinel
```KQL
// Load the raw feed as one text column per line; comment and header lines are dropped by the extract step below
let JA3Feed = externaldata(ja3_md5:string) [@"https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv"] with (format="txt", ignoreFirstRecord=True);
// Extract JA3 Hashes From Feed (first 32-character hex token per line, deduplicated)
let ExtractedJA3Hashes = JA3Feed
| extend JA3Hash = extract('[a-f0-9]{32}', 0, ja3_md5)
| where isnotempty(JA3Hash)
| distinct JA3Hash;
// Match the JA3 recorded in AdditionalFields against the feed; in~ compares case-insensitively
DeviceNetworkEvents
| where isnotempty(parse_json(AdditionalFields).ja3)
| extend JA3 = tostring(parse_json(AdditionalFields).ja3)
| where JA3 in~ (ExtractedJA3Hashes)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemoteUrl, JA3
```
This query retrieves JA3 fingerprints from the abuse.ch blacklist feed and matches them against DeviceNetworkEvents to identify potentially malicious TLS activity. It extracts the 32-character JA3 hashes from the feed, then compares them case-insensitively with the JA3 value recorded in each event's AdditionalFields and flags any matches. The results include the timestamp, device name, remote IP, remote URL, and the matching JA3 fingerprint.
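The same two-stage logic as the query above, as an added Python example that is not part of the original page or the author's query repository, run offline over constructed feed rows and DeviceNetworkEvents-style records. The feed column names and every hash value here are made up; the feed parsing mirrors the query's case-sensitive `extract()` and the event matching mirrors `in~`.

```python
import json
import re

# Constructed sample in the abuse.ch JA3 CSV layout; hashes and column names are made up.
SAMPLE_FEED = """\
# abuse.ch SSLBL JA3 Fingerprint Blacklist (constructed sample)
# ja3_md5,FirstSeen,LastSeen,ListingReason
0123456789abcdef0123456789abcdef,2024-01-01 00:00:00,2024-06-01 00:00:00,ExampleMalware C2
fedcba9876543210fedcba9876543210,2024-02-01 00:00:00,2024-06-01 00:00:00,ExampleLoader
not-a-hash,,,malformed row
"""
# Constructed DeviceNetworkEvents rows; AdditionalFields is a JSON string, as in MDE.
def _event(name, ip, url, additional_fields):
    return {"Timestamp": "2024-06-29T10:00:00Z", "DeviceName": name, "RemoteIP": ip,
            "RemoteUrl": url, "AdditionalFields": additional_fields}
SAMPLE_EVENTS = [
    _event("ws01", "203.0.113.10", "example.net", json.dumps({"ja3": "0123456789ABCDEF0123456789ABCDEF"})),
    _event("ws02", "203.0.113.11", "example.org", json.dumps({"ja3": "ab" * 16})),  # not on the feed
    _event("ws03", "203.0.113.12", "", json.dumps({"direction": "Outbound"})),      # no ja3 key
    _event("ws04", "203.0.113.13", "", "not json"),                                 # unparseable
]
# Same pattern as the query's extract(): case-sensitive, so the feed must be lowercase hex.
HASH_RE = re.compile(r"[a-f0-9]{32}")

def extract_ja3_hashes(feed_text):
    """JA3Feed half: first 32-hex token per row, comment/malformed rows dropped, distinct set."""
    hashes = set()
    for line in feed_text.splitlines():
        if line.startswith("#"):
            continue
        m = HASH_RE.search(line)
        if m:
            hashes.add(m.group(0))
    return hashes

def match_events(events, blacklist):
    """DeviceNetworkEvents half: parse AdditionalFields, require ja3, match like in~, project."""
    hits = []
    for ev in events:
        try:
            fields = json.loads(ev["AdditionalFields"])
        except ValueError:
            continue  # parse_json() yields nothing usable, so .ja3 is empty and the row drops
        ja3 = fields.get("ja3") if isinstance(fields, dict) else None
        if not ja3 or str(ja3).lower() not in blacklist:
            continue
        hits.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                     "RemoteIP": ev["RemoteIP"], "RemoteUrl": ev["RemoteUrl"], "JA3": ja3})
    return hits
```

Only ws01 is reported: its JA3 differs from the feed entry only by letter case, which is exactly what `in~` tolerates and a case-sensitive `in` would miss.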

Bert-Jan Pals
Released: June 29, 2024