Ja3er

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Query the ja3er API for MD5 hashes of JA3 fingerprints.

Configure Ja3er on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Ja3er.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Trust any certificate (not secure)False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ja3-search#


Search for "User-Agents" matching an MD5 hash of a JA3 fingerprint.

Base Command#

ja3-search

Input#

Argument NameDescriptionRequired
JA3MD5 hash of the JA3 fingerprint.Required

Context Output#

PathTypeDescription
JA3.CountNumberNumber of times seen
JA3.Last_seenDateLast seen date
JA3.User-AgentStringUser-Agent

Command Example#

!ja3-search JA3=dda20ec0e6a8d4279860

Context Example#

{
"JA3": {
"dda20ec0e6a8d4279860": [
{
"Count": 45,
"Last_seen": "2020-12-03 19:19:15",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.60 Safari/537.36"
},
{
"Count": 32,
"Last_seen": "2021-02-11 20:41:53",
"User-Agent": "PostmanRuntime/7.26.8"
},
{
"Count": 22,
"Last_seen": "2020-07-14 10:18:18",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
}
]
}
}

Human Readable Output#

Search results for dda20ec0e6a8d4279860#

CountLast_seenUser-Agent
452020-12-03 19:19:15Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.60 Safari/537.36
322021-02-11 20:41:53PostmanRuntime/7.26.8
222020-07-14 10:18:18Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36