Skip to main content

JARM

Active TLS fingerprinting using JARM

Configure JARM on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for JARM.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

jarm-fingerprint#


Calculate JARM fingerprint by scanning host with multiple TLS packets.

Base Command#

jarm-fingerprint

Input#

Argument NameDescriptionRequired
hostFQDN or IP address to fingerprint. Also supports [https://fqdn:port] format.Required
portPort to fingerprint. If provided overrides the port specified in the host parameter. Default is 443.Optional

Context Output#

PathTypeDescription
JARM.FQDNStringFQDN of the host.
JARM.IPStringIP Address of the host.
JARM.PortNumberTCP port
JARM.TargetStringThe host in the format [IP or FQDN]:Port
JARM.FingerprintStringJARM fingerprint of the host.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.

Command Example#

!jarm-fingerprint host="google.com" port=443

Context Example#

{
"DBotScore": [
{
"Indicator": "27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92252d",
"Score": 0,
"Type": "jarm",
"Vendor": "JARM"
}
],
"JARM": {
"FQDN": "google.com",
"Fingerprint": "27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92252d",
"Port": 443,
"Target": "google.com:443"
}
}

Human Readable Output#

Results#

FQDNFingerprintPortTarget
google.com27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92252d443google.com:443