feat: Add JA3/S and JA4 hashing algorithms.
An increasing number of EDR products (AFAIK - Carbon Black & MDE) are capable of network level inspection and calculating JA3 to identify malicious network communication. This feature request proposes adding JA3 and JA4 to hashing algorithms.
Can you show me a screenshot of CB and MDE that contain those hashes?
@tsale For MDE the JA3 / JA3S hashes are stored in the DeviceNetworkEvents table:
Can confirm that Uptycs also collects JA3 telemetry for SSL connections.
This could be a helpful feature, especially with the challenges of so few EDRs having HTTP visibility. One challenge we might have is that JA3 has some known issues, and JA4 is really the standard that should be used now.
Alternatively, if an EDR captures the HELO SSL traffic, they can generate the JA3/4 with that data.
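As an added example (not code from this thread or from the project), this is the JA3 computation the comment above refers to, run over a constructed ClientHello record; the sample bytes are made up for illustration and the JA4 variant is not implemented here.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection, so JA3 drops them.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _u16s(buf):
    return [int.from_bytes(buf[i:i + 2], "big") for i in range(0, len(buf), 2)]


def parse_client_hello(record):
    """Extract the five JA3 fields from a raw TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record with a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session_id
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = _u16s(body[pos:pos + n]); pos += n
    pos += 1 + body[pos]                          # compression_methods
    exts, groups, formats = [], [], []
    if pos < len(body):                           # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos < end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]; pos += 4 + elen
            exts.append(etype)
            if etype == 10:                       # supported_groups: u16 length, u16 ids
                groups = _u16s(data[2:2 + int.from_bytes(data[0:2], "big")])
            elif etype == 11:                     # ec_point_formats: u8 length, u8 ids
                formats = list(data[1:1 + data[0]])
    return version, ciphers, exts, groups, formats


def ja3_string(record):
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    keep = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(version), keep(ciphers), keep(exts), keep(groups), keep(formats)])


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed ClientHello (not a real capture): TLS 1.2, a GREASE cipher followed by
# TLS_AES_128_GCM_SHA256 and two ECDHE suites; extensions GREASE, SNI, supported_groups
# (x25519, secp256r1), ec_point_formats (uncompressed) and extended_master_secret.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "1603010051" "0100004d" "0303" + "00" * 32 + "00" "0008" "1a1a1301c02bc02f"
    "0100" "001c" "0a0a0000" "00000000" "000a0006" "0004001d0017" "000b0002" "0100" "00170000")
```

Running `ja3_string(SAMPLE_CLIENT_HELLO)` yields `771,4865-49195-49199,0-10-11-23,29-23,0`, and `ja3_hash` is the MD5 of that string, which is the value an EDR would match against a blocklist.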
We're exploring the possibility of adding this as a new sub-category and marking the EDRs mentioned in this thread as implemented.
@joshlemon & @xg5-simon - Could you please provide some evidence here or to me privately?
Implemented - #122 - Thank you, everyone!!