Ja3 Hashes are cross-referenced with a database to provide more information on a particular incident or notable event. To view the information for a Ja3 hash:
-
Click the Hunt tab, and then click Activity.
The Activity page appears and displays the dynamic chart and Hunt Activity table with a list of the most recent incidents.
If any instance of Ja3HashInvestigationArtifact is present in the Hunt Activity table, do one of the following:Click Ja3HashInvestigationArtifact in the legend under the dynamic chart.Type entry_type:*Ja3HashInvestigationArtifact* in the Discover search bar and initiate the search.A list of the Ja3Hash events appears in the Hunt Activity table. -
Click the + icon to the left of the Timestamp for an event.
Two tabs appear below that event. -
Click the JSON tab.
The JSON tab appears with a list of values, including _score and _source. -
To expand the JSON tab, click the _source value.
Additional values appear, including ja3hash_info. -
Click the ja3hash_info value to view additional details.