TLS fingerprinting is available with the 7.1.0 release of Carbon Black EDR (for Carbon Black EDR Windows 7.0.0 and higher sensors only). It provides additional endpoint telemetry that can be delivered to the Carbon Black EDR server and used to narrow investigations of known malware by identifying known TLS fingerprints.

TLS fingerprints can be specified as IOCs in custom threat feeds. See Threat Intelligence Feeds.

TLS fingerprints can be used in the following ways.

Process Search

TLS fingerprints are searchable via Process Search. See Overview of Process Search. For example:

[Screenshot: cbr-ja3-search]

Process Analysis

TLS fingerprints are displayed on the Process Analysis page (under netconn events) and are available as quick filters. See Process Search and Analysis and Process Event Filters.

Watchlists

TLS fingerprints can be used in watchlists. See Watchlists. For example, to create a TLS fingerprint watchlist:

[Screenshot: cbr-ja3-create-watchlist]

In addition, TLS fingerprints can trigger an alert, email or syslog event.