With so much network traffic now encrypted, spotting threats without decrypting it has become a real challenge. That is why many SOC, CERT and CSIRT teams are turning to TLS fingerprinting techniques such as JA4, which characterize a connection from the way its handshake is built rather than from the payload, so no decryption is needed.
JA4+ Fingerprinting: The new weapon for analysts, now integrated into TheHive

JA4 is a modern method for fingerprinting encrypted network traffic by analyzing how connections are made—without decrypting them. It helps identify tools, behaviors or threats based on their connection patterns, like recognizing a person by their outfit.
Before JA4, its predecessor JA3 laid the groundwork for this technique. JA3 builds an MD5 hash over the cipher suites and extensions exactly as the client lists them, so it started showing its limitations once clients began inserting GREASE values (random reserved values defined in RFC 8701 to keep middleboxes from ossifying the protocol) and, more recently, shuffling the order of their TLS extensions on every connection. Neither mechanism was designed to evade detection, but the effect on defenders is the same: one client produces many different JA3 hashes, and a JA3-based IOC quietly stops matching.
This is where JA4 comes in—a more robust, readable and operationally adapted fingerprinting method for incident response teams.
Did you know that JA4 signatures can now be natively analyzed and correlated in TheHive, our Security Case Management Platform?
What is JA4+ Fingerprinting?
JA3 was developed at Salesforce; JA4 is its successor, created by FoxIO with a structure designed to survive the randomization that broke JA3. FoxIO then extended the approach beyond TLS with the JA4+ suite, which makes it possible to identify clients, servers and network behavior based not only on TLS characteristics but also on HTTP, TCP, SSH and X.509 certificates.
The JA4+ suite includes 10 fingerprinting methods:

| Full name | Short name | Description |
| --- | --- | --- |
| JA4 | JA4 | TLS client fingerprinting |
| JA4Server | JA4S | TLS server response / session fingerprinting |
| JA4HTTP | JA4H | HTTP client fingerprinting |
| JA4Latency | JA4L | Client to server latency measurement |
| JA4LatencyServer | JA4LS | Server to client latency measurement |
| JA4X509 | JA4X | X.509 TLS certificate fingerprinting |
| JA4SSH | JA4SSH | SSH traffic fingerprinting |
| JA4TCP | JA4T | TCP client fingerprinting |
| JA4TCPServer | JA4TS | TCP server response fingerprinting |
| JA4TCPScan | JA4TScan | Active TCP fingerprint scanner |
Each fingerprint is composed of readable, structured segments separated by underscores: a JA4 (TLS client) value starts with a plain-text header (transport, TLS version, whether an SNI is present, cipher and extension counts, ALPN), followed by a truncated SHA-256 of the cipher suites and a truncated SHA-256 of the extensions and signature algorithms. This allows for easier interpretation and more precise searching, since the header alone can be matched or filtered on. Unlike JA3, JA4 sorts the cipher suites and the extensions by their numeric value before hashing them (a raw variant that keeps the original order exists for cases where that order is itself the signal), so a client that shuffles its extensions on every connection still yields the same fingerprint.
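The following is an added example written for this article, not FoxIO's reference implementation, that computes a JA4 fingerprint from the already-parsed fields of a ClientHello (supplied as a dict rather than read from packets, so it runs without a capture library). The sample ClientHello is constructed for the example and mixes in GREASE values; the point it demonstrates is that shuffling the extension order, as modern browsers do, leaves the JA4 value unchanged.

```python
"""Compute a JA4 (TLS client) fingerprint from parsed ClientHello fields.

Added example, not FoxIO's reference code. Works on a dict of parsed
ClientHello fields instead of raw packets. The sample data is constructed.
"""
import hashlib
import random

# TLS version values (from supported_versions or the hello header) mapped to
# the two-character codes JA4 uses in its header segment.
TLS_VERSIONS = {
    0x0304: "13", 0x0303: "12", 0x0302: "11",
    0x0301: "10", 0x0300: "s3", 0x0002: "s2",
}
SNI_EXT, ALPN_EXT, SUPPORTED_VERSIONS_EXT = 0x0000, 0x0010, 0x002b


def is_grease(value: int) -> bool:
    """True for RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa)."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)


def _short_hash(text: str) -> str:
    """JA4 keeps the first 12 hex chars of SHA-256; an empty list becomes zeros."""
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "0" * 12


def ja4(hello: dict, transport: str = "t") -> dict:
    """Return {"ja4": ..., "ja4_r": ...}; transport is t (TCP), q (QUIC) or d (DTLS)."""
    ciphers = [c for c in hello["ciphers"] if not is_grease(c)]
    exts = [e for e in hello["extensions"] if not is_grease(e)]

    # Version: highest non-GREASE value in supported_versions when that
    # extension is present, otherwise the legacy ClientHello version field.
    offered = [v for v in hello.get("supported_versions", []) if not is_grease(v)]
    version = max(offered) if SUPPORTED_VERSIONS_EXT in exts and offered else hello["version"]

    sni = "d" if SNI_EXT in exts else "i"          # d = SNI present, i = none (IP)
    alpn = hello.get("alpn") or []
    # First and last character of the first ALPN value, "00" if none.
    # Simplification: assumes printable ALPN identifiers such as "h2".
    alpn_code = alpn[0][0] + alpn[0][-1] if alpn else "00"

    ja4_a = (f"{transport}{TLS_VERSIONS.get(version, '00')}{sni}"
             f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_code}")

    # Ciphers and extensions are sorted by value before hashing, which is what
    # makes the fingerprint immune to client-side reordering. SNI and ALPN are
    # left out of the extension hash (but still counted above); signature
    # algorithms are appended in their original order.
    sorted_ciphers = ",".join(f"{c:04x}" for c in sorted(ciphers))
    sorted_exts = ",".join(f"{e:04x}" for e in sorted(exts)
                           if e not in (SNI_EXT, ALPN_EXT))
    sigalgs = ",".join(f"{s:04x}" for s in hello.get("sigalgs", []))
    ext_part = f"{sorted_exts}_{sigalgs}" if sigalgs else sorted_exts

    return {
        "ja4": f"{ja4_a}_{_short_hash(sorted_ciphers)}_{_short_hash(ext_part)}",
        "ja4_r": f"{ja4_a}_{sorted_ciphers}_{ext_part}",
    }


def with_shuffled_extensions(hello: dict, seed: int = 0) -> dict:
    """Copy of hello with the extension order randomised, as modern browsers do."""
    exts = list(hello["extensions"])
    random.Random(seed).shuffle(exts)
    return {**hello, "extensions": exts}


# Constructed sample: a TLS 1.3-capable, browser-style ClientHello with GREASE
# values (0x2a2a, 0x3a3a, 0xdada, 0x4a4a) mixed in. Not taken from a capture.
SAMPLE_HELLO = {
    "version": 0x0303,
    "ciphers": [0x2a2a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
                0xcca9, 0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035],
    "extensions": [0x3a3a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010,
                   0x0005, 0x000d, 0x0012, 0x0033, 0x002d, 0x002b, 0x001b, 0x4469,
                   0x0015, 0xdada],
    "supported_versions": [0x4a4a, 0x0304, 0x0303],
    "alpn": ["h2", "http/1.1"],
    "sigalgs": [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
}

if __name__ == "__main__":
    fp = ja4(SAMPLE_HELLO)
    print("JA4   :", fp["ja4"])
    print("JA4_r :", fp["ja4_r"])
    # Same client, extensions shuffled: a JA3 hash would change, JA4 does not.
    print("stable:", ja4(with_shuffled_extensions(SAMPLE_HELLO, 7))["ja4"] == fp["ja4"])
```

The header segment of the sample comes out as `t13d1516h2` (TCP, TLS 1.3, SNI present, 15 ciphers, 16 extensions, ALPN `h2`), which is readable on its own before any hash is compared; the `ja4_r` form shows the sorted lists that feed the two hashes and is what you would look at when two clients differ only in one cipher or extension.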
Why is JA3 no longer enough?
JA3 was widely adopted but suffers from key limitations:

| Criteria | JA4+ | JA3 |
| --- | --- | --- |
| Sensitive to extension order | No (ciphers and extensions are sorted before hashing) | Yes (hashed in wire order) |
| Ignores GREASE values | Yes | Depends on the implementation |
| Supported protocols | TLS, HTTP, SSH, TCP, X.509 | TLS only |
| Human-readable format | Yes (structured segments) | No (single MD5 hash) |
| Evolvability | Modular and extensible | Limited |
The transition to JA4+ is even more relevant now that major players like Cloudflare, AWS, VirusTotal and NetWitness are adopting it.
Use cases for SOCs, CERTs and CSIRTs
JA4 and JA4H fingerprints can be leveraged in multiple operational contexts to improve detection, triage and investigation workflows:
1. Identify offensive tools
Some JA4 fingerprints are characteristic of the TLS stack bundled with frameworks like Cobalt Strike, Metasploit or other common implants. Once catalogued, such a fingerprint becomes an IOC in itself, with one caveat: it identifies a TLS implementation, so an operator who swaps or reconfigures the tool's TLS stack changes the fingerprint.
2. Detect C2 and malicious infrastructure
Encrypted communications with command servers can be identified by their TLS or HTTP behavior using JA4 and JA4H segments.
3. Reduce false positives
Because JA4 fingerprints are more stable, detections and correlations are more reliable—reducing alert noise.
4. Enrich investigations & pivot efficiently
JA4 fingerprints link multiple events to a shared network behavior, simplifying cross-source analysis.
How it works in TheHive: automated enrichment and correlation
JA4+ analyzer for Cortex
StrangeBee provides a ready-to-use JA4+ analyzer that matches observables against the public FoxIO JA4+ database. It performs exact-match lookups on User-Agent strings or JA4+ fingerprints (across all protocols) directly from TheHive.
A key advantage: the analyzer can safely be run on highly sensitive observables, including TLP:RED, because the comparison is performed locally against a copy of the database and no observable value is sent to an external service.
How to enable the analyzer
It’s included in the StrangeBee catalog. Simply update your analyzer list and activate it in Cortex—no subscription or account needed!
Supported observable types
- User-Agent: The observable is compared against the `user_agent_string` field in the FoxIO database to look for an exact match. This observable type is natively supported in TheHive.
- JA4-Fingerprint: The observable is compared against all fingerprint fields in the FoxIO database to look for an exact match. This observable type must be created in TheHive beforehand. Fields include: `ja4_fingerprint`, `ja4_fingerprint_string`, `ja4s_fingerprint`, `ja4h_fingerprint`, `ja4x_fingerprint`, `ja4t_fingerprint`, `ja4ts_fingerprint`, `ja4tscan_fingerprint`
JA4 enrichment playbook in TheHive
With notifications, you can automatically trigger the JA4 analyzer whenever an observable of type user-agent or ja4-fingerprint is created:
- Trigger: an observable of type user-agent or ja4-fingerprint is created
- Action: run the Cortex JA4 analyzer on the observable
- Result: automatic enrichment (analysis report, tags)
Because the lookup is an exact match, a miss only means the fingerprint is not yet catalogued in the FoxIO database, not that the client is benign.
Benefits of integrating JA4+ into TheHive for SOCs, CERTs and CSIRTs
From faster workflows to deeper context, here’s what security operations teams can expect with JA4+ in TheHive:
- Time savings: Enrich observables and IOCs directly within your Security Case Management Platform
- Visibility: Correlate cases and alerts based on JA4+ observables & IOCs
- Flexibility: Support for all JA4 Fingerprinting methods
A rapidly growing ecosystem
JA4 is being increasingly adopted across the cybersecurity industry. In every segment, leading players are embracing this technology:
- Proxies: Nginx
- NIDS/NDR: Zeek, Suricata, NetQuest, Vectra
- Firewalls/WAF: AWS WAF, Google Cloud Armor, F5 BIG-IP, Fortinet, Cloudflare
- Threat Intel: VirusTotal, MISP, GreyNoise
- SIEM/EDR: NetWitness, Palo Alto Networks XSIAM
- Forensics: Wireshark, Netresec, nfdump
This momentum shows that JA4 is on its way to becoming a standard not only for detecting suspicious events, but also for enriching observables and IOCs.
Best practices for effective use of JA4
Get the most value from JA4 by using it thoughtfully across your detection and investigation workflows:
- Collect JA4 fingerprints in monitoring and detection systems (Proxies, SIEM, WAF…)
- Include fingerprints in TheHive’s alerts and cases to enable correlation with past or future events
- Baseline the fingerprints normally seen in your network and review new or rare ones, which is where unknown tooling shows up first
- Combine multiple methods (e.g., JA4 + JA4H) so that a detection requires agreement between independent layers, which avoids false positives from a single shared TLS library
- Use JA4 as an investigation aid, not a sole decision factor (e.g., don't block traffic based only on it): a fingerprint identifies a TLS implementation, and legitimate software and malware can share one
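To make the use cases above and the best practices just listed concrete, here is an added example written for this article (not code from TheHive, Cortex or FoxIO). It runs over a constructed export of connection records that carry JA4 and JA4H fields, in the one-JSON-object-per-line shape an NDR, proxy or WAF might produce. Every fingerprint value in it is a placeholder with the right shape; the watchlist entry is hypothetical and none of the values is a real indicator. It shows a watchlist rule that fires only when JA4 and JA4H both match, counts the JA4-only near-misses a single-method rule would have alerted on, lists the fingerprints that are rare on the network, and pivots from one fingerprint to every host that used or received it.

```python
"""Detection, baselining and pivoting on JA4/JA4H fields from connection logs.

Added example, not code from TheHive or FoxIO. All records and fingerprint
values below are constructed placeholders, not real indicators.
"""
import json
from collections import Counter

# Constructed log export: one JSON object per line, JA4+ fields included.
# Hash segments such as 111111111111 are deliberately synthetic.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","src":"10.0.0.5","dst":"203.0.113.10","sni":"cdn.example.net","ja4":"t13d1516h2_111111111111_222222222222","ja4h":"ge20cn11enus_333333333333_444444444444_555555555555"}
{"ts":"2024-05-01T10:00:04Z","src":"10.0.0.6","dst":"203.0.113.10","sni":"cdn.example.net","ja4":"t13d1516h2_111111111111_222222222222","ja4h":"ge20cn11enus_333333333333_444444444444_555555555555"}
{"ts":"2024-05-01T10:00:09Z","src":"10.0.0.7","dst":"198.51.100.20","sni":"mail.example.org","ja4":"t13d1516h2_111111111111_222222222222","ja4h":"ge20cn11enus_333333333333_444444444444_555555555555"}
{"ts":"2024-05-01T10:01:12Z","src":"10.0.0.8","dst":"192.0.2.44","sni":"","ja4":"t12d1008h2_666666666666_777777777777","ja4h":"po11nn02enus_888888888888_000000000000_000000000000"}
{"ts":"2024-05-01T10:02:12Z","src":"10.0.0.8","dst":"192.0.2.45","sni":"","ja4":"t12d1008h2_666666666666_777777777777","ja4h":"po11nn02enus_888888888888_000000000000_000000000000"}
{"ts":"2024-05-01T10:03:30Z","src":"10.0.0.9","dst":"203.0.113.10","sni":"cdn.example.net","ja4":"t12d1008h2_666666666666_777777777777","ja4h":"ge20cn11enus_333333333333_444444444444_555555555555"}
{"ts":"2024-05-01T10:04:00Z","src":"10.0.0.10","dst":"198.51.100.99","sni":"","ja4":"t10i040200_999999999999_aaaaaaaaaaaa","ja4h":""}
{"ts":"2024-05-01T10:05:45Z","src":"10.0.0.5","dst":"203.0.113.10","sni":"cdn.example.net","ja4":"t13d1516h2_111111111111_222222222222","ja4h":"ge20cn11enus_333333333333_444444444444_555555555555"}
"""

# Hypothetical watchlist entry. A hit requires the TLS fingerprint (JA4) and
# the HTTP fingerprint (JA4H) to match together; the JA4 alone is shared by a
# benign client in the sample above and would be noisy on its own.
WATCHLIST = [
    {"name": "hypothetical-implant-A",
     "ja4": "t12d1008h2_666666666666_777777777777",
     "ja4h": "po11nn02enus_888888888888_000000000000_000000000000"},
]


def parse_log(text):
    """Parse JSON-lines into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_watchlist(records, watchlist):
    """Confirmed hits need both fingerprints; JA4-only matches are counted
    separately to show how much noise the two-method rule removes."""
    hits, ja4_only = [], 0
    for rec in records:
        for ioc in watchlist:
            if rec.get("ja4") != ioc["ja4"]:
                continue
            if rec.get("ja4h") == ioc["ja4h"]:
                hits.append({"ioc": ioc["name"], "ts": rec["ts"],
                             "src": rec["src"], "dst": rec["dst"]})
            else:
                ja4_only += 1
    return {"hits": hits, "ja4_only": ja4_only}


def rare_fingerprints(records, max_seen=1):
    """JA4 values seen at most max_seen times: the baseline's outliers."""
    counts = Counter(r["ja4"] for r in records if r.get("ja4"))
    return sorted((fp, n) for fp, n in counts.items() if n <= max_seen)


def pivot(records, ja4_value):
    """Every source and destination that shares one JA4 value."""
    srcs = {r["src"] for r in records if r.get("ja4") == ja4_value}
    dsts = {r["dst"] for r in records if r.get("ja4") == ja4_value}
    return {"sources": sorted(srcs), "destinations": sorted(dsts)}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    result = match_watchlist(records, WATCHLIST)
    for hit in result["hits"]:
        print("HIT", hit)
    print("JA4-only near misses suppressed:", result["ja4_only"])
    print("Rare fingerprints:", rare_fingerprints(records))
    print("Pivot:", pivot(records, WATCHLIST[0]["ja4"]))
```

On the sample, the two-method rule fires twice (both from 10.0.0.8) and suppresses the single JA4-only match from 10.0.0.9, the scanner-like fingerprint that appeared once surfaces as the rare outlier, and the pivot on the watchlisted JA4 returns the three peers it contacted, which is the set you would push into a TheHive case as related observables.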
A powerful combination for detecting encrypted threats
JA4+ Fingerprinting marks a pivotal advancement in detection methods for incident response teams. Its structure, robustness and readability make it an ideal tool for encrypted environments.
By integrating JA4+ into TheHive, you accelerate investigations, enhance correlation and automate enrichment—while benefiting from the full power of the JA4/FoxIO ecosystem.