Summary
Implement correlation support for JA4+ fingerprints within misp-workbench to enable pivoting and relationship discovery across events and attributes.
Support correlation on:
- JA4 (TLS client fingerprint)
- JA4S (TLS server fingerprint)
- JA4H (HTTP fingerprint)
- Any future JA4+ variants
Scope
1️⃣ Attribute Support
- Add JA4+ attribute types (if not already present)
- Normalize and index values in OpenSearch
- Ensure keyword-based exact matching
2️⃣ Correlation Engine Integration
- Include JA4+ types in correlation logic
- Support:
  - Attribute ↔ Attribute correlations
  - Event ↔ Event correlations (via shared JA4+)
- Store correlation metadata (type, count, source events)
3️⃣ API / UI
- Expose JA4+ correlations via:
- Allow pivot search by JA4+ value
Constraints
- Exact match only (no fuzzy matching)
- Case-normalized values
- Deduplicate correlations
- Respect visibility / organization boundaries
MVP Checklist
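A sketch of the correlation pass described in the Scope and Constraints sections, added here as an illustration and not taken from misp-workbench. The attribute type names, the `org_id` / `shared` visibility fields and the sample fingerprints are assumptions constructed for the example; an in-memory dictionary stands in for the OpenSearch keyword lookup.

```python
from collections import defaultdict
from itertools import combinations

JA4_TYPES = {"ja4", "ja4s", "ja4h"}  # assumed attribute type names


def normalize(value):
    """Trim and lowercase so keyword-style exact matching is stable."""
    return value.strip().lower()


def visible(attr, viewer_org):
    # Hypothetical visibility model: own organization, or explicitly shared.
    return attr["org_id"] == viewer_org or attr["shared"]


def correlate(attributes, viewer_org):
    """Return (attribute correlations, event-to-event pairs) for one viewer."""
    groups = defaultdict(set)  # (type, value) -> event ids; the set deduplicates
    for attr in attributes:
        if attr["type"] in JA4_TYPES and visible(attr, viewer_org):
            groups[(attr["type"], normalize(attr["value"]))].add(attr["event_id"])
    # Exact match only: a key correlates when two or more events carry it.
    correlations = [
        {"type": t, "value": v, "count": len(ev), "source_events": sorted(ev)}
        for (t, v), ev in sorted(groups.items()) if len(ev) > 1
    ]
    pairs = defaultdict(set)  # (event_a, event_b) -> shared (type, value) keys
    for c in correlations:
        for left, right in combinations(c["source_events"], 2):
            pairs[(left, right)].add((c["type"], c["value"]))
    return correlations, dict(pairs)


# Constructed sample data: (event_id, org_id, type, value, shared)
JA4 = "t13d1516h2_8daaf6152771_b186095e22b6"
JA4S = "t130200_1301_a56c5b993250"
ROWS = [
    (1, "A", "ja4", JA4, True),
    (2, "A", "ja4", JA4.upper() + " ", False),  # differs only in case and padding
    (2, "A", "ja4", JA4, False),                # duplicate within the same event
    (3, "B", "ja4", JA4, False),                # private to organization B
    (4, "A", "ja4", JA4[:-1] + "7", True),      # near miss, must not correlate
    (1, "A", "ja4s", JA4S, True),
    (3, "B", "ja4s", JA4S, True),
]
FIELDS = ("event_id", "org_id", "type", "value", "shared")
SAMPLE = [dict(zip(FIELDS, row)) for row in ROWS]

if __name__ == "__main__":
    for entry in correlate(SAMPLE, "A")[0]:
        print(entry)
```

Because the type is part of the grouping key, a JA4 value never correlates with a JA4S or JA4H attribute that happens to carry the same string.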