Saved February 14, 2026
This article explains JA3 and JA4 fingerprints, which are methods for identifying TLS clients based on their connection parameters. It discusses their differences, advantages, and how to collect and utilize these fingerprints for threat detection in network security.
JA3 and JA4 fingerprints are methods for identifying TLS clients from their ClientHello messages. JA3, developed by Salesforce in 2017, produces a 32-character MD5 hash from ClientHello parameters such as the TLS version, cipher suites, and extensions. Although useful for detecting certain patterns, its granularity can produce a large number of distinct hashes, which makes the results hard to interpret. JA3 also covers only TLS information and carries no user-agent data, which limits its usefulness in some contexts.
JA4 builds on JA3 by providing a more detailed, multi-part fingerprint that includes information on the type of TLS cipher used and supports newer protocols like TLS 1.3. Its structure helps address issues with hash randomization, offering better resilience against evasion techniques. JA4+ further expands this by incorporating additional protocols and user-agent data, enhancing its utility for threat detection.
For effective threat hunting, JA3, JA4, and JA4+ fingerprints should be used in combination. This multi-fingerprint approach reduces false positives and strengthens detection rules, particularly for identifying Command and Control (C2) communications or botnets. The fingerprints can be collected easily with tools like Wireshark, allowing analysts to capture them and validate them against threat feeds. Continuous monitoring of these indicators plays a significant role in identifying malicious activity in encrypted environments, where traditional deep packet inspection may not be feasible.
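As an added example (not from the article or the JA3 project), the JA3 construction described above in Python: the raw JA3 string is built from ClientHello parameters already extracted by a dissector such as Wireshark, GREASE values are dropped, and the result is MD5-hashed. The ClientHello values are constructed for illustration, not a real capture, and the second hello shows that a client whose only change is its random GREASE value keeps the same fingerprint.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection; JA3 drops them from
# the cipher, extension and curve lists so a client's hash stays stable.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _without_grease(values):
    return [v for v in values if v not in GREASE]


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Raw JA3 string: five comma-separated fields, each a dash-separated list
    of decimal values kept in the order they appear in the ClientHello."""
    fields = [
        [version],
        _without_grease(ciphers),
        _without_grease(extensions),
        _without_grease(curves),
        list(point_formats),
    ]
    return ",".join("-".join(str(v) for v in field) for field in fields)


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The 32-character JA3 fingerprint: MD5 of the raw JA3 string."""
    raw = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(raw.encode("ascii")).hexdigest()


# Constructed ClientHello parameters (not a real capture), in the form a
# dissector presents them; 0x1301 etc. are the TLS 1.3 cipher suite codes.
HELLO_A = dict(
    version=0x0303,  # client_version 771 (TLS 1.2), as TLS 1.3 clients still send
    ciphers=[0x2a2a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
             0xcca9, 0xcca8, 0x00ff],
    extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 21],
    curves=[0x2a2a, 29, 23, 24],
    point_formats=[0],
)
# The same client on a later connection: only its GREASE value differs.
HELLO_B = {**HELLO_A,
           "ciphers": [0x7a7a] + HELLO_A["ciphers"][1:],
           "extensions": [0x7a7a] + HELLO_A["extensions"][1:],
           "curves": [0x7a7a] + HELLO_A["curves"][1:]}


def same_client(hello_x, hello_y):
    """True when two ClientHellos yield the same JA3 fingerprint."""
    return ja3_hash(**hello_x) == ja3_hash(**hello_y)


if __name__ == "__main__":
    print(ja3_string(**HELLO_A))
    print(ja3_hash(**HELLO_A), same_client(HELLO_A, HELLO_B))
```

The resulting hash is what a threat feed lists; matching it against such a feed is a simple set lookup, while the raw string is what to log when a hash needs to be explained.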