SSL/TLS Inspection & Decryption Logs
Location
TLS inspection appliance logs (Palo Alto SSL Decryption, Zscaler, Blue Coat, F5 SSL Orchestrator)
Description
Logs from SSL/TLS inspection appliances performing man-in-the-middle decryption of encrypted traffic. Records certificate details, cipher suites negotiated, decryption success/failure, and policy decisions for encrypted sessions.
Forensic Value
TLS inspection logs expose encrypted C2 channels and data exfiltration that other network monitoring only sees as opaque TLS flows. Decryption failure events deserve attention: malware sometimes pins its server certificate so that the appliance's forged certificate is rejected, but many legitimate applications (browser pin lists, update agents, banking and mobile apps) do the same, so a failure is a lead to corroborate by source host, destination and frequency rather than an indicator on its own. Certificate details from inspected sessions can identify self-signed (subject equals issuer), very recently issued or otherwise anomalous certificates used by C2 infrastructure. Sessions that bypass inspection because of policy exceptions (category exclusions, pinned-application lists, exempt hosts) are blind spots an attacker can hide in, so the exclusion list itself is worth reviewing during an investigation. JA3 fingerprints from client hellos identify the TLS client stack and can match known malware tooling, with the caveat that one JA3 is shared by every client built on the same library and version, so a match is a lead rather than an attribution; pair it with destination, SNI and the server-side JA3S before drawing conclusions.
Tools Required
Collection Commands
tshark
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -E header=y -e frame.time -e ip.src -e ip.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 > tls_handshakes.txt
(Wireshark 3.0 and later name these fields tls.*; the older ssl.* names remain as deprecated aliases. tls.handshake.ja3 is the MD5 hash, tls.handshake.ja3_full the underlying fingerprint string. Capture on the client side of the appliance: a forward proxy re-originates the outbound connection, so a capture on the Internet side shows the appliance's own JA3, not the endpoint's.)
Splunk
index=tls_inspection earliest=-7d decrypt_status=failed | stats count dc(src_ip) AS hosts by dest_ip, sni, decrypt_reason | sort -count | head 50
(The index and field names are placeholders; map them to your appliance's sourcetype. The distinct source count separates a pinned application that every host fails against from a single host failing against many destinations.)
Palo Alto CLI
show system setting ssl-decrypt certificate-cache
show counter global filter category proxy | match ssl
(The PAN-OS CLI has no shell redirection or && chaining; run set cli pager off first and capture the output with the SSH client's session log. The counter filter keyword is category, not aspect.)
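The following script applies the triage logic from the Forensic Value section (and the failure grouping of the Splunk query) to an exported log. It is an added example, not part of the original page and not any vendor's tooling. It assumes the appliance log has been exported as JSON lines with the field names in FIELDS; that schema, and the sample records, are constructed for the example, so real exports need their field names remapped in parse_records() first.

```python
#!/usr/bin/env python3
"""Triage of TLS inspection appliance logs: self-signed certificates,
decryption-failure patterns and rare JA3 fingerprints.

Added example (not from the original page or any vendor). The JSON-lines
schema below is an assumption; remap field names for a real export.
"""
import json
from collections import defaultdict

FIELDS = ("src_ip", "dst_ip", "sni", "ja3", "decrypt_status",
          "decrypt_reason", "cert_subject", "cert_issuer")

# Constructed sample export (not real traffic): three hosts failing against
# the same pinned update service, one host failing against three unrelated
# destinations (one self-signed, two without SNI), and two clean sessions.
SAMPLE_LOG = """
{"src_ip": "10.1.1.5", "dst_ip": "203.0.113.10", "sni": "updates.example-av.com", "ja3": "3b5074b1b5d032e5620f69f9f700ff0e", "decrypt_status": "failed", "decrypt_reason": "client-rejected-cert", "cert_subject": "CN=updates.example-av.com", "cert_issuer": "CN=Example Public CA"}
{"src_ip": "10.1.1.6", "dst_ip": "203.0.113.10", "sni": "updates.example-av.com", "ja3": "3b5074b1b5d032e5620f69f9f700ff0e", "decrypt_status": "failed", "decrypt_reason": "client-rejected-cert", "cert_subject": "CN=updates.example-av.com", "cert_issuer": "CN=Example Public CA"}
{"src_ip": "10.1.1.7", "dst_ip": "203.0.113.10", "sni": "updates.example-av.com", "ja3": "3b5074b1b5d032e5620f69f9f700ff0e", "decrypt_status": "failed", "decrypt_reason": "client-rejected-cert", "cert_subject": "CN=updates.example-av.com", "cert_issuer": "CN=Example Public CA"}
{"src_ip": "10.1.1.42", "dst_ip": "198.51.100.7", "sni": "cdn-sync.example.net", "ja3": "51c64c77e60f3980eea90869b68c58a8", "decrypt_status": "failed", "decrypt_reason": "client-rejected-cert", "cert_subject": "CN=cdn-sync.example.net", "cert_issuer": "CN=cdn-sync.example.net"}
{"src_ip": "10.1.1.42", "dst_ip": "198.51.100.8", "sni": "", "ja3": "51c64c77e60f3980eea90869b68c58a8", "decrypt_status": "failed", "decrypt_reason": "client-rejected-cert", "cert_subject": "", "cert_issuer": ""}
{"src_ip": "10.1.1.42", "dst_ip": "198.51.100.9", "sni": "", "ja3": "51c64c77e60f3980eea90869b68c58a8", "decrypt_status": "failed", "decrypt_reason": "client-rejected-cert", "cert_subject": "", "cert_issuer": ""}
{"src_ip": "10.1.1.5", "dst_ip": "192.0.2.20", "sni": "www.example.com", "ja3": "72a589da586844d7f0818ce684948eea", "decrypt_status": "success", "decrypt_reason": "", "cert_subject": "CN=www.example.com", "cert_issuer": "CN=Example Public CA"}
{"src_ip": "10.1.1.6", "dst_ip": "192.0.2.20", "sni": "www.example.com", "ja3": "72a589da586844d7f0818ce684948eea", "decrypt_status": "success", "decrypt_reason": "", "cert_subject": "CN=www.example.com", "cert_issuer": "CN=Example Public CA"}
"""


def parse_records(text):
    """Parse JSON lines; blank lines are skipped, missing fields become ''."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        records.append({k: raw.get(k, "") for k in FIELDS})
    return records


def self_signed(records):
    """Self-signed certificate: subject equals issuer. Returns (dst_ip, subject)."""
    hits = {(r["dst_ip"], r["cert_subject"]) for r in records
            if r["cert_subject"] and r["cert_subject"] == r["cert_issuer"]}
    return sorted(hits)


def failure_triage(records, pinned_threshold=3):
    """Group decryption failures by destination (SNI, or dst_ip when the client
    sent none). A destination that many hosts fail against is usually a
    legitimately pinned application, a candidate for an exclusion rather than
    an alert. A single host with two or more failing destinations that no
    other host touches is the pattern worth a closer look."""
    sources_by_dst = defaultdict(set)
    dsts_by_src = defaultdict(set)
    for r in records:
        if r["decrypt_status"] != "failed":
            continue
        key = r["sni"] or r["dst_ip"]
        sources_by_dst[key].add(r["src_ip"])
        dsts_by_src[r["src_ip"]].add(key)
    likely_pinned = sorted(k for k, s in sources_by_dst.items()
                           if len(s) >= pinned_threshold)
    suspicious = []
    for src, dsts in dsts_by_src.items():
        unique = [k for k in dsts if len(sources_by_dst[k]) == 1]
        if len(unique) >= 2:
            suspicious.append(src)
    return likely_pinned, sorted(suspicious)


def rare_ja3(records, max_hosts=1):
    """JA3 hashes seen from at most max_hosts sources. Rare client fingerprints
    merit a look; common ones are shared by whole TLS libraries."""
    hosts = defaultdict(set)
    for r in records:
        if r["ja3"]:
            hosts[r["ja3"]].add(r["src_ip"])
    return sorted((j, sorted(s)) for j, s in hosts.items() if len(s) <= max_hosts)


def triage(text, pinned_threshold=3):
    """Run all checks over an exported log and return a report dict."""
    records = parse_records(text)
    pinned, suspicious = failure_triage(records, pinned_threshold)
    return {"records": len(records),
            "self_signed": self_signed(records),
            "likely_pinned": pinned,
            "suspicious_sources": suspicious,
            "rare_ja3": rare_ja3(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the thresholds (pinned_threshold, max_hosts) are starting points to tune against the size of the environment.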