Similar to Blacklisted IP, Domain feeds, we have a feed for malicious ssl certificates from https://sslbl.abuse.ch/
The feed contains SHA1 fingerprint for a malicious certificate involved in C2 Communication.
However, i don't see any meta field capturing this info in netwitness.
i can see ssl.ca, ssl.subject, crypto related to TLS Communication.
Is there way to write a parser or so to capture sha1 fingerprint of the SSL Certifciates ?