Severity: high | Status: closed | Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_DOCUMENT
Confidence: 85% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Users\Joy Howell\AppData\Local\Temp\{DAA8A02A-9915-4F49-82B4-35EA1D7C963A}-MicrosoftEdge_X64_146.0.3856.62_146.0.3856.59.exe
HASH:
fc36a712dcd2ec58d063afa06d810b36d3999e3fbfdae3e9b662662338785fe0
PROCESS_ID:
11316
IOCs: fc36a712dcd2ec58d063afa06d810b36d3999e3fbfdae3e9b662662338785fe0
MITRE: T1059
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\{DAA8A02A-9915-4F49-82B4-35EA1D7C963A}-MicrosoftEdge_X64_146.0.3856.62_146.0.3856.59.exe",
      "HASH": "fc36a712dcd2ec58d063afa06d810b36d3999e3fbfdae3e9b662662338785fe0",
      "PROCESS_ID": 11316
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "3d46682d-595f-42dd-8eb2-19b20a154df6",
      "event_time": 1773797654778,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -518,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "15b026aa8514642d084a262969b0ff42",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_disk",
        "yara_detection_memory"
      ],
      "this": "8c042576b505fe6bd6af1c7369ba0116"
    }
  },
  "detect_id": "77d3e64a-0623-44c3-a0b5-826469ba0116",
  "gen_time": 1773797654259,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1773797654\u0026selected=8c042576b505fe6bd6af1c7369ba0116",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "3d46682d-595f-42dd-8eb2-19b20a154df6",
    "event_time": 1773797654778,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -518,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "15b026aa8514642d084a262969b0ff42",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_disk",
      "yara_detection_memory"
    ],
    "this": "8c042576b505fe6bd6af1c7369ba0116"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1773797654000
}
🌐 Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 7,
      "type-unsupported": 4,
      "undetected": 65
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.85,
  "false_positive_reason": "Legitimate software update/installation",
  "investigation_questions": [
    "Was this update initiated by the user or an automated system process?"
  ],
  "ioc_analysis": "The file path C:\\Users\\Joy Howell\\AppData\\Local\\Temp and the naming convention {GUID}-MicrosoftEdge_X64_...exe are standard for Microsoft Edge\u0027s background update mechanism. The timing of the event (March 17, 2026) matches the release window for Edge version 146.",
  "iocs_extracted": [
    "fc36a712dcd2ec58d063afa06d810b36d3999e3fbfdae3e9b662662338785fe0"
  ],
  "mitre_techniques": [
    "T1059"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Tune the detection rule to exclude signed Microsoft binaries written to AppData\\Local\\Temp",
    "Close this alert as a False Positive"
  ],
  "risk_score": 17,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection is a false positive triggered by a legitimate Microsoft Edge update installer being written to the user\u0027s temporary directory. The version number (146.0.3856.62) aligns perfectly with the official Microsoft Edge release schedule for March 2026.\n\n**IOC Analysis:** The file path C:\\Users\\Joy Howell\\AppData\\Local\\Temp and the naming convention {GUID}-MicrosoftEdge_X64_...exe are standard for Microsoft Edge\u0027s background update mechanism. The timing of the event (March 17, 2026) matches the release window for Edge version 146.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because the file path indicates Microsoft Edge browser activity in a temporary directory, which is consistent with legitimate Windows behavior. The historical analyst feedback consistently marks similar detections as false positives.\n\n**IOC Analysis:** The file path contains \u0027MicrosoftEdge_X64\u0027 indicating it is related to Microsoft Edge browser updates or downloads. The presence of the file in AppData\\Local\\Temp is standard for temporary files created by legitimate applications. There are no indicators of malicious behavior such as unexpected system paths, unsigned binaries, or suspicious command lines.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.6\nA new file was detected being written to a temporary directory, which is atypical for system binaries but common for legitimate software. The file name resembles Microsoft Edge, but without verification, it could be malicious.\n\n**IOC Analysis:** The FILE_PATH is in C:\\Users\\Joy Howell\\AppData\\Local\\Temp, which is not a standard location for known-good Windows system binaries. The HASH is provided but not verified against known malware databases, and no signature information is available. This location and lack of verification raise suspicion.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 100% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: suspicious (medium, 60% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.6,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

⚙️ Response Actions

Action | Target | Status | Result
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Manual analyst review required — AI models (majority) | executed | General Activity Sweep: 0 events found
recommended | Tune the detection rule to exclude signed Microsoft binaries written to AppData\Local\Temp | executed | General Activity Sweep: 0 events found
recommended | Close this alert as a False Positive | executed | General Activity Sweep: 0 events found

💬 Notes (4)

🤖 FusionSOC AI 2026-03-18T01:49
🤖 FusionSOC AI 2026-03-18T01:49
🤖 FusionSOC AI 2026-03-18T01:49
🤖 FusionSOC AI 2026-03-18T01:49

📜 Timeline

Time | Actor | Event
2026-03-18T14:55:47 | analyst | Status changed: triaging → closed
2026-03-18T14:55:45 | analyst | Analyst classified as False Positive (FP)
2026-03-18T01:49:04 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T01:49:04 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close this alert as a False Positive **Sensor:** `8f3a47be-5629-4c...` **Time Wi...
2026-03-18T01:49:04 | FusionSOC | Response action queued: recommended on Close this alert as a False Positive
2026-03-18T01:49:04 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T01:49:04 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Tune the detection rule to exclude signed Microsoft binaries written to AppData\...
2026-03-18T01:49:04 | FusionSOC | Response action queued: recommended on Tune the detection rule to exclude signed Microsoft binaries written to AppData\Local\Temp
2026-03-18T01:49:04 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T01:49:04 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models (majority) **Sensor:** `8f3a47be-5629...
2026-03-18T01:49:03 | FusionSOC | Response action queued: recommended on Manual analyst review required — AI models (majority)
2026-03-18T01:49:03 | FusionSOC | Action tag → executed: Tag applied
2026-03-18T01:49:03 | FusionSOC | Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-18T01:49:03 | FusionSOC AI | Detection 77d3e64a-0623-44c3-a0b5-826469ba0116 triaged as false_positive (high severity, confidence: 85%)
2026-03-18T01:49:03 | FusionSOC AI | Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB