Severity: low · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path low
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_DOCUMENT
Confidence: 60% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Users\Joy Howell\AppData\Local\Temp\{6BD9B767-6565-4B48-AD31-BD7735D9F9ED}-MicrosoftEdge_X64_146.0.3856.72_146.0.3856.62.exe
HASH:
92bb307e9b0a7a65390e7bad6ead7bb5bfeb66f523a836ccd8ee6c8a4b72859c
PROCESS_ID:
11316
IOCs: FILE_PATH: C:\Users\Joy Howell\AppData\Local\Temp\{6BD9B767-6565-4B48-AD31-BD7735D9F9ED}-MicrosoftEdge_X64_146.0.3856.72_146.0.3856.62.exe PROCESS_ID: 11316
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\{6BD9B767-6565-4B48-AD31-BD7735D9F9ED}-MicrosoftEdge_X64_146.0.3856.72_146.0.3856.62.exe",
      "HASH": "92bb307e9b0a7a65390e7bad6ead7bb5bfeb66f523a836ccd8ee6c8a4b72859c",
      "PROCESS_ID": 11316
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "cde25c1d-57ce-479d-9876-e7632c0ce892",
      "event_time": 1774164830683,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 368,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "15b026aa8514642d084a262969b0ff42",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory"
      ],
      "this": "ff975e085ed7683d7224ff0b69bf9b5e"
    }
  },
  "detect_id": "44c063d4-df1f-47df-9428-704169bf9b5f",
  "gen_time": 1774164831052,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774164830\u0026selected=ff975e085ed7683d7224ff0b69bf9b5e",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "cde25c1d-57ce-479d-9876-e7632c0ce892",
    "event_time": 1774164830683,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 368,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "15b026aa8514642d084a262969b0ff42",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory"
    ],
    "this": "ff975e085ed7683d7224ff0b69bf9b5e"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774164831000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.6,
  "false_positive_reason": "Microsoft Edge installation files in Temp directory are legitimate during software updates",
  "investigation_questions": [
    "Is this file being executed or just written to disk?",
    "What user account triggered this installation/update process?"
  ],
  "ioc_analysis": "The file path contains \u0027MicrosoftEdge_X64\u0027 indicating it is related to Microsoft Edge browser installation. The presence of this file in AppData\\Local\\Temp is typical for Windows Update processes or legitimate software installation activities.",
  "iocs_extracted": [
    "FILE_PATH: C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\{6BD9B767-6565-4B48-AD31-BD7735D9F9ED}-MicrosoftEdge_X64_146.0.3856.72_146.0.3856.62.exe",
    "PROCESS_ID: 11316"
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Monitor for file persistence or execution outside of expected locations",
    "Verify the file is signed by Microsoft",
    "Check if this is part of a Windows Update process"
  ],
  "risk_score": 15,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThis detection is a false positive because the file path indicates Microsoft Edge installation files in a temporary directory, which is common during software updates or installations.\n\n**IOC Analysis:** The file path contains \u0027MicrosoftEdge_X64\u0027 indicating it is related to Microsoft Edge browser installation. The presence of this file in AppData\\Local\\Temp is typical for Windows Update processes or legitimate software installation activities.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.3\nThe detection event flagged a new file write in the Temp directory with a suspicious GUID-based name resembling Microsoft Edge. Given the rule\u0027s history of false positives and the file\u0027s location, it is likely benign.\n\n**IOC Analysis:** The FILE_PATH is located in C:\\Users\\AppData\\Local\\Temp, which is not a standard directory for system binaries, raising suspicion. The HASH is not verified against known Microsoft-signed binaries, and while the file name includes \u0027MicrosoftEdge\u0027, the unique GUID and atypical location suggest obfuscation rather than malicious intent, aligning with false positive scenarios.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 90% confidence)",
      "deepseek-r1:8b: false_positive (low, 30% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.9,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.3,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action: tag · Target: 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated · Status: executed · Result: Tag applied
Action: recommended · Target: Close case as false positive (unanimous AI verdict) · Status: executed · Result: General Activity Sweep: 0 events found
Action: recommended · Target: Monitor for file persistence or execution outside of expected locations · Status: executed · Result: Persistence Check: 0 events found
Action: recommended · Target: Verify the file is signed by Microsoft · Status: executed · Result: File Activity Investigation: 0 events found
Action: recommended · Target: Check if this is part of a Windows Update process · Status: executed · Result: Process Tree Investigation: 28 events found

๐Ÿ“ Add Note

💬 Notes (5)

🤖 FusionSOC AI 2026-03-22T23:44
🤖 FusionSOC AI 2026-03-22T23:44
🤖 FusionSOC AI 2026-03-22T23:44
🤖 FusionSOC AI 2026-03-22T23:44
🤖 FusionSOC AI 2026-03-22T23:44

📜 Timeline

2026-03-23T01:43:36 · analyst · Status changed: investigating → closed
2026-03-23T01:43:25 · analyst · Analyst classified as False Positive (FP)
2026-03-22T23:44:04 · FusionSOC AI · Status changed: investigating → investigating
2026-03-22T23:44:04 · FusionSOC · Action recommended → executed: Process Tree Investigation: 28 events found
2026-03-22T23:44:04 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Check if this is part of a Windows Update process **Sensor:** `8f3a47be-5629...
2026-03-22T23:44:03 · FusionSOC · Response action queued: recommended on Check if this is part of a Windows Update process
2026-03-22T23:44:03 · FusionSOC AI · Status changed: investigating → investigating
2026-03-22T23:44:03 · FusionSOC · Action recommended → executed: File Activity Investigation: 0 events found
2026-03-22T23:44:03 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Verify the file is signed by Microsoft **Sensor:** `8f3a47be-5629-4c...` **...
2026-03-22T23:44:01 · FusionSOC · Response action queued: recommended on Verify the file is signed by Microsoft
2026-03-22T23:44:01 · FusionSOC AI · Status changed: investigating → investigating
2026-03-22T23:44:01 · FusionSOC · Action recommended → executed: Persistence Check: 0 events found
2026-03-22T23:44:01 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Persistence Check **Action:** Monitor for file persistence or execution outside of expected locations **Sensor:** `...
2026-03-22T23:44:00 · FusionSOC · Response action queued: recommended on Monitor for file persistence or execution outside of expected locations
2026-03-22T23:44:00 · FusionSOC AI · Status changed: open → investigating
2026-03-22T23:44:00 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-22T23:44:00 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-22T23:44:00 · FusionSOC · Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-22T23:44:00 · FusionSOC · Action tag → executed: Tag applied
2026-03-22T23:44:00 · FusionSOC · Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-22T23:44:00 · FusionSOC AI · Detection 44c063d4-df1f-47df-9428-704169bf9b5f triaged as false_positive (low severity, confidence: 60%)
2026-03-22T23:44:00 · FusionSOC AI · Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB