high · closed · false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 62% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpDefenderCoreService.exe
HASH:
a5b33494bf5631932672f781c2eb3d720e9cc582ad299051ce3a16468278987d
PROCESS_ID:
17988
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpDefenderCoreService.exe",
      "HASH": "a5b33494bf5631932672f781c2eb3d720e9cc582ad299051ce3a16468278987d",
      "PROCESS_ID": 17988
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "a6cdb94a-a16c-407d-b273-46ac29f55d30",
      "event_time": 1774468112799,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 5378,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "9727bc761f07cc5e5c90b93a69c43c07",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows",
        "yara_detection_memory"
      ],
      "this": "d2e3fcff74cd4ed790badd6e69c43c15"
    }
  },
  "detect_id": "05274ef7-15ee-4a64-8c3e-60e069c43c16",
  "gen_time": 1774468118177,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468112\u0026selected=d2e3fcff74cd4ed790badd6e69c43c15",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "a6cdb94a-a16c-407d-b273-46ac29f55d30",
    "event_time": 1774468112799,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 5378,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "9727bc761f07cc5e5c90b93a69c43c07",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows",
      "yara_detection_memory"
    ],
    "this": "d2e3fcff74cd4ed790badd6e69c43c15"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774468118000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 1,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 71
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.617,
  "false_positive_reason": null,
  "investigation_questions": [],
  "ioc_analysis": "",
  "iocs_extracted": [],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Manual review required"
  ],
  "risk_score": 23,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection is a false positive because the process is a legitimate Windows Defender update component running from a temporary directory with Microsoft signing.\n\n**IOC Analysis:** MpDefenderCoreService.exe is a known Windows Defender update helper that runs in C:\\Windows\\Temp during updates. The child process MpSigStub.exe confirms this is an official Microsoft-signed update payload, not malware.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection is likely a false positive as the file and process are associated with legitimate system updates, and investigations found no malicious activity.\n\n**IOC Analysis:** The file path is in C:\\Windows\\Temp, which is commonly used for temporary files and legitimate updates. The process name and hash may relate to Microsoft Defender or similar legitimate software. Investigation confirmed no suspicious behavior, and multiple AI models and analyst feedback classify this as benign.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (medium, 0% confidence)",
      "qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b +RAG: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "had_rag": true,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | Manual review required | executed | General Activity Sweep: 0 events found
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | No action required. This appears to be a legitimate update activity. | executed | General Activity Sweep: 0 events found
recommended | Consider tuning the rule to exclude signed Microsoft binaries from common update paths like C:\Windows\Temp\* | executed | General Activity Sweep: 0 events found
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | Manual review required | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

๐Ÿ’ฌ Notes (8)

๐Ÿค– FusionSOC AI 2026-03-25T22:41
๐Ÿค– FusionSOC AI 2026-03-25T22:41
๐Ÿค– FusionSOC AI 2026-03-25T22:24
๐Ÿค– FusionSOC AI 2026-03-25T22:24
๐Ÿค– FusionSOC AI 2026-03-25T22:24
๐Ÿค– FusionSOC AI 2026-03-25T21:34
๐Ÿค– FusionSOC AI 2026-03-25T21:34
๐Ÿค– FusionSOC AI 2026-03-25T21:34

📜 Timeline

2026-03-26T14:34:17
analyst
Status changed: investigating → closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T22:41:58
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ—ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 โ†’ FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T22:41:40
FusionSOC AI
Status changed: investigating → investigating
2026-03-25T22:41:40
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:41:40
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T22:41:39
FusionSOC
Response action queued: recommended on Manual review required
2026-03-25T22:41:39
FusionSOC
Action tag → executed: Tag applied
2026-03-25T22:41:39
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:24:19
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ—ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 โ†’ FALSE POSITIVE) - gemini-cli: false_positive (low, 98% c...
2026-03-25T22:24:03
FusionSOC AI
Status changed: investigating → investigating
2026-03-25T22:24:03
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:24:03
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Consider tuning the rule to exclude signed Microsoft binaries from common update...
2026-03-25T22:24:03
FusionSOC
Response action queued: recommended on Consider tuning the rule to exclude signed Microsoft binaries from common update paths like C:\Windows\Temp\*
2026-03-25T22:24:03
FusionSOC AI
Status changed: investigating → investigating
2026-03-25T22:24:03
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:24:03
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** No action required. This appears to be a legitimate update activity. **Sensor:**...
2026-03-25T22:24:02
FusionSOC
Response action queued: recommended on No action required. This appears to be a legitimate update activity.
2026-03-25T22:24:02
FusionSOC
Action tag → executed: Tag applied
2026-03-25T22:24:02
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:34:41
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ—ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 โ†’ FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T21:34:21
FusionSOC AI
Status changed: open → investigating
2026-03-25T21:34:21
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T21:34:21
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T21:34:20
FusionSOC
Response action queued: recommended on Manual review required
2026-03-25T21:34:20
FusionSOC
Action tag → executed: Tag applied
2026-03-25T21:34:20
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:34:20
FusionSOC AI
Detection 05274ef7-15ee-4a64-8c3e-60e069c43c16 triaged as true_positive (medium severity, confidence: 0%)
2026-03-25T21:34:20
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB