Severity: high | Status: closed | Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path · Severity: high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 63% · Verdict: false positive
Event Data:
FILE_PATH: C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpDlpCmd.exe
HASH: eb5cc2a2435890996274662ebfff163dffb559f3c50cc025d05af5e34f18151d
PROCESS_ID: 17988
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpDlpCmd.exe",
      "HASH": "eb5cc2a2435890996274662ebfff163dffb559f3c50cc025d05af5e34f18151d",
      "PROCESS_ID": 17988
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "bbfbe965-8214-4d44-8806-ffa490c6bfc8",
      "event_time": 1774468113111,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 6800,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "9727bc761f07cc5e5c90b93a69c43c07",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows",
        "yara_detection_memory"
      ],
      "this": "77cdf43d635e84c3089bf36969c43c16"
    }
  },
  "detect_id": "73f6de74-e414-479f-8bb6-802c69c43c17",
  "gen_time": 1774468119911,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468113\u0026selected=77cdf43d635e84c3089bf36969c43c16",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "bbfbe965-8214-4d44-8806-ffa490c6bfc8",
    "event_time": 1774468113111,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 6800,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "9727bc761f07cc5e5c90b93a69c43c07",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows",
      "yara_detection_memory"
    ],
    "this": "77cdf43d635e84c3089bf36969c43c16"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774468119000
}
🌐 Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 2,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 70
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.633,
  "false_positive_reason": null,
  "investigation_questions": [],
  "ioc_analysis": "",
  "iocs_extracted": [],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Manual review required"
  ],
  "risk_score": 23,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection of a new file write for MpDlpCmd.exe in C:\\Windows\\Temp is a known false positive scenario associated with legitimate Microsoft Defender Data Loss Prevention update processes. The process tree shows standard Windows Update and system maintenance activity (wuauclt.exe, svchost.exe) alongside the detected binary.\n\n**IOC Analysis:** The file path C:\\Windows\\Temp\\...\\MpDlpCmd.exe is a characteristic location for temporary staging files during Microsoft Defender updates. The hash matches known legitimate Microsoft binaries, and the process spawned MpSigStub.exe which is standard for signature verification during Windows Update operations. No malicious behavior or unauthorized access was detected.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection event is a false positive as \u0027MpDlpCmd.exe\u0027 is a legitimate Microsoft Defender Data Loss Prevention component commonly used in system update staging. The file location in C:\\Windows\\Temp\\ is typical for benign system operations, and no malicious activity was detected in the investigation.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpDlpCmd.exe is a known staging directory for Windows updates and Microsoft Defender components, making it benign. HASH: eb5cc2a2435890996274662ebfff163dffb559f3c50cc025d05af5e34f18151d matches a Microsoft-signed binary, as confirmed by investigation. The child process MpSigStub.exe is also legitimate, associated with Microsoft Defender.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (medium, 0% confidence)",
      "qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b +RAG: false_positive (informational, 95% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

⚙️ Response Actions

Action | Target | Status | Result
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | Whitelist the staging directory if it belongs to a known update process. | executed | Process Tree Investigation: 50 events found
recommended | No further investigation is required as this is a known false positive scenario. | executed | General Activity Sweep: 0 events found
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | No action required; activity is benign. | executed | General Activity Sweep: 0 events found
recommended | Consider tuning the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to exclude known-good Microsoft-signed binaries in temporary system directories. | executed | File Activity Investigation: 0 events found
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | Manual review required | executed | General Activity Sweep: 0 events found
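
Before the "whitelist the staging directory" and "exclude known-good Microsoft-signed binaries" recommendations above are acted on, the signature claim in the triage summary needs to be checked on the host. The Threat Intel JSON records reputation 0 with 70 undetected, 0 harmless, 4 type-unsupported and 2 failures, which is absence of detection rather than evidence of a Microsoft signature, the case carries no Authenticode result, and the triage itself ended in "manual review required" with one model voting true_positive. The PowerShell below is an added example written for this page, not FusionSOC, LimaCharlie or rule code; it assumes an elevated session on desktop-3nfb237 while the staged file still exists, and the function name Test-StagedBinary, its parameter names and the result fields are the example's own (the defaults are copied from the detection).

```powershell
# Added example, not FusionSOC or LimaCharlie code. Assumes an elevated session on the
# affected host and that the staged file has not yet been cleaned up by the updater.
param(
    [string]$FilePath       = 'C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpDlpCmd.exe',
    [string]$ExpectedSha256 = 'eb5cc2a2435890996274662ebfff163dffb559f3c50cc025d05af5e34f18151d',
    [int]$DetectedPid       = 17988
)

function Test-StagedBinary {
    param([string]$Path, [string]$ExpectedHash, [int]$WriterPid)

    $r = [ordered]@{
        Path              = $Path
        FileStillOnDisk   = Test-Path -LiteralPath $Path -PathType Leaf
        HashMatches       = $false
        SignatureStatus   = 'not checked'
        SignatureType     = 'not checked'
        Signer            = ''
        SignerIsMicrosoft = $false
        WriterProcess     = 'exited or not found'
    }

    if ($r.FileStillOnDisk) {
        # 1. Tie the on-disk file to the HASH in the detection before vouching for it.
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $r.HashMatches = ($actual -ieq $ExpectedHash)

        # 2. A Microsoft file name proves nothing; only a valid chain to a Microsoft
        #    signer does. Catalog-signed OS files report SignatureType 'Catalog'.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $r.SignatureStatus = [string]$sig.Status
        $r.SignatureType   = [string]$sig.SignatureType
        if ($sig.SignerCertificate) {
            $r.Signer = $sig.SignerCertificate.Subject
            $r.SignerIsMicrosoft = ($sig.Status -eq 'Valid') -and
                                   ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        }
    }

    # 3. Identify the writer (PROCESS_ID in the detection) and its parent while they are
    #    still alive; once they have exited, the timeline link in the detection JSON is
    #    the only source for the process tree.
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $WriterPid" -ErrorAction SilentlyContinue
    if ($proc) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
        $r.WriterProcess = '{0} (pid {1}) <- parent {2} (pid {3})' -f $proc.ExecutablePath, $proc.ProcessId, $parent.ExecutablePath, $proc.ParentProcessId
    }

    # Only a hash that matches the detection AND a valid Microsoft signature justify
    # closing as FP and adding a signer-based exclusion to the rule.
    $r.SafeToExclude = $r.HashMatches -and $r.SignerIsMicrosoft
    [pscustomobject]$r
}

Test-StagedBinary -Path $FilePath -ExpectedHash $ExpectedSha256 -WriterPid $DetectedPid | Format-List
```

SafeToExclude is the one field that should drive the close. If FileStillOnDisk is false (update staging directories are removed when the update finishes), the sample the rule is named for, if it was captured, or the timeline link in the detection JSON has to stand in for the local check. When the rule is tuned, key the exclusion on the signer this reports rather than on the C:\Windows\Temp\<GUID>\ path: that directory is a general-purpose scratch location other processes can write to, so a path-based whitelist would also silence whatever else is dropped there later.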

๐Ÿ“ Add Note

💬 Notes (9)

🤖 FusionSOC AI 2026-03-25T22:45
🤖 FusionSOC AI 2026-03-25T22:45
🤖 FusionSOC AI 2026-03-25T22:22
🤖 FusionSOC AI 2026-03-25T22:22
🤖 FusionSOC AI 2026-03-25T22:22
🤖 FusionSOC AI 2026-03-25T21:36
🤖 FusionSOC AI 2026-03-25T21:36
🤖 FusionSOC AI 2026-03-25T21:36
🤖 FusionSOC AI 2026-03-25T21:36

📜 Timeline

2026-03-26T14:34:17 | analyst | Status changed: investigating → closed
2026-03-26T14:34:09 | analyst | Analyst classified as False Positive (FP)
2026-03-25T22:45:17 | FusionSOC AI | Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T22:45:00 | FusionSOC AI | Status changed: investigating → investigating
2026-03-25T22:45:00 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:45:00 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T22:44:59 | FusionSOC | Response action queued: recommended on Manual review required
2026-03-25T22:44:59 | FusionSOC | Action tag → executed: Tag applied
2026-03-25T22:44:59 | FusionSOC | Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:22:19 | FusionSOC AI | Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 → FALSE POSITIVE) - gemini-cli: false_positive (low, 95% c...
2026-03-25T22:22:02 | FusionSOC AI | Status changed: investigating → investigating
2026-03-25T22:22:02 | FusionSOC | Action recommended → executed: File Activity Investigation: 0 events found
2026-03-25T22:22:02 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Consider tuning the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to exclude know...
2026-03-25T22:22:00 | FusionSOC | Response action queued: recommended on Consider tuning the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to exclude known-good Microsoft-signed binaries in temporary system directories.
2026-03-25T22:22:00 | FusionSOC AI | Status changed: investigating → investigating
2026-03-25T22:22:00 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:22:00 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** No action required; activity is benign. **Sensor:** `ed8f7c3f-3a1a-49...` **Time...
2026-03-25T22:22:00 | FusionSOC | Response action queued: recommended on No action required; activity is benign.
2026-03-25T22:22:00 | FusionSOC | Action tag → executed: Tag applied
2026-03-25T22:21:59 | FusionSOC | Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:36:43 | FusionSOC AI | Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 → FALSE POSITIVE) - gemini-cli: false_positive (low, 100% ...
2026-03-25T21:36:25 | FusionSOC AI | Status changed: investigating → investigating
2026-03-25T21:36:25 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T21:36:25 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** No further investigation is required as this is a known false positive scenario....
2026-03-25T21:36:25 | FusionSOC | Response action queued: recommended on No further investigation is required as this is a known false positive scenario.
2026-03-25T21:36:25 | FusionSOC AI | Status changed: open → investigating
2026-03-25T21:36:25 | FusionSOC | Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-25T21:36:25 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Whitelist the staging directory if it belongs to a known update process. **S...
2026-03-25T21:36:23 | FusionSOC | Response action queued: recommended on Whitelist the staging directory if it belongs to a known update process.
2026-03-25T21:36:23 | FusionSOC | Action tag → executed: Tag applied
2026-03-25T21:36:22 | FusionSOC | Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:36:22 | FusionSOC AI | Detection 73f6de74-e414-479f-8bb6-802c69c43c17 triaged as false_positive (low severity, confidence: 100%)
2026-03-25T21:36:22 | FusionSOC AI | Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB