Case #563
general.Sensitive Process Accessed
Analyst Verdict Classification: FP by analyst
AI Analysis
Detections (1)
Sensitive Process Accessed
low
Rule: general.Sensitive Process Accessed
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 93% · Verdict: false positive
Event Data:
EVENTS:
[{'event': {'BASE_ADDRESS': 140702525030400, 'COMMAND_LINE': 'C:\\WINDOWS\\system32\\lsass.exe', 'CREATION_TIME': 1773245868875, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\WINDOWS\\system32\\lsass.exe', 'HASH': '055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115', 'MEMORY_USAGE': 19705856, 'PARENT': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume3\\Windows\\System32\\wininit.exe', 'HASH': 'ba26910be549b8700c08fbe2f160952288864470a30dd35c3c6b7782f7dbf857', 'MEMORY_USAGE': 7323648, 'PARENT_PROCESS_ID': 720, 'PROCESS_ID': 840, 'THIS_ATOM': '58b1f2a11a942a48999a6fbd69b1964c', 'THREADS': 1, 'TIMESTAMP': 1773246028618, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'PARENT_PROCESS_ID': 840, 'PROCESS_ID': 980, 'THREADS': 16, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'routing': {'arch': 2, 'did': '', 'event_id': '8eb7b72c-540b-49e7-b7fa-d36cdf5ba6c4', 'event_time': 1773246029212, 'event_type': 'EXISTING_PROCESS', 'ext_ip': '23.128.32.10', 'hostname': 'desktop-3nfb237', 'iid': 'b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175', 'int_ip': '192.168.50.40', 'latency': 1222196782, 'moduleid': 2, 'oid': 'd3541070-8b0e-4663-8a6a-aa0727aacd36', 'parent': '58b1f2a11a942a48999a6fbd69b1964c', 'plat': 268435456, 'sid': 'ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136', 'tags': ['fusion-soc-alert', 'fusion-soc-case', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusionsoc-critical', 'fusionsoc-high', 'fusionsoc-investigated', 'qucikbooks', 'windows', 'yara_detection_memory'], 'this': 'b2fe617fb2365f162bc5846069b1964d'}}, {'event': {'ACCESS_FLAGS': 5136, 'PARENT_PROCESS_ID': 14996, 'PROCESS_ID': 980, 'SOURCE': {'BASE_ADDRESS': 140701110697984, 'COMMAND_LINE': 'C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe', 'HASH': '8bbdead7357af7bf0efe397f9fd7e0ec578755eb8bdbaa65ae4f28ef00087ad5', 'MEMORY_USAGE': 14049280, 'PARENT_ATOM': '1119881e297798c20354762169b1968c', 'PARENT_PROCESS_ID': 676, 'PROCESS_ID': 14996, 
'THIS_ATOM': '515448fa5368f6aee169af6269c1b77a', 'THREADS': 13, 'TIMESTAMP': 1774303097403, 'USER_NAME': 'NT AUTHORITY\\NETWORK SERVICE'}, 'TARGET': {'BASE_ADDRESS': 140702525030400, 'COMMAND_LINE': 'C:\\WINDOWS\\system32\\lsass.exe', 'CREATION_TIME': 1773245868875, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\WINDOWS\\system32\\lsass.exe', 'HASH': '055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115', 'MEMORY_USAGE': 19705856, 'PARENT_ATOM': '58b1f2a11a942a48999a6fbd69b1964c', 'PARENT_PROCESS_ID': 840, 'PROCESS_ID': 980, 'THIS_ATOM': 'b2fe617fb2365f162bc5846069b1964d', 'THREADS': 16, 'TIMESTAMP': 1773246029212, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}}, 'routing': {'arch': 2, 'did': '', 'event_id': '32152f0f-a21e-470b-af07-18133cfe39be', 'event_time': 1774468224929, 'event_type': 'REMOTE_PROCESS_HANDLE', 'ext_ip': '23.128.32.10', 'hostname': 'desktop-3nfb237', 'iid': 'b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175', 'int_ip': '192.168.50.40', 'latency': 1065, 'moduleid': 2, 'oid': 'd3541070-8b0e-4663-8a6a-aa0727aacd36', 'parent': '515448fa5368f6aee169af6269c1b77a', 'plat': 268435456, 'sid': 'ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136', 'tags': ['fusion-soc-alert', 'fusion-soc-case', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusionsoc-critical', 'fusionsoc-high', 'fusionsoc-investigated', 'qucikbooks', 'windows', 'yara_detection_memory'], 'target': 'b2fe617fb2365f162bc5846069b1964d', 'this': 'f132ac84331fd984eed79cea69c43c80'}}]
IOCs:
d53e90af814f61e09bff87a883a3b0dcb7dcf883f17a2425a62a2d4b5a9407fb
055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\lsass.exe
MITRE:
T1003.001
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "Sensitive Process Accessed",
"detect": {
"event": {
"EVENTS": [
{
"event": {
"BASE_ADDRESS": 140702525030400,
"COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
"CREATION_TIME": 1773245868875,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
"HASH": "055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115",
"MEMORY_USAGE": 19705856,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume3\\Windows\\System32\\wininit.exe",
"HASH": "ba26910be549b8700c08fbe2f160952288864470a30dd35c3c6b7782f7dbf857",
"MEMORY_USAGE": 7323648,
"PARENT_PROCESS_ID": 720,
"PROCESS_ID": 840,
"THIS_ATOM": "58b1f2a11a942a48999a6fbd69b1964c",
"THREADS": 1,
"TIMESTAMP": 1773246028618,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 840,
"PROCESS_ID": 980,
"THREADS": 16,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "8eb7b72c-540b-49e7-b7fa-d36cdf5ba6c4",
"event_time": 1773246029212,
"event_type": "EXISTING_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 1222196782,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "58b1f2a11a942a48999a6fbd69b1964c",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "b2fe617fb2365f162bc5846069b1964d"
}
},
{
"event": {
"ACCESS_FLAGS": 5136,
"PARENT_PROCESS_ID": 14996,
"PROCESS_ID": 980,
"SOURCE": {
"BASE_ADDRESS": 140701110697984,
"COMMAND_LINE": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe",
"HASH": "8bbdead7357af7bf0efe397f9fd7e0ec578755eb8bdbaa65ae4f28ef00087ad5",
"MEMORY_USAGE": 14049280,
"PARENT_ATOM": "1119881e297798c20354762169b1968c",
"PARENT_PROCESS_ID": 676,
"PROCESS_ID": 14996,
"THIS_ATOM": "515448fa5368f6aee169af6269c1b77a",
"THREADS": 13,
"TIMESTAMP": 1774303097403,
"USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"
},
"TARGET": {
"BASE_ADDRESS": 140702525030400,
"COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
"CREATION_TIME": 1773245868875,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
"HASH": "055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115",
"MEMORY_USAGE": 19705856,
"PARENT_ATOM": "58b1f2a11a942a48999a6fbd69b1964c",
"PARENT_PROCESS_ID": 840,
"PROCESS_ID": 980,
"THIS_ATOM": "b2fe617fb2365f162bc5846069b1964d",
"THREADS": 16,
"TIMESTAMP": 1773246029212,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "32152f0f-a21e-470b-af07-18133cfe39be",
"event_time": 1774468224929,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 1065,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "515448fa5368f6aee169af6269c1b77a",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"target": "b2fe617fb2365f162bc5846069b1964d",
"this": "f132ac84331fd984eed79cea69c43c80"
}
}
]
},
"routing": {
"arch": 2,
"did": "",
"event_id": "bf5ea938-b010-473a-9283-97b996c6b362",
"event_time": 1774468224944,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 1050,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "515448fa5368f6aee169af6269c1b77a",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"target": "b2fe617fb2365f162bc5846069b1964d",
"this": "d6f9db05fcf51a319bac283a69c43c80"
}
},
"detect_id": "bda5ff79-647f-4013-886d-11b169c43c81",
"gen_time": 1774468225994,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468224\u0026selected=d6f9db05fcf51a319bac283a69c43c80",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "bf5ea938-b010-473a-9283-97b996c6b362",
"event_time": 1774468224944,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 1050,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "515448fa5368f6aee169af6269c1b77a",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"target": "b2fe617fb2365f162bc5846069b1964d",
"this": "d6f9db05fcf51a319bac283a69c43c80"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "general.Sensitive Process Accessed",
"ts": 1774468227000
}
Threat Intel JSON
{
"virustotal": [
{
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
},
{
"malicious": false,
"provider": "virustotal",
"reputation": -10,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 1,
"type-unsupported": 4,
"undetected": 71
}
},
{
"malicious": false,
"provider": "virustotal",
"reputation": 10,
"stats": {
"confirmed-timeout": 0,
"failure": 1,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 71
}
}
]
}
Triage JSON
{
"confidence": 0.933,
"false_positive_reason": "Legitimate software installer behavior (msiexec.exe custom action) triggering on LSASS access during installation.",
"investigation_questions": [
"Is there a known QuickBooks update or installation scheduled for this host?",
"Does the \u0027Cas.SecureStorage.CustomActions\u0027 belong to a known legitimate vendor used in the environment?"
],
"ioc_analysis": "The hash of msiexec.exe (d53e90af814f61e09bff87a883a3b0dcb7dcf883f17a2425a62a2d4b5a9407fb) and lsass.exe (055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115) are both clean and correspond to legitimate Microsoft system binaries. The custom action MSIB4EC.tmp invoking Cas.SecureStorage.CustomActions is typical for installers and does not indicate malicious intent.",
"iocs_extracted": [
"d53e90af814f61e09bff87a883a3b0dcb7dcf883f17a2425a62a2d4b5a9407fb",
"055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115",
"C:\\WINDOWS\\system32\\msiexec.exe",
"C:\\WINDOWS\\system32\\lsass.exe"
],
"mitre_techniques": [
"T1003.001"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Mark this detection as a False Positive in LimaCharlie.",
"Consider tuning the \u0027general.Sensitive Process Accessed\u0027 rule to exclude signed msiexec.exe processes in this environment if this behavior is frequent."
],
"risk_score": 10,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection of msiexec.exe accessing lsass.exe with PROCESS_ALL_ACCESS occurred during a legitimate software installation process, likely QuickBooks, as indicated by the sensor tags and the execution of the \u0027Cas.SecureStorage.CustomActions\u0027 custom action. The msiexec.exe and lsass.exe binaries are both signed Microsoft system files located in their expected directories, and no other suspicious activity was found on the sensor.\n\n**IOC Analysis:** The hash of msiexec.exe (d53e90af814f61e09bff87a883a3b0dcb7dcf883f17a2425a62a2d4b5a9407fb) and lsass.exe (055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115) are both clean and correspond to legitimate Microsoft system binaries. The custom action MSIB4EC.tmp invoking Cas.SecureStorage.CustomActions is typical for installers and does not indicate malicious intent.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection of lsass.exe access is a false positive because the process is Microsoft-signed and running from its expected location in System32 under SYSTEM privileges. Investigation confirms this activity occurred during legitimate software installation or update operations involving msiexec.exe.\n\n**IOC Analysis:** lsass.exe is a known Windows system binary located at C:\\WINDOWS\\System32\\ with a valid Microsoft signature (FILE_IS_SIGNED: 1). The process was spawned by wininit.exe, a legitimate Windows initialization process. No suspicious behavior or unsigned binaries were detected in the process tree.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection event involves a legitimate system process accessing lsass.exe, which is a core Windows binary. The context indicates this is part of a common false positive scenario during software updates or system maintenance, with no malicious indicators present.\n\n**IOC Analysis:** The FILE_PATH \u0027C:\\WINDOWS\\system32\\lsass.exe\u0027 is a known Windows system binary located in a trusted directory, and it is signed, indicating legitimacy. The parent process \u0027C:\\Windows\\System32\\wininit.exe\u0027 is also a known system binary running from its expected location. The event is consistent with benign system activity, such as software installation or maintenance, as confirmed by investigation results.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 90% confidence)",
"qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
"deepseek-r1:8b +RAG: false_positive (informational, 95% confidence)"
],
"votes": [
{
"confidence": 0.9,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 50 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 50 events found |
Notes (10)
FusionSOC AI · 2026-03-25T23:03
FusionSOC AI · 2026-03-25T23:03
FusionSOC AI · 2026-03-25T23:03
FusionSOC AI · 2026-03-25T21:55
FusionSOC AI · 2026-03-25T21:55
FusionSOC AI · 2026-03-25T21:50
FusionSOC AI · 2026-03-25T21:50
FusionSOC AI · 2026-03-25T21:50
FusionSOC AI · 2026-03-25T21:50
FusionSOC AI · 2026-03-25T21:50
Timeline
2026-03-26T14:34:17 · analyst · Status changed: investigating → closed
2026-03-26T14:34:09 · analyst · Analyst classified as False Positive (FP)
2026-03-25T23:03:55 · FusionSOC AI · Note by FusionSOC AI: ## Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 → FALSE POSITIVE) - gemini-cli: false_positive (low, 90% c...
2026-03-25T23:03:37 · FusionSOC AI · Status changed: investigating → investigating
2026-03-25T23:03:37 · FusionSOC · Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-25T23:03:37 · FusionSOC AI · Note by FusionSOC AI: ## Process Tree Investigation **Action:** Consider tuning the 'general.Sensitive Process Accessed' rule to exclude sig...
2026-03-25T23:03:35 · FusionSOC · Response action queued: recommended on Consider tuning the 'general.Sensitive Process Accessed' rule to exclude signed msiexec.exe processes in this environment if this behavior is frequent.
2026-03-25T23:03:35 · FusionSOC AI · Status changed: investigating → investigating
2026-03-25T23:03:35 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T23:03:35 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Mark this detection as a False Positive in LimaCharlie. **Sensor:** `ed8f7c3f-3a...
2026-03-25T23:03:35 · FusionSOC · Response action queued: recommended on Mark this detection as a False Positive in LimaCharlie.
2026-03-25T23:03:35 · FusionSOC · Action tag → executed: Tag applied
2026-03-25T23:03:34 · FusionSOC · Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:55:36 · FusionSOC AI · Note by FusionSOC AI: ## Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T21:55:17 · FusionSOC AI · Status changed: investigating → investigating
2026-03-25T21:55:17 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T21:55:17 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T21:55:17 · FusionSOC · Response action queued: recommended on Manual review required
2026-03-25T21:55:17 · FusionSOC · Action tag → executed: Tag applied
2026-03-25T21:55:17 · FusionSOC · Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:50:29 · FusionSOC AI · Note by FusionSOC AI: ## Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 → FALSE POSITIVE) - gemini-cli: false_positive (low, 95% c...
2026-03-25T21:50:14 · FusionSOC AI · Status changed: investigating → investigating
2026-03-25T21:50:14 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T21:50:14 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Tune the detection rule to exclude msiexec.exe when it is signed by Microsoft an...
2026-03-25T21:50:14 · FusionSOC · Response action queued: recommended on Tune the detection rule to exclude msiexec.exe when it is signed by Microsoft and running as SYSTEM.
2026-03-25T21:50:14 · FusionSOC AI · Status changed: investigating → investigating
2026-03-25T21:50:14 · FusionSOC · Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-25T21:50:14 · FusionSOC AI · Note by FusionSOC AI: ## Process Tree Investigation **Action:** Monitor for similar access from unsigned or atypical processes. **Sensor:** ...
2026-03-25T21:50:12 · FusionSOC · Response action queued: recommended on Monitor for similar access from unsigned or atypical processes.
2026-03-25T21:50:12 · FusionSOC AI · Status changed: open → investigating
2026-03-25T21:50:12 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T21:50:12 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Close this case as a false positive. **Sensor:** `ed8f7c3f-3a1a-49...` **Time Wi...
2026-03-25T21:50:12 · FusionSOC · Response action queued: recommended on Close this case as a false positive.
2026-03-25T21:50:12 · FusionSOC · Action tag → executed: Tag applied
2026-03-25T21:50:12 · FusionSOC · Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:50:12 · FusionSOC AI · Detection bda5ff79-647f-4013-886d-11b169c43c81 triaged as false_positive (low severity, confidence: 95%)
2026-03-25T21:50:12 · FusionSOC AI · Case created from detection: general.Sensitive Process Accessed