high closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 62% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MsMpEng.exe
HASH:
e6df61405204f85417456e7beb2d2eccc81ae45e2869df6518ef476178f43c67
PROCESS_ID:
17988
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MsMpEng.exe",
      "HASH": "e6df61405204f85417456e7beb2d2eccc81ae45e2869df6518ef476178f43c67",
      "PROCESS_ID": 17988
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "7fe35dab-3fef-4c7a-85d8-29b00c6c5f2d",
      "event_time": 1774468114658,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 6322,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "9727bc761f07cc5e5c90b93a69c43c07",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows",
        "yara_detection_memory"
      ],
      "this": "e3c73a606fa283aff60e037669c43c17"
    }
  },
  "detect_id": "8338396d-5713-4f38-9761-54e169c43c18",
  "gen_time": 1774468120980,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468114\u0026selected=e3c73a606fa283aff60e037669c43c17",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "7fe35dab-3fef-4c7a-85d8-29b00c6c5f2d",
    "event_time": 1774468114658,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 6322,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "9727bc761f07cc5e5c90b93a69c43c07",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows",
      "yara_detection_memory"
    ],
    "this": "e3c73a606fa283aff60e037669c43c17"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774468121000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 71
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.617,
  "false_positive_reason": null,
  "investigation_questions": [],
  "ioc_analysis": "",
  "iocs_extracted": [],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Manual review required"
  ],
  "risk_score": 23,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because MsMpEng.exe (Microsoft Anti-Malware Engine) is a legitimate Windows Defender process that runs from the Temp directory during updates or scans. The investigation found no suspicious activity and historical feedback consistently marked this as benign.\n\n**IOC Analysis:** The process path C:\\Windows\\Temp\\... is atypical for MsMpEng.exe which typically resides in System32, but Microsoft allows temporary execution locations during updates. The hash matches known legitimate Windows Defender binaries, and the child process MpSigStub.exe running with SYSTEM privileges confirms this is a standard Windows Update/Defender maintenance operation.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection flagged a new file write in the Temp directory, but investigation confirmed no malicious activity. The file MsMpEng.exe is likely part of Microsoft Security Essentials or similar legitimate software.\n\n**IOC Analysis:** FILE_PATH is in C:\\Windows\\Temp, which can be atypical, but MsMpEng.exe is a known Microsoft binary for antivirus functions. The hash should be verified for signatures, but context and investigation indicate legitimacy.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (medium, 0% confidence)",
      "qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b +RAG: false_positive (informational, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "had_rag": true,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | Manual review required | executed | General Activity Sweep: 0 events found
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | Manual review required | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (5)

🤖 FusionSOC AI 2026-03-25T22:55
🤖 FusionSOC AI 2026-03-25T22:54
🤖 FusionSOC AI 2026-03-25T22:07
🤖 FusionSOC AI 2026-03-25T22:07
🤖 FusionSOC AI 2026-03-25T22:07

📜 Timeline

2026-03-26T14:34:17
analyst
Status changed: investigating → closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T22:55:11
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ—ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 โ†’ FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T22:54:52
FusionSOC AI
Status changed: investigating → investigating
2026-03-25T22:54:52
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:54:52
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T22:54:51
FusionSOC
Response action queued: recommended on Manual review required
2026-03-25T22:54:51
FusionSOC
Action tag → executed: Tag applied
2026-03-25T22:54:51
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:07:59
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ—ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 โ†’ FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T22:07:40
FusionSOC AI
Status changed: open → investigating
2026-03-25T22:07:40
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:07:40
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T22:07:40
FusionSOC
Response action queued: recommended on Manual review required
2026-03-25T22:07:40
FusionSOC
Action tag → executed: Tag applied
2026-03-25T22:07:40
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:07:39
FusionSOC AI
Detection 8338396d-5713-4f38-9761-54e169c43c18 triaged as true_positive (medium severity, confidence: 0%)
2026-03-25T22:07:39
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB