Case #567
general.NEW FILE WRITE BYTES SAMPLE GRAB
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
New Code Atypical Path
high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 60% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\NisSrv.exe
HASH:
28825cafbd9b10716201dcc272e986309f130bee4759dd11aa3812448ab0907f
PROCESS_ID:
17988
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\NisSrv.exe",
"HASH": "28825cafbd9b10716201dcc272e986309f130bee4759dd11aa3812448ab0907f",
"PROCESS_ID": 17988
},
"routing": {
"arch": 2,
"did": "",
"event_id": "eb609401-c258-4958-8b08-b7d0111b9ee8",
"event_time": 1774468114876,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 6216,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "9c74dc570dbd4713e9159e1669c43c18"
}
},
"detect_id": "5d509cad-6388-4b93-bb8a-55ea69c43c19",
"gen_time": 1774468121092,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468114\u0026selected=9c74dc570dbd4713e9159e1669c43c18",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "eb609401-c258-4958-8b08-b7d0111b9ee8",
"event_time": 1774468114876,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 6216,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "9c74dc570dbd4713e9159e1669c43c18"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1774468121000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 2,
"type-unsupported": 4,
"undetected": 70
}
}
}
Triage JSON
{
"confidence": 0.6,
"false_positive_reason": null,
"investigation_questions": [],
"ioc_analysis": "",
"iocs_extracted": [],
"mitre_techniques": [],
"recommended_actions": [
"Manual analyst review required \u2014 AI models (majority)",
"Manual review required"
],
"risk_score": 28,
"severity": "high",
"summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged a new file write for NisSrv.exe in the Windows Temp directory, but investigation confirms this is part of legitimate Microsoft Defender Antivirus activity. The process tree shows MpSigStub.exe running under SYSTEM context, which is consistent with normal antivirus scanning behavior.\n\n**IOC Analysis:** NisSrv.exe is a known Microsoft Defender component used for signature updates and scanning. The file location in Windows Temp is typical for temporary extraction of files during scanning operations. The investigation found no suspicious activity and confirmed the process tree matches expected Defender behavior with MpSigStub.exe.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.85\nThe detection flagged a file write in the Windows Temp directory, which is common for legitimate processes but can be exploited. However, the process spawned a benign MpSigStub.exe, and no suspicious activity was found in the investigation window. Historical feedback confirms frequent false positives for this rule.\n\n**IOC Analysis:** FILE_PATH is in C:\\Windows\\Temp, which is not a standard system directory and can be legitimate. HASH is unknown and not verified against known malware databases. The process spawned MpSigStub.exe, a legitimate Microsoft-signed binary, indicating benign activity.",
"verdict": "false_positive",
"voting": {
"auto_action": "manual_review",
"mode": "majority",
"total_models": 3,
"vote_summary": [
"gemini-cli: true_positive (medium, 0% confidence)",
"qwen3.5:4b +RAG: false_positive (low, 95% confidence)",
"deepseek-r1:8b +RAG: false_positive (low, 85% confidence)"
],
"votes": [
{
"confidence": 0.0,
"model": "gemini-cli",
"verdict": "true_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.85,
"had_rag": true,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied |
| recommended | Manual review required | executed | General Activity Sweep: 0 events found |
Notes (3)
FusionSOC AI
2026-03-25T22:11
FusionSOC AI
2026-03-25T22:11
FusionSOC AI
2026-03-25T22:11
Timeline
2026-03-26T14:34:17
analyst
Status changed: investigating → closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T22:11:19
FusionSOC AI
Note by FusionSOC AI: ## Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T22:11:01
FusionSOC AI
Status changed: open → investigating
2026-03-25T22:11:01
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:11:01
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T22:11:00
FusionSOC
Response action queued: recommended on Manual review required
2026-03-25T22:11:00
FusionSOC
Action tag → executed: Tag applied
2026-03-25T22:11:00
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:11:00
FusionSOC AI
Detection 5d509cad-6388-4b93-bb8a-55ea69c43c19 triaged as true_positive (medium severity, confidence: 0%)
2026-03-25T22:11:00
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB