Case #569
general.NEW FILE WRITE BYTES SAMPLE GRAB
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
New Code Atypical Path
low
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 94% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpDlpService.exe
HASH:
fff53cd4c0845462cb39c5dfd66172138022e4b9a7fe1aa9b87698f319290335
PROCESS_ID:
17988
IOCs:
fff53cd4c0845462cb39c5dfd66172138022e4b9a7fe1aa9b87698f319290335
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpDlpService.exe
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpDlpService.exe",
"HASH": "fff53cd4c0845462cb39c5dfd66172138022e4b9a7fe1aa9b87698f319290335",
"PROCESS_ID": 17988
},
"routing": {
"arch": 2,
"did": "",
"event_id": "180c64c0-8075-46a3-84c1-c5271c243654",
"event_time": 1774468113221,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 6919,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "af88a7caafde4423ae3561eb69c43c17"
}
},
"detect_id": "2179cca5-3dac-4712-bb6b-7d2269c43c18",
"gen_time": 1774468120140,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468113\u0026selected=af88a7caafde4423ae3561eb69c43c17",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "180c64c0-8075-46a3-84c1-c5271c243654",
"event_time": 1774468113221,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 6919,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "af88a7caafde4423ae3561eb69c43c17"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1774468120000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 4,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 18,
"type-unsupported": 4,
"undetected": 50
}
}
}
Triage JSON
{
"confidence": 0.943,
"false_positive_reason": "legitimate_system_activity",
"investigation_questions": [
"Confirm if a Windows Defender update was scheduled or performed at the time of detection."
],
"ioc_analysis": "MpDlpService.exe is a known-good Microsoft binary. The hash fff53cd4c0845462cb39c5dfd66172138022e4b9a7fe1aa9b87698f319290335 is associated with legitimate Microsoft software and has been consistently enriched as non-malicious. The file path is typical for temporary update extraction.",
"iocs_extracted": [
"fff53cd4c0845462cb39c5dfd66172138022e4b9a7fe1aa9b87698f319290335",
"C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpDlpService.exe"
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Whitelist known Microsoft components in the \u0027NEW FILE WRITE BYTES SAMPLE GRAB\u0027 rule to reduce noise.",
"Verify the digital signature of the file if additional assurance is needed."
],
"risk_score": 8,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nThe detection is a false positive involving the legitimate Microsoft Windows Defender Data Loss Prevention Service (MpDlpService.exe) being written to a temporary directory. This is standard behavior during Windows Defender update or installation processes where components are extracted to GUID-named subdirectories within C:\\Windows\\Temp.\n\n**IOC Analysis:** MpDlpService.exe is a known-good Microsoft binary. The hash fff53cd4c0845462cb39c5dfd66172138022e4b9a7fe1aa9b87698f319290335 is associated with legitimate Microsoft software and has been consistently enriched as non-malicious. The file path is typical for temporary update extraction.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection is a false positive involving the legitimate Microsoft Windows Defender Data Loss Prevention Service (MpDlpService.exe) being written to a temporary directory during standard update or installation processes.\n\n**IOC Analysis:** The process path C:\\Windows\\Temp\\...\\MpDlpService.exe matches known Windows Defender behavior where components are extracted to GUID-named subdirectories within Temp. The hash and process name correspond to legitimate Microsoft-signed binaries, and the investigation confirmed no suspicious file activity or malicious command-line arguments.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event is a false positive triggered by the legitimate Windows Defender Data Loss Prevention Service (MpDlpService.exe) being extracted to the temporary directory during a system update. This is standard behavior and not malicious.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpDlpService.exe, which is part of Windows Defender\u0027s update process. The hash matches a known legitimate Microsoft binary. According to investigation results, this is benign as it is standard for temporary file extraction during updates.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 98% confidence)",
"qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
"deepseek-r1:8b +RAG: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.98,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"had_rag": true,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | File Activity Investigation: 0 events found |
| recommended | | executed | File Activity Investigation: 0 events found |
Notes (4)
FusionSOC AI
2026-03-25T22:19
FusionSOC AI
2026-03-25T22:19
FusionSOC AI
2026-03-25T22:19
FusionSOC AI
2026-03-25T22:19
Timeline
2026-03-26T14:34:17
analyst
Status changed: investigating → closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T22:19:35
FusionSOC AI
Note by FusionSOC AI: ## Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 → FALSE POSITIVE) - gemini-cli: false_positive (low, 98% c...
2026-03-25T22:19:19
FusionSOC AI
Status changed: investigating → investigating
2026-03-25T22:19:19
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-25T22:19:19
FusionSOC AI
Note by FusionSOC AI: ## File Activity Investigation **Action:** Verify the digital signature of the file if additional assurance is needed....
2026-03-25T22:19:19
FusionSOC
Response action queued: recommended on Verify the digital signature of the file if additional assurance is needed.
2026-03-25T22:19:19
FusionSOC AI
Status changed: open → investigating
2026-03-25T22:19:19
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-25T22:19:19
FusionSOC AI
Note by FusionSOC AI: ## File Activity Investigation **Action:** Whitelist known Microsoft components in the 'NEW FILE WRITE BYTES SAMPLE GR...
2026-03-25T22:19:16
FusionSOC
Response action queued: recommended on Whitelist known Microsoft components in the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to reduce noise.
2026-03-25T22:19:16
FusionSOC
Action tag → executed: Tag applied
2026-03-25T22:19:16
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:19:16
FusionSOC AI
Detection 2179cca5-3dac-4712-bb6b-7d2269c43c18 triaged as false_positive (low severity, confidence: 98%)
2026-03-25T22:19:16
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB