Severity: high · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 62% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\DlpUserAgent.exe
HASH:
bd0207d59c13bca939d1e9b79eedadcdd0eebd52c78bd6f659e3ede52d44ccc3
PROCESS_ID:
17988
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\DlpUserAgent.exe",
      "HASH": "bd0207d59c13bca939d1e9b79eedadcdd0eebd52c78bd6f659e3ede52d44ccc3",
      "PROCESS_ID": 17988
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "190e794a-f14e-44d0-a47c-dda84caf8778",
      "event_time": 1774468112236,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 2844,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "9727bc761f07cc5e5c90b93a69c43c07",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows",
        "yara_detection_memory"
      ],
      "this": "ccfee5e1dea71267f9542c7469c43c12"
    }
  },
  "detect_id": "f6c41f33-9c2a-43df-918f-839f69c43c13",
  "gen_time": 1774468115080,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468112\u0026selected=ccfee5e1dea71267f9542c7469c43c12",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "190e794a-f14e-44d0-a47c-dda84caf8778",
    "event_time": 1774468112236,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 2844,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "9727bc761f07cc5e5c90b93a69c43c07",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows",
      "yara_detection_memory"
    ],
    "this": "ccfee5e1dea71267f9542c7469c43c12"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774468115000
}
🌐 Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 4,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 18,
      "type-unsupported": 4,
      "undetected": 50
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.617,
  "false_positive_reason": null,
  "investigation_questions": [],
  "ioc_analysis": "",
  "iocs_extracted": [],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Manual review required"
  ],
  "risk_score": 27,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged a new file write in the Windows Temp directory, but investigation reveals it is part of Microsoft Defender SmartScreen signature stub execution, which is a legitimate Windows security component.\n\n**IOC Analysis:** The process DlpUserAgent.exe spawned MpSigStub.exe running under SYSTEM context. This pattern matches known Microsoft Defender behavior for validating application signatures. The file location in Temp is standard for temporary execution artifacts, and the investigation found no suspicious activity or malicious indicators.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a file write in the Windows Temp directory, but investigation confirmed no malicious activity. The child process MpSigStub.exe is legitimate, and the file path and hash do not indicate known threats.\n\n**IOC Analysis:** The FILE_PATH is in C:\\Windows\\Temp, which can be legitimate for temporary files. The hash is not verified against known malware databases, but the presence of a legitimate child process (MpSigStub.exe) and no suspicious activity in the investigation window suggest benign behavior. IOC validation rules indicate that processes like MpSigStub.exe are typically legitimate.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (medium, 0% confidence)",
      "qwen3.5:4b +RAG: false_positive (low, 95% confidence)",
      "deepseek-r1:8b +RAG: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "had_rag": true,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

⚙️ Response Actions

Action      | Target                                                    | Status   | Result
tag         | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | Manual review required                                    | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

๐Ÿ’ฌ Notes (3)

🤖 FusionSOC AI 2026-03-25T22:34
🤖 FusionSOC AI 2026-03-25T22:34
🤖 FusionSOC AI 2026-03-25T22:34

📜 Timeline

2026-03-26T14:34:17
analyst
Status changed: investigating → closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T23:59:50
analyst
Analyst classified as False Positive (FP)
2026-03-25T22:34:52
FusionSOC AI
Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T22:34:35
FusionSOC AI
Status changed: open → investigating
2026-03-25T22:34:35
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:34:35
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T22:34:34
FusionSOC
Response action queued: recommended on Manual review required
2026-03-25T22:34:34
FusionSOC
Action tag → executed: Tag applied
2026-03-25T22:34:34
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:34:34
FusionSOC AI
Detection f6c41f33-9c2a-43df-918f-839f69c43c13 triaged as true_positive (medium severity, confidence: 0%)
2026-03-25T22:34:34
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB