Welcome!
LetsDefend is a Blue Team Training platform.
This writeup is for an alert on the LetsDefend simulated SOC.
The Alert:
Alright! A proxy alert, and the request was allowed. List of actions:
Copy the event details over to my notes.
I’ll create the case.
Enter the request URL into VirusTotal.
Enter the destination Hostname into VirusTotal.
Enter the destination IP into VirusTotal.
VirusTotal:
All green, and the domain is quite old. Hmm, I’ll do a quick Google search.
Google:
First non-advertisement result for WinRAR is indeed that domain. This is likely a false positive.
Playbook:
Let’s follow the SOC’s Playbook.
Yep, have it in the notes:
Source Address: 172.16.17.5
Destination Address: 51.195.68.163
User-Agent: Chrome - Windows
Log Management:
Alright, let’s move over to that tab and look up logs associated with:
The Source: 172.16.17.5
The Destination: 51.195.68.163
Looking at traffic going out to the website, there is only this one log, the one that triggered the alert.
From the endpoint (filtering based on the alert event time), we get the same log. We can go back to the Case Management tab and continue with the playbook.
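As an added example (not code from the LetsDefend platform or this writeup), here is how that log-management step could be scripted over constructed proxy log lines: filter for the alert's source and destination within a window around the alert time, then count what comes back so the analyst can see whether the alert stands alone. The log format, the timestamps and the hostname placeholder are assumptions made for the example.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample log lines (not from the writeup): the timestamps, the
# key=value layout and the hostname placeholder are assumptions made here.
SAMPLE_LOGS = """\
2024-03-01T10:12:03Z src=172.16.17.5 dst=51.195.68.163 host=winrar-domain.example action=allowed ua="Chrome - Windows"
2024-03-01T10:12:10Z src=172.16.17.5 dst=192.0.2.10 host=search.example action=allowed ua="Chrome - Windows"
2024-03-01T09:40:00Z src=172.16.17.22 dst=51.195.68.163 host=winrar-domain.example action=allowed ua="Firefox - Windows"
2024-03-01T11:55:41Z src=172.16.17.5 dst=51.195.68.163 host=winrar-domain.example action=blocked ua="curl/7.88"
"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def parse_log_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict; shlex keeps quoted values whole."""
    ts, rest = line.split(" ", 1)
    event = {"ts": parse_ts(ts)}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        event[key] = value
    return event

def related_events(logs, src, dst, alert_ts, window_minutes=30):
    """Playbook step: every event involving the alert's source or destination
    within +/- window_minutes of the alert time."""
    centre = parse_ts(alert_ts)
    lo, hi = centre - timedelta(minutes=window_minutes), centre + timedelta(minutes=window_minutes)
    events = (parse_log_line(l) for l in logs.strip().splitlines())
    return [e for e in events if lo <= e["ts"] <= hi and (e["src"] == src or e["dst"] == dst)]

def summarize(events, src, dst):
    """Counts an analyst reads before closing: a single src->dst hit and no
    blocked or unexpected traffic supports the false-positive call."""
    return {
        "src_to_dst": sum(1 for e in events if e["src"] == src and e["dst"] == dst),
        "other_from_src": sum(1 for e in events if e["src"] == src and e["dst"] != dst),
        "other_to_dst": sum(1 for e in events if e["dst"] == dst and e["src"] != src),
        "blocked": sum(1 for e in events if e["action"] == "blocked"),
    }

if __name__ == "__main__":
    hits = related_events(SAMPLE_LOGS, "172.16.17.5", "51.195.68.163", "2024-03-01T10:12:03Z")
    for e in hits:
        print(e["ts"].isoformat(), e["src"], "->", e["dst"], e["host"], e["action"], e["ua"])
    print(summarize(hits, "172.16.17.5", "51.195.68.163"))
```

Widening the window is how you would check whether the same host reached the destination again later (the blocked curl line in the sample only shows up at 120 minutes).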
Playbook (continued):
We looked at this at the beginning; it’s not a malicious domain.
We have the URL the system alerted on, so let’s attach it and note that it’s benign and what it’s related to.
Time to write a note:
Checked the reputation of URL, domain, and IP on VirusTotal and Google.
False Positive - WinRAR
Clean Up:
I put the same note I put before:
Checked the reputation of URL, domain, and IP on VirusTotal and Google.
False Positive - WinRAR
Results:
Hope this helps!