Suspicious PowerShell Execution

Informational Resolved

ALR-00025 · 2026-04-06T11:40:41Z

Description

Encoded PowerShell command executed on WS-LAP-010 by user 'e.evans'. Command attempts to download and execute remote payload. Flagged by Email Gateway.

Alert Metadata

Alert ID: ALR-00025
Timestamp: 2026-04-06T11:40:41Z
Severity: Informational
Status: Resolved
Detection Source: Email Gateway
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: WS-LAP-010
User Account: e.evans
Source IP: 194.16.62.9
Destination IP: 10.3.34.140
Origin Country: GB United Kingdom

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

11:40:41 Event ingested by SOC365 Engine

11:40:44 EmilyAI triage started — correlation enrichment

11:40:50 EmilyAI confidence: 78% — escalated to human analyst

11:40:56 Alert assigned to analyst: EmilyAI (auto)

11:43:27 Investigation started — querying SIEM and threat intelligence

11:46:20 Containment action taken — endpoint isolated

11:54:40 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00009	1h ago	Anomalous DNS Query	Medium	Investigating	WS-LAP-010
ALR-00093	7h ago	Data Exfiltration Attempt	Informational	Open	WS-LAP-010
ALR-00448	17h ago	Suspicious PowerShell Execution	Medium	Open	VM-DEV-01
ALR-00453	18h ago	DLP Policy Violation	Low	False Positive	WS-LAP-010
ALR-00455	18h ago	Brute Force SSH	Medium	Open	WS-LAP-010