Suspicious PowerShell Execution

High Investigating

ALR-00063 · 2026-05-24T14:39:26Z

Description

Encoded PowerShell command executed on SRV-DC-01 by user 'n.clark'. Command attempts to download and execute remote payload. Flagged by EmilyAI Triage.

Alert Metadata

Alert ID: ALR-00063
Timestamp: 2026-05-24T14:39:26Z
Severity: High
Status: Investigating
Detection Source: EmilyAI Triage
Assigned Analyst: Marcus Webb

Endpoint Information

Hostname: SRV-DC-01
User Account: n.clark
Source IP: 91.219.195.52
Destination IP: 10.2.238.154
Origin Country: CN China

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

14:39:26 Event ingested by SOC365 Engine

14:39:30 EmilyAI triage started — correlation enrichment

14:39:37 EmilyAI confidence: 91% — escalated to human analyst

14:39:54 Alert assigned to analyst: Marcus Webb

14:41:27 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00244	1h ago	Suspicious PowerShell Execution	Medium	Investigating	SRV-FILE-01
ALR-00167	3h ago	Suspicious PowerShell Execution	Medium	Open	AP-WIFI-03
ALR-00335	7h ago	Malware Signature Match	Low	False Positive	SRV-DC-01
ALR-00219	8h ago	Lateral Movement Detected	Informational	False Positive	SRV-DC-01
ALR-00440	10h ago	Unauthorised USB Device	Informational	Resolved	SRV-DC-01