Suspicious PowerShell Execution

Medium Investigating

ALR-00085 · 2026-04-07T11:28:53Z

Description

Encoded PowerShell command executed on WS-MAC-005 by user 'm.taylor'. Command attempts to download and execute remote payload. Flagged by Network IDS.

Alert Metadata

Alert ID: ALR-00085
Timestamp: 2026-04-07T11:28:53Z
Severity: Medium
Status: Investigating
Detection Source: Network IDS
Assigned Analyst: James Okonkwo

Endpoint Information

Hostname: WS-MAC-005
User Account: m.taylor
Source IP: 194.33.62.7
Destination IP: 10.2.90.131
Origin Country: CN China

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

11:28:53 Event ingested by SOC365 Engine

11:28:57 EmilyAI triage started — correlation enrichment

11:29:00 EmilyAI confidence: 96% — escalated to human analyst

11:29:37 Alert assigned to analyst: James Okonkwo

11:30:06 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00206	8h ago	DLP Policy Violation	Low	Resolved	WS-MAC-005
ALR-00343	12h ago	Rogue DHCP Server	Informational	Escalated	WS-MAC-005
ALR-00401	17h ago	Data Exfiltration Attempt	Low	Investigating	WS-MAC-005
ALR-00007	1d ago	Tor Exit Node Connection	Low	Escalated	WS-MAC-005
ALR-00163	1d ago	Suspicious PowerShell Execution	Medium	Resolved	WS-MAC-005