Suspicious PowerShell Execution

Informational Resolved

ALR-00108 · 2026-05-21T16:08:50Z

Description

Encoded PowerShell command executed on SRV-APP-01 by user 'j.smith'. Command attempts to download and execute remote payload. Flagged by SOC365 Engine.

Alert Metadata

Alert ID: ALR-00108
Timestamp: 2026-05-21T16:08:50Z
Severity: Informational
Status: Resolved
Detection Source: SOC365 Engine
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: SRV-APP-01
User Account: j.smith
Source IP: 103.160.216.162
Destination IP: 10.3.145.92
Origin Country: RO Romania

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

16:08:50 Event ingested by SOC365 Engine

16:08:52 EmilyAI triage started — correlation enrichment

16:08:57 EmilyAI confidence: 97% — escalated to human analyst

16:09:34 Alert assigned to analyst: EmilyAI (auto)

16:10:45 Investigation started — querying SIEM and threat intelligence

16:18:10 Containment action taken — endpoint isolated

16:27:58 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00152	1h ago	Suspicious PowerShell Execution	Low	Investigating	WS-LAP-011
ALR-00056	4h ago	Tor Exit Node Connection	Informational	Open	SRV-APP-01
ALR-00037	8h ago	Tor Exit Node Connection	Medium	Investigating	SRV-APP-01
ALR-00485	8h ago	Suspicious PowerShell Execution	Low	Open	WS-PC-003
ALR-00364	9h ago	Suspicious PowerShell Execution	Low	Escalated	WS-PC-006