Interactive Demo — Simulated data only.
SOC365 Dashboard
Tenant: Acme Legal Services Ltd

Suspicious PowerShell Execution

Medium Open
ALR-00205 · 2026-05-25T18:31:06Z

Description

Encoded PowerShell command executed on WS-PC-006 by user 'c.williams'. Command attempts to download and execute remote payload. Flagged by Cloud Connector.

Alert Metadata

Alert ID: ALR-00205
Timestamp: 2026-05-25T18:31:06Z
Severity: Medium
Status: Open
Detection Source: Cloud Connector
Assigned Analyst: Emma Richardson

Endpoint Information

Hostname: WS-PC-006
User Account: c.williams
Source IP: 45.28.148.234
Destination IP: 10.3.199.232
Origin Country: NL Netherlands

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

18:31:06 Event ingested by SOC365 Engine
18:31:10 EmilyAI triage started — correlation enrichment
18:31:12 EmilyAI confidence: 79% — escalated to human analyst
18:31:28 Alert assigned to analyst: Emma Richardson
18:34:05 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID        | Time    | Alert                          | Severity      | Status        | Host
ALR-00339 | 38m ago | Suspicious PowerShell Execution | Low           | Investigating | WS-PC-001
ALR-00157 | 9h ago  | Suspicious PowerShell Execution | Informational | Escalated     | VM-DEV-01
ALR-00038 | 11h ago | Suspicious PowerShell Execution | Low           | Escalated     | SRV-DC-01
ALR-00077 | 13h ago | Certificate Anomaly             | Low           | Resolved      | WS-PC-006
ALR-00233 | 14h ago | Suspicious PowerShell Execution | High          | Open          | WS-LAP-011