Suspicious PowerShell Execution

High Escalated

ALR-00220 · 2026-05-24T15:44:41Z

Description

Encoded PowerShell command executed on SRV-MAIL-01 by user 'd.walker'. Command attempts to download and execute remote payload. Flagged by Attack Surface Scanner.

Alert Metadata

Alert ID: ALR-00220
Timestamp: 2026-05-24T15:44:41Z
Severity: High
Status: Escalated
Detection Source: Attack Surface Scanner
Assigned Analyst: Sarah Chen

Endpoint Information

Hostname: SRV-MAIL-01
User Account: d.walker
Source IP: 45.16.148.150
Destination IP: 10.0.71.226
Origin Country: GB United Kingdom

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

15:44:41 Event ingested by SOC365 Engine

15:44:45 EmilyAI triage started — correlation enrichment

15:44:47 EmilyAI confidence: 82% — escalated to human analyst

15:45:12 Alert assigned to analyst: Sarah Chen

15:47:27 Investigation started — querying SIEM and threat intelligence

15:53:23 Containment action taken — endpoint isolated

15:59:43 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00245	1h ago	Phishing Email Blocked	Low	Resolved	SRV-MAIL-01
ALR-00004	21h ago	Suspicious PowerShell Execution	Medium	Resolved	WS-LAP-010
ALR-00064	1d ago	Ransomware Behaviour Detected	Low	Open	SRV-MAIL-01
ALR-00240	1d ago	C2 Beacon Activity	Low	Investigating	SRV-MAIL-01
ALR-00095	1d ago	Brute Force SSH	Medium	Escalated	SRV-MAIL-01