Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd

Suspicious PowerShell Execution

Medium False Positive
ALR-00262 · 2026-05-24T08:35:52Z

Description

Encoded PowerShell command executed on SRV-SQL-01 by user 'a.wilson'. Command attempts to download and execute remote payload. Flagged by DecoyPulse.

Alert Metadata

Alert ID: ALR-00262
Timestamp: 2026-05-24T08:35:52Z
Severity: Medium
Status: False Positive
Detection Source: DecoyPulse
Assigned Analyst: James Okonkwo

Endpoint Information

Hostname: SRV-SQL-01
User Account: a.wilson
Source IP: 45.163.148.102
Destination IP: 10.2.99.140
Origin Country: IR (Iran)

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

08:35:52 Event ingested by SOC365 Engine
08:35:56 EmilyAI triage started — correlation enrichment
08:35:59 EmilyAI confidence: 95% — escalated to human analyst
08:36:14 Alert assigned to analyst: James Okonkwo
08:37:46 Investigation started — querying SIEM and threat intelligence
08:42:28 Containment action taken — endpoint isolated
08:48:19 Alert resolved — remediation complete

Related Alerts

ID        | Time    | Alert                          | Severity      | Status         | Host
ALR-00485 | 44m ago | Brute Force SSH                | Low           | False Positive | SRV-SQL-01
ALR-00225 | 11h ago | Suspicious Scheduled Task      | Low           | False Positive | SRV-SQL-01
ALR-00427 | 18h ago | Suspicious PowerShell Execution | Informational | False Positive | WS-MAC-005
ALR-00458 | 21h ago | Pass-the-Hash Detected         | Low           | Open           | SRV-SQL-01
ALR-00355 | 1d ago  | Suspicious PowerShell Execution | Informational | Escalated      | WS-PC-002