Suspicious PowerShell Execution

Medium False Positive

ALR-00270 · 2026-05-22T05:03:56Z

Description

Encoded PowerShell command executed on SRV-SQL-01 by user 'l.johnson'. Command attempts to download and execute remote payload. Flagged by Endpoint Agent.

Alert Metadata

Alert ID: ALR-00270
Timestamp: 2026-05-22T05:03:56Z
Severity: Medium
Status: False Positive
Detection Source: Endpoint Agent
Assigned Analyst: Emma Richardson

Endpoint Information

Hostname: SRV-SQL-01
User Account: l.johnson
Source IP: 103.32.216.201
Destination IP: 10.0.191.200
Origin Country: UA Ukraine

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

05:03:56 Event ingested by SOC365 Engine

05:03:57 EmilyAI triage started — correlation enrichment

05:04:10 EmilyAI confidence: 78% — escalated to human analyst

05:04:35 Alert assigned to analyst: Emma Richardson

05:04:46 Investigation started — querying SIEM and threat intelligence

05:13:06 Containment action taken — endpoint isolated

05:19:35 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00244	1h ago	Suspicious PowerShell Execution	Medium	Investigating	SRV-FILE-01
ALR-00167	3h ago	Suspicious PowerShell Execution	Medium	Open	AP-WIFI-03
ALR-00119	4h ago	Certificate Anomaly	Low	Escalated	SRV-SQL-01
ALR-00484	9h ago	Unauthorised USB Device	Low	Open	SRV-SQL-01
ALR-00102	11h ago	Suspicious PowerShell Execution	Low	Resolved	SRV-DC-01