Suspicious PowerShell Execution

Low Investigating

ALR-00328 · 2026-05-25T13:21:04Z

Description

Encoded PowerShell command executed on WS-LAP-010 by user 'h.roberts'. Command attempts to download and execute remote payload. Flagged by Email Gateway.

Alert Metadata

Alert ID: ALR-00328
Timestamp: 2026-05-25T13:21:04Z
Severity: Low
Status: Investigating
Detection Source: Email Gateway
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: WS-LAP-010
User Account: h.roberts
Source IP: 103.15.216.131
Destination IP: 10.1.210.242
Origin Country: VN Vietnam

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

13:21:04 Event ingested by SOC365 Engine

13:21:09 EmilyAI triage started — correlation enrichment

13:21:17 EmilyAI confidence: 80% — escalated to human analyst

13:21:25 Alert assigned to analyst: EmilyAI (auto)

13:22:36 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00475	42m ago	Failed MFA Challenge	Medium	Investigating	WS-LAP-010
ALR-00304	1h ago	Pass-the-Hash Detected	Low	False Positive	WS-LAP-010
ALR-00291	2h ago	Suspicious PowerShell Execution	Medium	Investigating	SRV-SQL-01
ALR-00118	11h ago	Suspicious PowerShell Execution	Informational	False Positive	WS-PC-004
ALR-00133	11h ago	Suspicious PowerShell Execution	Low	Resolved	WS-LAP-012