Suspicious PowerShell Execution
Informational
Resolved
ALR-00362 · 2026-07-06T21:55:22Z
Description
Encoded PowerShell command executed on WS-MAC-005 by user 'p.thomas'. Command attempts to download and execute remote payload. Flagged by Email Gateway.
Alert Metadata
Endpoint Information
MITRE ATT&CK Mapping
Investigation Timeline
21:55:22
Event ingested by SOC365 Engine
21:55:25
EmilyAI triage started — correlation enrichment
21:55:28
EmilyAI confidence: 94% — escalated to human analyst
21:55:55
Alert assigned to analyst: EmilyAI (auto)
21:56:30
Investigation started — querying SIEM and threat intelligence
22:00:30
Containment action taken — endpoint isolated
22:08:17
Alert resolved — remediation complete
Related Alerts
| ID | Time | Alert | Severity | Status | Host |
|---|---|---|---|---|---|
| ALR-00201 | 2h ago | Data Exfiltration Attempt | Low | Resolved | WS-MAC-005 |
| ALR-00285 | 7h ago | Tor Exit Node Connection | Informational | Investigating | WS-MAC-005 |
| ALR-00397 | 20h ago | Rogue DHCP Server | Informational | Resolved | WS-MAC-005 |
| ALR-00449 | 1d ago | Suspicious PowerShell Execution | Informational | Resolved | SRV-DC-01 |
| ALR-00328 | 1d ago | Port Scan Detected | Medium | Investigating | WS-MAC-005 |