Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd

Suspicious PowerShell Execution

Informational Investigating
ALR-00370 · 2026-05-21T03:56:27Z

Description

Encoded PowerShell command executed on SRV-FILE-01 by user 'system'. The command attempts to download and execute a remote payload. Flagged by SOC365 Engine.

Alert Metadata

Alert ID: ALR-00370
Timestamp: 2026-05-21T03:56:27Z
Severity: Informational
Status: Investigating
Detection Source: SOC365 Engine
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: SRV-FILE-01
User Account: system
Source IP: 91.253.195.227
Destination IP: 10.3.236.133
Origin Country: France (FR)

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

03:56:27 Event ingested by SOC365 Engine
03:56:31 EmilyAI triage started — correlation enrichment
03:56:34 EmilyAI confidence: 96% — escalated to human analyst
03:57:08 Alert assigned to analyst: EmilyAI (auto)
03:58:07 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID        | Time   | Alert                          | Severity | Status         | Host
ALR-00436 | 1h ago | Suspicious PowerShell Execution | Medium   | Open           | SRV-APP-01
ALR-00221 | 5h ago | Anomalous DNS Query             | Low      | False Positive | SRV-FILE-01
ALR-00250 | 6h ago | Suspicious PowerShell Execution | High     | Escalated      | SRV-WEB-01
ALR-00288 | 8h ago | DLP Policy Violation            | Low      | Investigating  | SRV-FILE-01
ALR-00076 | 10h ago | Suspicious PowerShell Execution | Low     | Open           | WS-MAC-005