Suspicious PowerShell Execution

Medium False Positive

ALR-00389 · 2026-04-05T19:01:07Z

Description

Encoded PowerShell command executed on VM-DEV-01 by user 'l.johnson'. Command attempts to download and execute remote payload. Flagged by Email Gateway.

Alert Metadata

Alert ID: ALR-00389
Timestamp: 2026-04-05T19:01:07Z
Severity: Medium
Status: False Positive
Detection Source: Email Gateway
Assigned Analyst: Marcus Webb

Endpoint Information

Hostname: VM-DEV-01
User Account: l.johnson
Source IP: 91.91.195.194
Destination IP: 10.3.75.139
Origin Country: IN India

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

19:01:07 Event ingested by SOC365 Engine

19:01:12 EmilyAI triage started — correlation enrichment

19:01:15 EmilyAI confidence: 79% — escalated to human analyst

19:01:46 Alert assigned to analyst: Marcus Webb

19:03:40 Investigation started — querying SIEM and threat intelligence

19:10:32 Containment action taken — endpoint isolated

19:18:50 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00305	16m ago	Failed MFA Challenge	Informational	Resolved	VM-DEV-01
ALR-00157	2h ago	Suspicious PowerShell Execution	Medium	Resolved	WS-LAP-012
ALR-00082	2h ago	Rogue DHCP Server	Low	False Positive	VM-DEV-01
ALR-00354	4h ago	Suspicious PowerShell Execution	Informational	False Positive	WS-MAC-005
ALR-00092	18h ago	Suspicious Scheduled Task	Informational	Open	VM-DEV-01