Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd Live 15:20:56 UTC

Suspicious PowerShell Execution

Medium Resolved
ALR-00396 · 2026-04-10T01:34:41Z

Description

Encoded PowerShell command executed on WS-LAP-010 by user 'l.johnson'. Command attempts to download and execute remote payload. Flagged by Endpoint Agent.

Alert Metadata

Alert ID
ALR-00396
Timestamp
2026-04-10T01:34:41Z
Severity
Medium
Status
Resolved
Detection Source
Endpoint Agent
Assigned Analyst
Marcus Webb

Endpoint Information

Hostname
WS-LAP-010
User Account
l.johnson
Source IP
194.50.62.254
Destination IP
10.1.78.59
Origin Country
NG Nigeria

MITRE ATT&CK Mapping

Tactic
Execution
Technique
T1059.001
Reference
attack.mitre.org/techniques/T1059.001

Investigation Timeline

01:34:41 Event ingested by SOC365 Engine
01:34:42 EmilyAI triage started — correlation enrichment
01:34:53 EmilyAI confidence: 93% — escalated to human analyst
01:35:02 Alert assigned to analyst: Marcus Webb
01:37:30 Investigation started — querying SIEM and threat intelligence
01:43:49 Containment action taken — endpoint isolated
01:50:51 Alert resolved — remediation complete

Related Alerts

ID         Time     Alert                            Severity       Status          Host
ALR-00360  2h ago   Suspicious PowerShell Execution  Informational  False Positive  WS-LAP-010
ALR-00258  3h ago   Ransomware Behaviour Detected    Informational  Open            WS-LAP-010
ALR-00296  11h ago  Pass-the-Hash Detected           Informational  Resolved        WS-LAP-010
ALR-00419  13h ago  Phishing Email Blocked           Low            Open            WS-LAP-010
ALR-00321  18h ago  Certificate Anomaly              Low            Open            WS-LAP-010