Interactive Demo (simulated data only)
SOC365 Dashboard
Acme Legal Services Ltd

Suspicious PowerShell Execution

Severity: Informational · Status: Escalated
ALR-00416 · 2026-05-21T20:20:57Z

Description

Encoded PowerShell command executed on WS-MAC-005 by user 'system'. Command attempts to download and execute remote payload. Flagged by Email Gateway.

Alert Metadata

Alert ID: ALR-00416
Timestamp: 2026-05-21T20:20:57Z
Severity: Informational
Status: Escalated
Detection Source: Email Gateway
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: WS-MAC-005
User Account: system
Source IP: 194.3.62.154
Destination IP: 10.0.230.220
Origin Country: NL (Netherlands)

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

20:20:57 Event ingested by SOC365 Engine
20:21:01 EmilyAI triage started — correlation enrichment
20:21:10 EmilyAI confidence: 82% — escalated to human analyst
20:21:22 Alert assigned to analyst: EmilyAI (auto)
20:23:54 Investigation started — querying SIEM and threat intelligence
20:29:39 Containment action taken — endpoint isolated
20:36:40 Alert resolved — remediation complete

Related Alerts

ID        | Time   | Alert                     | Severity | Status         | Host
ALR-00037 | 3h ago | Tor Exit Node Connection  | High     | Escalated      | WS-MAC-005
ALR-00216 | 8h ago | Shadow IT Discovery       | Medium   | Resolved       | WS-MAC-005
ALR-00422 | 9h ago | Unauthorised USB Device   | Medium   | False Positive | WS-MAC-005
ALR-00019 | 10h ago | Suspicious Scheduled Task | Medium  | False Positive | WS-MAC-005
ALR-00111 | 12h ago | C2 Beacon Activity        | Medium  | Escalated      | WS-MAC-005