Suspicious PowerShell Execution

Low Resolved

ALR-00426 · 2026-04-07T06:37:46Z

Description

Encoded PowerShell command executed on WS-LAP-010 by user 'a.wilson'. Command attempts to download and execute remote payload. Flagged by SOC365 Engine.

Alert Metadata

Alert ID: ALR-00426
Timestamp: 2026-04-07T06:37:46Z
Severity: Low
Status: Resolved
Detection Source: SOC365 Engine
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: WS-LAP-010
User Account: a.wilson
Source IP: 45.130.148.96
Destination IP: 10.2.12.122
Origin Country: FR France

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

06:37:46 Event ingested by SOC365 Engine

06:37:48 EmilyAI triage started — correlation enrichment

06:37:51 EmilyAI confidence: 89% — escalated to human analyst

06:38:23 Alert assigned to analyst: EmilyAI (auto)

06:39:52 Investigation started — querying SIEM and threat intelligence

06:44:55 Containment action taken — endpoint isolated

06:49:54 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00362	7h ago	Suspicious PowerShell Execution	Medium	Investigating	WS-MAC-005
ALR-00368	9h ago	Suspicious PowerShell Execution	Low	Open	WS-PC-004
ALR-00189	15h ago	Suspicious Scheduled Task	Low	False Positive	WS-LAP-010
ALR-00121	1d ago	Port Scan Detected	Medium	False Positive	WS-LAP-010
ALR-00473	1d ago	Pass-the-Hash Detected	Low	Resolved	WS-LAP-010