Interactive Demo — Simulated data only. Back to SOC in a Box
SOC365 Dashboard
Acme Legal Services Ltd Live 19:44:00 UTC

Suspicious PowerShell Execution

Medium Escalated
ALR-00443 · 2026-07-05T09:15:52Z

Description

Encoded PowerShell command executed on VM-DEV-01 by user 'l.johnson'. Command attempts to download and execute remote payload. Flagged by DLP Module.

Alert Metadata

Alert ID
ALR-00443
Timestamp
2026-07-05T09:15:52Z
Severity
Medium
Status
Escalated
Detection Source
DLP Module
Assigned Analyst
Marcus Webb

Endpoint Information

Hostname
VM-DEV-01
User Account
l.johnson
Source IP
103.197.216.79
Destination IP
10.2.150.2
Origin Country
FR France

MITRE ATT&CK Mapping

Tactic
Execution
Technique
T1059.001
Reference
attack.mitre.org/techniques/T1059.001

Investigation Timeline

09:15:52 Event ingested by SOC365 Engine
09:15:54 EmilyAI triage started — correlation enrichment
09:16:00 EmilyAI confidence: 86% — escalated to human analyst
09:16:21 Alert assigned to analyst: Marcus Webb
09:17:10 Investigation started — querying SIEM and threat intelligence
09:20:14 Containment action taken — endpoint isolated
09:33:58 Alert resolved — remediation complete

Related Alerts

ID Time Alert Severity Status Host
ALR-00087 15h ago Unauthorised USB Device Low False Positive VM-DEV-01
ALR-00431 16h ago Suspicious PowerShell Execution Medium Resolved SRV-FILE-01
ALR-00117 1d ago Suspicious PowerShell Execution Low False Positive WS-LAP-011
ALR-00128 1d ago Suspicious PowerShell Execution Low False Positive WS-PC-003
ALR-00135 1d ago Suspicious PowerShell Execution Low Open SRV-WEB-01