Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd

Suspicious PowerShell Execution

Severity: Low · Status: Investigating
Alert ID: ALR-00452 · Timestamp: 2026-04-06T00:56:17Z

Description

Encoded PowerShell command executed on WS-MAC-005 by user 'h.roberts'. Command attempts to download and execute remote payload. Flagged by DecoyPulse.

Alert Metadata

Alert ID:          ALR-00452
Timestamp:         2026-04-06T00:56:17Z
Severity:          Low
Status:            Investigating
Detection Source:  DecoyPulse
Assigned Analyst:  EmilyAI (auto)

Endpoint Information

Hostname:        WS-MAC-005
User Account:    h.roberts
Source IP:       103.246.216.166
Destination IP:  10.3.41.164
Origin Country:  NL (Netherlands)

MITRE ATT&CK Mapping

Tactic:     Execution
Technique:  T1059.001
Reference:  attack.mitre.org/techniques/T1059.001

Investigation Timeline

00:56:17 Event ingested by SOC365 Engine
00:56:21 EmilyAI triage started — correlation enrichment
00:56:27 EmilyAI confidence: 90% — escalated to human analyst
00:56:36 Alert assigned to analyst: EmilyAI (auto)
00:57:53 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID         Time     Alert                            Severity  Status          Host
ALR-00364  57m ago  Suspicious PowerShell Execution  Low       False Positive  SRV-FILE-01
ALR-00422  1h ago   Data Exfiltration Attempt        Medium    Open            WS-MAC-005
ALR-00002  3h ago   Unusual Outbound Traffic         Low       Investigating   WS-MAC-005
ALR-00176  6h ago   Suspicious PowerShell Execution  Low       False Positive  FW-EDGE-01
ALR-00169  7h ago   Tor Exit Node Connection         Critical  Open            WS-MAC-005