Suspicious PowerShell Execution

Low Open

ALR-00485 · 2026-04-10T12:27:16Z

Description

Encoded PowerShell command executed on FW-EDGE-01 by user 'h.roberts'. Command attempts to download and execute remote payload. Flagged by Endpoint Agent.

Alert Metadata

Alert ID: ALR-00485
Timestamp: 2026-04-10T12:27:16Z
Severity: Low
Status: Open
Detection Source: Endpoint Agent
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: FW-EDGE-01
User Account: h.roberts
Source IP: 185.77.220.8
Destination IP: 10.0.76.43
Origin Country: VN Vietnam

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

12:27:16 Event ingested by SOC365 Engine

12:27:21 EmilyAI triage started — correlation enrichment

12:27:31 EmilyAI confidence: 83% — escalated to human analyst

12:27:39 Alert assigned to analyst: EmilyAI (auto)

12:28:40 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00294	3h ago	DecoyPulse Honeypot Triggered	High	Open	FW-EDGE-01
ALR-00409	7h ago	Rogue DHCP Server	High	Investigating	FW-EDGE-01
ALR-00172	8h ago	Suspicious PowerShell Execution	Critical	Investigating	SRV-BACKUP-01
ALR-00090	10h ago	Suspicious PowerShell Execution	Medium	Investigating	SW-CORE-01
ALR-00177	12h ago	Rogue DHCP Server	Low	Escalated	FW-EDGE-01