SharpHound Recon Assault – How AI enhanced the menace hunt


Cisco Reside AMER 2026 was the right place to place the Agentic SOC to work, defending the attendees and convention infrastructure. We innovated by giving the Agentic SOC entry to Endace’s always-on, full packet seize, and requested the agent to evaluate a possible SharpHound Recon assault that we had seen whereas menace searching. Inside minutes, the agent returned an correct and descriptive evaluation of the menace, concluding that it was a benign close to miss. This saved us many hours of labor, giving us confidence that the Agentic SOC will likely be an enormous enhance to safety and productiveness. This weblog explores how we constructed the integrations and the way AI helped us with our menace hunt and menace evaluation.

Full Packet Information – A gold mine for Agentic AI

At Cisco Reside AMER 2026 we deployed always-on, full packet seize as a supply of forensic proof, built-in with Agentic AI, to assist the convention SOC directives of Defend, Educate, and Innovate. At all times-on, full packet seize gives distinctive perception into all exercise on the community, delivering important context and proof for Incident Response and Menace Searching groups, in addition to an unmatched knowledge lake of all community exercise for the emergent Agentic SOC.

The problem when human analysts analyze packet knowledge is whether or not they have the experience and expertise to interpret and perceive what packets are telling them: as a result of not everyone seems to be a packet guru.

To make full use of this wealthy community knowledge, we determined to combine Endace full packet seize with the Agentic AI capabilities constructed into Cisco XDR and Splunk Enterprise Safety, together with our customized agentic software. The aim was to empower our incident responders with highly effective proof and reasoning to expedite the decision-making for suspicious exercise. A few of our analysts have been spending their first day ever in a SOC, so our aim was to assist them be productive shortly utilizing Agentic AI. This was additionally an incredible alternative to grasp how Agentic AI helps productiveness within the SOC.

Agentic AI Augmented Structure

Our Agentic SOC Structure is a pure evolution of the SOC Structure now we have been deploying for the final a number of years, closely leveraging telemetry and insights derived from community knowledge we monitor, analyze and seize all through every occasion. We depend on logs generated by Cisco Firepower, Safe Community Analytics, Safe Entry, AI Protection, Splunk Assault Analyzer, Safe Malware Analytics, and EndaceProbe (which additionally generates Zeek logs and reconstructs file content material from the packet knowledge it information). Splunk Enterprise Safety was the repository for all these logs and knowledge, whereas EndaceProbe was the repository for full packet knowledge for your complete week of the occasion.

We applied a Mannequin Context Protocol (MCP) server for Endace to combine with Cisco Cloud Management, permitting us to construct Agentic AI integrations with Splunk, Cisco XDR and different parts of the SOC (see Baz Shaw’s weblog for extra element: Cisco Reside 2026 – Utilizing LLMs and Endace Full Packet Seize for Incident Response).

With the Endace MCP server in place, we constructed a light-weight Agentic Tier-2 SOC analyst that consumes a single XDR incident and investigates it end-to-end. It builds on the agentic capabilities already in our merchandise. Underneath the hood, it combines the Endace MCP (for packet seize and decode) with a Splunk MCP (for querying the Zeek logs and different indexes) and the Cisco XDR APIs (for incident, asset, and observable context), all orchestrated by a reasoning agent that we tailor-made with Cisco Reside context — the venue’s IP ranges, the Splunk index format, and the SOC’s guidelines of engagement. The result’s a single entry level: give it an incident ID, and it pulls the XDR context, retrieves the related Endace packets, runs focused Splunk queries, and returns a structured report. (For the complete structure of the software and the way we constructed it, see the deep-dive: “AIM — Constructing an Agentic Tier-2 SOC Analyst at Cisco Reside AMER 2026.”)

Investigating a Potential SharpHound Assault

At every SOC occasion we spend a few of our time being curious and menace attempting to find suspicious exercise. Beforehand we had seen insecure AD as a severe menace to some attendees at one other Cisco Reside occasion, so we determined to take one other look, first utilizing people moderately than Brokers.

Reviewing the packet knowledge from three days of convention exercise, we shortly discovered a number of LDAP periods initiated within the clear by attendee gadgets. In complete, 48 gadgets have been trying to provoke LDAP binds to exterior LDAP servers utilizing each IPv4 and IPv6 addresses.

The high-profile group names discovered within the LDAP bind requests have been notably regarding. We theorized that the conduct of steady makes an attempt at nameless binds could also be an indication of SharpHound reconnaissance. This recon, if profitable, may end up in LDAP enumeration exposing delicate particulars which may be used to compromise a company.

Agentic AI Massively Speeds our Evaluation

At this level, we determined to make use of Agentic AI capabilities to research and assess this potential menace. Our first step was to create an incident in Cisco XDR. The incident included an outline, the incident time, and an IP tuple and port. Then the XDR Assault Storyboard kicked in as the first agent, delivering an automated first-pass evaluation of the incident. Constructing on prime of that evaluation, our Tier-2 agent (AIM) took it additional — working the incident in phases and deciding every subsequent step based mostly on what the earlier one returned (really agentic). First, it learn the XDR incident context, then pivoted to Endace full packet seize to tug the precise LDAP/389 session (inside an analyst-approved 15-minute seize window) after which gathered extra supporting proof from Splunk logs, all autonomously.

Inside a couple of minutes we have been introduced with a well-written report that described the incident, knowledge gathered, reasoning, evaluation, and disposition together with the subsequent steps. For first-time analysts particularly, this was a goldmine — the Agent interpreted the packets by itself, doing the arduous half. As SOC analysts, we may overview the Agent’s work and take the subsequent steps.

The Agent additionally produced step-by-step execution logs; each question and resolution — so the complete reasoning path might be handed to Tier-3 if escalation is ever wanted — exhibiting precisely the way it reached its conclusion. It even zoomed out to test different attendees within the later time window: a blast-radius test, carried out routinely. On this case, the incident was benign, and the advice was to shut it as a benign/near-miss. As a result of we offer the Agent with entry to At all times-On, full packet knowledge, it was capable of overview all packet knowledge to map out the blast radius fully and assess all incidents of this menace.

Constructing Abilities

It was notably encouraging to see the agent first fail, then study from its mistake. Initially it blended up “occasion time” and “first-seen” time. On the primary go, it discovered no packet proof as a result of it was trying to find the flawed time interval. On the second go, it realized to make use of the “first-seen” time, discovered the packet proof, and wrote that lesson again into its ability file so it might know for subsequent time.

Conclusion

The Agentic SOC, mixing Agentic AI constructed into Endace’s merchandise with customized agentic instruments, is an enormous enhance to productiveness and safety. The well-reasoned assessments it gives enable us people to make quick and strong selections. This, in flip, allows us to focus our valuable time on probably the most severe threats.

Acknowledgements

Our thanks go to the Cisco SOC workforce led by @Jessica Oppenheimer and @Ivan Berlinson for the chance to combine EndaceProbes with the Cisco Reside Agentic SOC structure. The SOC workforce is a group of Cisco and Splunk consultants throughout many domains who have been a pleasure to work and innovate with, and we got here away with an incredible appreciation for the ability of the Cisco Safety and Splunk instruments. The Endace and Cisco groups have been capable of show out integration improvements and check them in earnest in a real-world setting in preparation for making them usually accessible to the market.

Try the blogs by the engineers who labored contained in the SOC at Las Vegas:

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles