Wednesday, July 8, 2026
HomeHealthcareSharpHound Recon Assault - How AI enhanced the menace hunt

SharpHound Recon Assault – How AI enhanced the menace hunt

Cisco Reside AMER 2026 was the right place to place the Agentic SOC to work, defending the attendees and convention infrastructure. We innovated by giving the Agentic SOC entry to Endace’s always-on, full packet seize, and requested the agent to evaluate a possible SharpHound Recon assault that we had seen whereas menace searching. Inside minutes, the agent returned an correct and descriptive evaluation of the menace, concluding that it was a benign close to miss. This saved us many hours of labor, giving us confidence that the Agentic SOC can be an enormous enhance to safety and productiveness. This weblog explores how we constructed the integrations and the way AI helped us with our menace hunt and menace evaluation.

Full Packet Information – A gold mine for Agentic AI

At Cisco Reside AMER 2026 we deployed always-on, full packet seize as a supply of forensic proof, built-in with Agentic AI, to assist the convention SOC directives of Defend, Educate, and Innovate. At all times-on, full packet seize gives distinctive perception into all exercise on the community, delivering crucial context and proof for Incident Response and Risk Looking groups, in addition to an unmatched information lake of all community exercise for the emergent Agentic SOC.

The problem when human analysts analyze packet information is whether or not they have the experience and expertise to interpret and perceive what packets are telling them: as a result of not everyone seems to be a packet guru.

To make full use of this wealthy community information, we determined to combine Endace full packet seize with the Agentic AI capabilities constructed into Cisco XDR and Splunk Enterprise Safety, together with our customized agentic instrument. The aim was to empower our incident responders with highly effective proof and reasoning to expedite the decision-making for suspicious exercise. A few of our analysts had been spending their first day ever in a SOC, so our aim was to assist them be productive rapidly utilizing Agentic AI. This was additionally an ideal alternative to know how Agentic AI helps productiveness within the SOC.

Agentic AI Augmented Structure

Our Agentic SOC Structure is a pure evolution of the SOC Structure now we have been deploying for the final a number of years, closely leveraging telemetry and insights derived from community information we monitor, analyze and seize all through every occasion. We depend on logs generated by Cisco Firepower, Safe Community Analytics, Safe Entry, AI Protection, Splunk Assault Analyzer, Safe Malware Analytics, and EndaceProbe (which additionally generates Zeek logs and reconstructs file content material from the packet information it data). Splunk Enterprise Safety was the repository for all these logs and information, whereas EndaceProbe was the repository for full packet information for your entire week of the occasion.

We applied a Mannequin Context Protocol (MCP) server for Endace to combine with Cisco Cloud Management, permitting us to construct Agentic AI integrations with Splunk, Cisco XDR and different parts of the SOC (see Baz Shaw’s weblog for extra element: Cisco Reside 2026 – Utilizing LLMs and Endace Full Packet Seize for Incident Response).

With the Endace MCP server in place, we constructed a light-weight Agentic Tier-2 SOC analyst that consumes a single XDR incident and investigates it end-to-end. It builds on the agentic capabilities already in our merchandise. Below the hood, it combines the Endace MCP (for packet seize and decode) with a Splunk MCP (for querying the Zeek logs and different indexes) and the Cisco XDR APIs (for incident, asset, and observable context), all orchestrated by a reasoning agent that we tailor-made with Cisco Reside context — the venue’s IP ranges, the Splunk index structure, and the SOC’s guidelines of engagement. The result’s a single entry level: give it an incident ID, and it pulls the XDR context, retrieves the related Endace packets, runs focused Splunk queries, and returns a structured report. (For the total structure of the instrument and the way we constructed it, see the deep-dive: “AIM — Constructing an Agentic Tier-2 SOC Analyst at Cisco Reside AMER 2026.”)

Investigating a Potential SharpHound Assault

At every SOC occasion we spend a few of our time being curious and menace looking for suspicious exercise. Beforehand we had seen insecure AD as a critical menace to some attendees at one other Cisco Reside occasion, so we determined to take one other look, first utilizing people reasonably than Brokers.

Reviewing the packet information from three days of convention exercise, we rapidly discovered a number of LDAP periods initiated within the clear by attendee gadgets. In whole, 48 gadgets had been making an attempt to provoke LDAP binds to exterior LDAP servers utilizing each IPv4 and IPv6 addresses.

The high-profile group names discovered within the LDAP bind requests had been notably regarding. We theorized that the conduct of steady makes an attempt at nameless binds could also be an indication of SharpHound reconnaissance. This recon, if profitable, can lead to LDAP enumeration exposing delicate particulars that could be used to compromise a corporation.

Agentic AI Massively Speeds our Evaluation

At this level, we determined to make use of Agentic AI capabilities to research and assess this potential menace. Our first step was to create an incident in Cisco XDR. The incident included an outline, the incident time, and an IP tuple and port. Then the XDR Assault Storyboard kicked in as the first agent, delivering an computerized first-pass evaluation of the incident. Constructing on prime of that evaluation, our Tier-2 agent (AIM) took it additional — working the incident in phases and deciding every subsequent step based mostly on what the earlier one returned (actually agentic). First, it learn the XDR incident context, then pivoted to Endace full packet seize to tug the precise LDAP/389 session (inside an analyst-approved 15-minute seize window) after which gathered extra supporting proof from Splunk logs, all autonomously.

Inside a couple of minutes we had been offered with a well-written report that described the incident, information gathered, reasoning, evaluation, and disposition together with the following steps. For first-time analysts particularly, this was a goldmine — the Agent interpreted the packets by itself, doing the onerous half. As SOC analysts, we might overview the Agent’s work and take the following steps.

The Agent additionally produced step-by-step execution logs; each question and choice — so the total reasoning path could be handed to Tier-3 if escalation is ever wanted — displaying precisely the way it reached its conclusion. It even zoomed out to test different attendees within the later time window: a blast-radius test, achieved mechanically. On this case, the incident was benign, and the advice was to shut it as a benign/near-miss. As a result of we offer the Agent with entry to At all times-On, full packet information, it was in a position to overview all packet information to map out the blast radius solely and assess all incidents of this menace.

Constructing Abilities

It was notably encouraging to see the agent first fail, then be taught from its mistake. Initially it combined up “occasion time” and “first-seen” time. On the primary go, it discovered no packet proof as a result of it was looking for the unsuitable time interval. On the second go, it realized to make use of the “first-seen” time, discovered the packet proof, and wrote that lesson again into its ability file so it might know for subsequent time.

Conclusion

The Agentic SOC, mixing Agentic AI constructed into Endace’s merchandise with customized agentic instruments, is an enormous enhance to productiveness and safety. The well-reasoned assessments it gives enable us people to make quick and strong choices. This, in flip, allows us to focus our treasured time on probably the most critical threats.

Acknowledgements

Our thanks go to the Cisco SOC staff led by @Jessica Oppenheimer and @Ivan Berlinson for the chance to combine EndaceProbes with the Cisco Reside Agentic SOC structure. The SOC staff is a group of Cisco and Splunk specialists throughout many domains who had been a pleasure to work and innovate with, and we got here away with an ideal appreciation for the facility of the Cisco Safety and Splunk instruments. The Endace and Cisco groups had been in a position to show out integration improvements and check them in earnest in a real-world setting in preparation for making them typically out there to the market.

Try the blogs by the engineers who labored contained in the SOC at Las Vegas:

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments