SharpHound Recon Attack – How AI enhanced the threat hunt

At Cisco Live AMER 2026, a novel approach to security operations was implemented by integrating an AI-driven security agent with always-on, full packet capture technology. This setup aimed to automate threat hunting and analysis, protecting conference attendees and infrastructure.
The core of this innovation lies in providing the Agentic SOC with access to comprehensive network data via Endace's full packet capture. This rich data source serves as a forensic goldmine for AI, offering unparalleled context and evidence for incident response and threat hunting.

The system was tasked with assessing a potential SharpHound reconnaissance attack. Within minutes, the AI agent provided an accurate assessment, concluding that the observed activity was a benign near-miss. This rapid analysis significantly reduced the manual effort typically required for such investigations.
The architecture combined Endace full packet capture with AI capabilities from Cisco XDR and Splunk Enterprise Security. A custom agentic tool was developed to orchestrate these components, creating a Tier-2 SOC analyst that could investigate incidents end-to-end.
This agent pulled context from Cisco XDR, retrieved relevant packet data from Endace, and queried Splunk logs autonomously. The result was a structured report detailing the incident, gathered data, reasoning, and disposition, empowering even novice analysts.

During the threat hunt, analysts initially observed suspicious LDAP sessions from attendee devices, theorizing it could be SharpHound reconnaissance. The AI agent was then deployed to investigate this potential threat.
The agent's process involved reading the XDR incident, accessing packet capture for the specific session, and gathering supporting evidence from Splunk logs. It autonomously performed a blast-radius check by reviewing all packet data within a defined window.
In this instance, the AI agent correctly identified the activity as benign, recommending the incident be closed. The system also demonstrated a learning capability, correcting an initial error in time interpretation and updating its skill file for future reference.
This integration of Agentic AI with full packet capture represents a significant advancement in SOC productivity and security, enabling human analysts to focus on more critical threats.





