
Summary
The detection rule 'Detect SharpHound Usage' identifies executions of the SharpHound binary, specifically 'SharpHound.exe', which is typically used during the reconnaissance phase of network attacks. This analytic utilizes data from Endpoint Detection and Response (EDR) agents, focusing on key attributes such as process name, original filename, and command-line execution details. SharpHound is instrumental in Active Directory enumeration, allowing attackers to gather information about the network layout, identify high-value targets, and orchestrate further malicious activities such as privilege escalation and lateral movement. The rule aggregates events from Sysmon and Windows security logs, leveraging the Splunk data model for efficient search and analysis. Full implementation requires correctly ingesting the necessary logs and mapping them through Splunk's Common Information Model (CIM).
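The following is an added example, not the rule's own SPL, showing the same matching logic in Python over constructed CIM-style process events: it checks the process name, the PE original filename (which survives a rename of the binary on disk), and the executable token of the command line, then aggregates hits by host and user. The field names (dest, user, process_name, original_file_name, process) are assumed to follow the Splunk CIM Endpoint.Processes mapping.

```python
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. Field names are an
# assumption about how Sysmon/EDR process events look after CIM mapping.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "process_name": "SharpHound.exe",
     "original_file_name": "SharpHound.exe", "process": "SharpHound.exe -c All"},
    {"dest": "ws01", "user": "CORP\\alice", "process_name": "svchost.exe",
     "original_file_name": "svchost.exe", "process": "svchost.exe -k netsvcs"},
    # Binary renamed on disk, but the PE version resource still says SharpHound.
    {"dest": "ws02", "user": "CORP\\bob", "process_name": "updater.exe",
     "original_file_name": "SharpHound.exe",
     "process": '"C:\\Users\\Public\\updater.exe" /run'},
    # Benign: the string only appears in a document path argument.
    {"dest": "ws03", "user": "CORP\\carol", "process_name": "notepad.exe",
     "original_file_name": "notepad.exe",
     "process": "notepad.exe C:\\tmp\\sharphound_notes.txt"},
]

TARGET = "sharphound.exe"


def basename(path):
    """Last path component, lower-cased, for both \\ and / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def command_executable(cmdline):
    """Executable token of a Windows command line (handles quoted paths)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def matches_sharphound(event):
    """Return the list of fields that matched for one process event."""
    hits = []
    if basename(event.get("process_name", "")) == TARGET:
        hits.append("process_name")
    if basename(event.get("original_file_name", "")) == TARGET:
        hits.append("original_file_name")
    # Only the executable token is compared, so a file name passed as an
    # argument (the notepad case above) does not trigger a false positive.
    if basename(command_executable(event.get("process", ""))) == TARGET:
        hits.append("command_line")
    return hits


def detect(events):
    """Aggregate matching events by (host, user), like a count-by search."""
    summary = defaultdict(lambda: {"count": 0, "indicators": set()})
    for ev in events:
        hits = matches_sharphound(ev)
        if hits:
            entry = summary[(ev["dest"], ev["user"])]
            entry["count"] += 1
            entry["indicators"].update(hits)
    return dict(summary)
```

Running detect(SAMPLE_EVENTS) flags ws01/alice on all three fields and ws02/bob on original_file_name only, while the notepad event on ws03 is not reported.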
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1059.001
- T1087.002
- T1069.001
- T1482
- T1087.001
- T1087
- T1069.002
- T1069
Created: 2024-11-13