
Summary
This detection rule identifies execution of the legitimate tunnelling tool ngrok.exe on Windows hosts, using process telemetry from Endpoint Detection and Response (EDR) agents, specifically the process name and its full command line. Ngrok is commonly used to expose a local service through an outbound tunnel, but threat actors abuse the same capability to bypass inbound network controls, exfiltrate data, or keep remote access to a compromised system. The rule does not alert on the mere presence of the binary; it matches the process name ngrok.exe together with command-line arguments associated with starting a tunnel. Effective detection therefore requires that the ingested EDR or process-creation telemetry include command-line arguments. Because ngrok also has legitimate developer use, hits should be reviewed against the user, host, and parent process before being treated as malicious, and a renamed copy of the binary will evade a process-name match unless the telemetry also carries the original file name.
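The matching logic described above, run over a handful of constructed process-creation events, as an added example (this is not the rule's own search and not code from the page). The list of command-line markers, the field names, and the sample events are assumptions chosen to illustrate substring matching on the command line; the optional original-file-name check assumes the EDR or Sysmon record carries that field.

```python
"""Toy re-implementation of a process-name plus command-line match for ngrok.exe.

Added example. STARTUP_MARKERS is an assumed set of wildcard-style substrings,
not the detection rule's exact argument list.
"""
from typing import Dict, Iterable, List, Optional

TARGET_NAME = "ngrok.exe"

# Command-line fragments associated with starting a tunnel (assumed set).
# Matching is substring-based, mirroring *start*, *http*, ... wildcard semantics.
STARTUP_MARKERS = ("start", "--config", "http", "tcp", "authtoken")

# Constructed sample events in an EDR/Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "WS01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "ngrok.exe", "process": "ngrok.exe tcp 3389"},
    {"dest": "WS02", "user": "CORP\\bob", "parent_process_name": "explorer.exe",
     "process_name": "ngrok.exe", "process": "ngrok.exe --help"},
    {"dest": "WS03", "user": "CORP\\dev", "parent_process_name": "powershell.exe",
     "process_name": "NGROK.EXE",
     "process": "C:\\Tools\\ngrok.exe http 8080 --config C:\\Users\\dev\\ngrok.yml"},
    {"dest": "WS04", "user": "CORP\\svc", "parent_process_name": "services.exe",
     "process_name": "svchost.exe", "process": "svchost.exe -k netsvcs"},
    {"dest": "WS05", "user": "CORP\\carol", "parent_process_name": "cmd.exe",
     "process_name": "ngrok.exe",
     "process": "ngrok.exe config add-authtoken FAKE_TOKEN_FOR_EXAMPLE"},
    # Renamed binary: evades a process-name match, but the PE's original
    # file name (Sysmon EventID 1 OriginalFileName) still says ngrok.exe.
    {"dest": "WS06", "user": "CORP\\mallory", "parent_process_name": "cmd.exe",
     "process_name": "update.exe", "original_file_name": "ngrok.exe",
     "process": "update.exe tcp 3389"},
]


def is_ngrok_startup(event: Dict[str, str],
                     check_original_file_name: bool = False) -> Optional[str]:
    """Return the marker that fired, or None if the event does not match.

    The name comparison is case-insensitive because process names arrive in
    whatever case the launcher used. The command line is lowercased as well.
    """
    names = [event.get("process_name", "")]
    if check_original_file_name:
        names.append(event.get("original_file_name", ""))
    if not any(n.lower() == TARGET_NAME for n in names):
        return None
    cmdline = event.get("process", "").lower()
    for marker in STARTUP_MARKERS:
        if marker in cmdline:
            return marker
    return None


def detect(events: Iterable[Dict[str, str]],
           check_original_file_name: bool = False) -> List[Dict[str, str]]:
    """Apply the match to each event and return hits annotated with the marker."""
    hits = []
    for ev in events:
        marker = is_ngrok_startup(ev, check_original_file_name)
        if marker:
            hits.append({**ev, "matched_marker": marker})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, check_original_file_name=True):
        print(f"{hit['dest']:5} {hit['user']:14} parent={hit['parent_process_name']:15} "
              f"marker={hit['matched_marker']:10} {hit['process']}")
```

With the default name-only check, WS02 (`--help`, no tunnel argument) and WS04 (not ngrok) are correctly ignored, and WS06 (renamed binary) is missed; enabling the original-file-name check recovers WS06. The triage fields carried through (user, host, parent process) are what an analyst needs to separate a developer's tunnel from an attacker's.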
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- File
- Application Log
ATT&CK Techniques
- T1572
- T1090
- T1102
Created: 2024-11-13