Linux Ngrok Reverse Proxy Usage

Splunk Security Content

Summary
This analytic rule detects the use of Ngrok, a tool often employed as a reverse proxy, on Linux operating systems. By analyzing telemetry from Endpoint Detection and Response (EDR) agents, the rule scrutinizes specific process names and command-line arguments typically associated with Ngrok usage. The significance of this detection lies in Ngrok's potential misuse by adversaries to create reverse proxies, which can facilitate unauthorized access and actions such as data exfiltration. The detection looks for distinct command-line patterns and process behaviors indicative of Ngrok's operation, allowing organizations to identify and respond to potential security incidents swiftly.
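As an added illustration, not the Splunk rule's own search logic: a Python sketch of the same process-name and command-line check run over a few constructed Linux EDR process events. The event field names, the choice of ngrok tunnel verbs and flags as indicators, and the sample events are assumptions of this example.

```python
import json
import shlex
from posixpath import basename
from typing import Optional

# Real ngrok CLI tunnel verbs and flags; using them as indicators is this
# example's assumption, not the indicator list of the Splunk rule.
TUNNEL_VERBS = {"tcp", "http", "tls", "start", "tunnel"}
NGROK_FLAGS = {"--authtoken", "--region"}


def classify(event: dict) -> Optional[str]:
    """Return a reason string when a process event looks like ngrok usage, else None."""
    cmdline = event.get("cmdline", "")
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a malformed command line
        argv = cmdline.split()
    if not argv:
        return None
    # 1. Named binary: the EDR-reported process name or argv[0] is "ngrok".
    if event.get("process") == "ngrok" or basename(argv[0]) == "ngrok":
        return "process_name:ngrok"
    # 2. Binary not named ngrok but the command line has ngrok's shape
    #    (<tunnel verb> <port> ... --authtoken/--region). A plain substring
    #    match on "ngrok" would miss this and would false-positive on e.g. grep.
    flags = {a.split("=", 1)[0] for a in argv[1:] if a.startswith("--")}
    if len(argv) > 1 and argv[1] in TUNNEL_VERBS and flags & NGROK_FLAGS:
        return f"cmdline:{argv[1]}-tunnel-with-ngrok-flags"
    return None


def scan(lines):
    """Parse JSON event lines and return (host, user, cmdline, reason) for each hit."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            findings.append((ev["host"], ev["user"], ev["cmdline"], reason))
    return findings


# Constructed sample EDR process events (not real telemetry).
SAMPLE_EVENTS = [
    '{"host":"web01","user":"www-data","process":"ngrok","cmdline":"ngrok tcp 22"}',
    '{"host":"web01","user":"dev","process":"python3","cmdline":"python3 -m http.server 8000"}',
    '{"host":"db02","user":"svc","process":".cache","cmdline":"/tmp/.cache http 3306 --authtoken=REDACTED"}',
    '{"host":"web01","user":"dev","process":"grep","cmdline":"grep -r ngrok /var/log"}',
    '{"host":"ci01","user":"ci","process":"ngrok","cmdline":"/opt/ngrok config add-authtoken REDACTED"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The grep event is deliberately included to show why matching on the process name and argument structure, rather than on the substring "ngrok" anywhere in the command line, keeps the false-positive rate down.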
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1572
  • T1090
  • T1102
Created: 2024-11-13