ngrok Execution - *nix

Anvilogic Forge

Summary
This detection rule identifies execution of the ngrok tool on *nix hosts, using indicators such as command-line arguments and the TCP ports named on the command line that are commonly associated with remote connections. ngrok is a legitimate tunneling tool: it exposes a local service to the internet over an outbound connection, which is how it passes through firewalls that block inbound traffic, and threat actors have abused it for unauthorized lateral movement and data exfiltration. The logic uses Splunk search to detect ngrok execution by looking for specific command-line signatures, including a referenced configuration file and particular TCP ports (139, 445, 3389, 5985, 5986) that belong to remote access services (SMB, RDP and WinRM). Results are organized by time and host and carry the executing user, giving the context needed to judge whether a given ngrok execution is malicious. Because developers also run ngrok legitimately, hits should be triaged against the host role and user; a tunnel that forwards one of the listed remote-access ports from a server rather than a developer workstation is the higher-priority case.
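As an added example (not the Anvilogic Forge rule's own SPL, which is not reproduced on this page), the following Python implements the same logic over constructed *nix process-execution events: a record fires when the executed binary is ngrok, and the config-file and remote-access-port indicators are attached from the command line so the analyst sees why a hit is interesting. The event schema, the handling of `--config`, `--addr` and the `tcp` subcommand, and the sample events are assumptions for illustration.

```python
"""Python rendering of the ngrok detection logic described above, run over
constructed *nix process-execution events. Added example, not the Forge rule's
SPL; the event fields and sample events are assumptions for illustration."""
from __future__ import annotations

import os
import shlex
from dataclasses import dataclass

# TCP ports the rule associates with remote-access services:
# 139/445 SMB, 3389 RDP, 5985/5986 WinRM.
REMOTE_ACCESS_PORTS = {139, 445, 3389, 5985, 5986}


@dataclass
class Event:
    """One process-execution record (an assumed schema)."""
    time: str      # ISO-8601 timestamp, used for ordering
    host: str
    user: str
    cmdline: str


def tunneled_ports(argv: list[str]) -> list[int]:
    """Ports given as the target of an `ngrok tcp` tunnel or as an --addr value."""
    subcmd = next((a for a in argv[1:] if not a.startswith("-")), "")
    candidates: list[str] = []
    for i in range(1, len(argv)):
        a, prev = argv[i], argv[i - 1]
        if a.startswith("--addr="):
            candidates.append(a.split("=", 1)[1])
        elif prev == "--addr":
            candidates.append(a)
        elif subcmd == "tcp" and a != "tcp" and not a.startswith("-"):
            # A token after a bare flag ("--region us") is that flag's value,
            # not the tunnel target; a "--flag=value" token consumes nothing.
            if not (prev.startswith("-") and "=" not in prev):
                candidates.append(a)
    ports = []
    for value in candidates:
        tail = value.rsplit(":", 1)[-1]          # accept "port" or "host:port"
        if tail.isdigit() and 0 < int(tail) < 65536:
            ports.append(int(tail))
    return ports


def ngrok_indicators(cmdline: str) -> list[str]:
    """Indicators that fire for one command line; empty when it is not ngrok."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes in the logged command line
        argv = cmdline.split()
    if not argv or os.path.basename(argv[0]) != "ngrok":
        return []
    hits = ["ngrok_binary"]
    # Explicit config file (v3 --config, v2 -config) or the default ngrok.yml name.
    if any(a in ("--config", "-config") or a.startswith("--config=")
           or a.endswith("ngrok.yml") for a in argv):
        hits.append("config_file")
    hits += [f"remote_access_port:{p}" for p in tunneled_ports(argv)
             if p in REMOTE_ACCESS_PORTS]
    return hits


def detect(events: list[Event]) -> list[dict]:
    """Flag ngrok executions, ordered by time then host, with triage context."""
    out = []
    for e in events:
        hits = ngrok_indicators(e.cmdline)
        if hits:
            out.append({"time": e.time, "host": e.host, "user": e.user,
                        "cmdline": e.cmdline, "indicators": hits,
                        "severity": "high" if len(hits) > 1 else "medium"})
    return sorted(out, key=lambda r: (r["time"], r["host"]))


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event("2024-02-09T10:03:00Z", "db01", "svc",
          "/tmp/.x/ngrok tcp --region us 3389 --config /tmp/.x/ngrok.yml"),
    Event("2024-02-09T10:01:00Z", "web01", "deploy", "/usr/local/bin/ngrok tcp 22"),
    Event("2024-02-09T10:02:00Z", "web01", "root", "/usr/bin/python3 -m http.server 445"),
    Event("2024-02-09T10:04:00Z", "build02", "dev",
          "ngrok start --all --config=/home/dev/.config/ngrok/ngrok.yml"),
    Event("2024-02-09T10:04:00Z", "app03", "www-data",
          "/opt/ngrok/ngrok http --addr=localhost:5985"),
]

if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(r["time"], r["host"], r["user"], r["severity"], r["indicators"])
```

Every ngrok execution is reported, matching the rule's scope, and the indicators decide priority: the `db01` event (tunnel to 3389 from a hidden directory with its own config) and the `app03` event (forwarding 5985) rank above the developer forwarding port 22. The `python3 -m http.server 445` line is ignored because the binary is not ngrok, even though it mentions a listed port.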
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1090
  • T1572
  • T1059.006
Created: 2024-02-09