
Summary
This analytic rule detects the use of the Ngrok reverse proxy tool based on DNS queries to its domains, notably "*.ngrok.com" and "*.ngrok.io". Ngrok is a legitimate tool that creates secure tunnels from a local server to a public endpoint, but adversaries have abused it to avoid detection and to carry out covert command-and-control communication and data exfiltration. The rule uses the Network Resolution data model, querying for DNS requests whose query field matches the Ngrok domain patterns. DNS queries from internal sources to Ngrok domains may indicate a threat that requires investigation, especially when the requests originate from corporate devices. While Ngrok usage is not categorically malicious, its adoption by attackers means such activity warrants careful monitoring and a prompt response to anything suspicious.
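The matching described above can be reproduced outside Splunk for testing or for a lightweight detection pipeline. The following Python is an added example, not the analytic rule itself or any code from its authors; it applies the same "*.ngrok.com" / "*.ngrok.io" match to constructed DNS resolution log lines (the comma-separated timestamp, source IP, source host, query layout is an assumption). Matching is done on whole DNS labels rather than by substring, so that look-alike names such as "ngrok.io.example.com" are not flagged, and trailing root dots and mixed case in the query name are normalized first.

```python
"""Added example: flag DNS queries to Ngrok domains in resolution logs.

Not the original analytic rule. Illustrates the same suffix match on
constructed sample data; the four-field log layout is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Domains named by the rule. Suffix matching is done on whole labels so
# that "ngrok.io.example.com" or "notngrok.com" do not match.
NGROK_SUFFIXES = ("ngrok.com", "ngrok.io")


@dataclass(frozen=True)
class DnsEvent:
    timestamp: str
    src_ip: str
    src_host: str
    query: str


def normalize_qname(qname: str) -> str:
    """Lowercase and strip the trailing root dot many DNS logs carry."""
    return qname.strip().lower().rstrip(".")


def is_ngrok_query(qname: str, suffixes=NGROK_SUFFIXES) -> bool:
    """True if the query is an Ngrok apex domain or any subdomain of it."""
    name = normalize_qname(qname)
    return any(name == s or name.endswith("." + s) for s in suffixes)


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one constructed log line; malformed lines are skipped."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4 or not all(parts):
        return None
    return DnsEvent(*parts)


def find_ngrok_queries(lines: Iterable[str]) -> List[DnsEvent]:
    """Return every parsed event whose query matches an Ngrok domain."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is not None and is_ngrok_query(event.query):
            hits.append(event)
    return hits


def summarize_by_source(events: Iterable[DnsEvent]) -> Dict[str, List[str]]:
    """Group hits by source host, the pivot an analyst triages on."""
    summary: Dict[str, List[str]] = {}
    for event in events:
        summary.setdefault(event.src_host, []).append(event.query)
    return summary


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-11-15T10:01:02Z,10.0.1.23,WS-12,abc123.ngrok.io",
    "2024-11-15T10:01:05Z,10.0.1.23,WS-12,www.example.com",
    "2024-11-15T10:02:11Z,10.0.1.40,WS-07,tunnel.ngrok.com.",
    "2024-11-15T10:02:30Z,10.0.1.40,WS-07,ngrok.io.example.com",
    "2024-11-15T10:03:00Z,10.0.1.55,WS-09,NOTNGROK.COM",
    "2024-11-15T10:03:10Z,10.0.1.55,WS-09,ConNect.NGROK.com",
    "malformed line with no fields",
]


if __name__ == "__main__":
    for host, queries in summarize_by_source(find_ngrok_queries(SAMPLE_LOG)).items():
        print(f"{host}: {', '.join(queries)}")
```

Of the seven sample lines, exactly three are flagged (the `abc123.ngrok.io`, `tunnel.ngrok.com.` and `ConNect.NGROK.com` queries); the look-alike, the near-miss apex and the malformed line are all ignored. When porting this back to the data model, apply the same label-aware match to the query field rather than a bare substring search, and pivot on the source host to decide whether the request came from a corporate device.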
Categories
- Network
- Endpoint
Data Sources
- Pod
- Network Traffic
ATT&CK Techniques
- T1572
- T1090
- T1102
Created: 2024-11-15