
Summary
This rule detects the use of Ngrok, a tunneling service, which attackers abuse to deliver malicious payloads via short-lived URLs. The rule captures `GET` requests whose destination domain contains `.ngrok.io`, activity that suggests command and control (C2) traffic associated with malware such as DOKI. The logic searches web proxy data for these retrievals, evaluates the HTTP response status, and filters on the number of unique source and destination IP pairs observed. Notably, the rule retains supporting fields such as the user agent and the geographic location of the destination IP. It also links the activity to notable threat actor groups and associated malware to add context to the behaviour observed within the defined timeframe.
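As an added illustration (not the rule's own query), the following Python applies the matching logic described above to constructed web-proxy log lines; the log format, field names and sample values are assumptions made for the example.

```python
"""Flag GET requests to *.ngrok.io in web-proxy logs, as the rule summary describes."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (space separated, user agents contain no spaces):
# src_ip dst_ip method url http_status user_agent dst_country
SAMPLE_LOGS = [
    "10.0.0.5 203.0.113.10 GET http://abcd1234.ngrok.io/payload.sh 200 curl/7.68.0 US",
    "10.0.0.5 203.0.113.10 GET http://abcd1234.ngrok.io/stage2 404 curl/7.68.0 US",
    "10.0.0.7 198.51.100.3 GET http://example.com/index.html 200 Mozilla/5.0 DE",
    "10.0.0.9 203.0.113.11 POST http://efgh5678.ngrok.io/beacon 200 python-requests/2.31 US",
    "10.0.0.9 203.0.113.11 GET http://notngrok.io/file 200 Mozilla/5.0 FR",
]


def parse_line(line):
    """Split one proxy log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    src, dst, method, url, status, user_agent, country = parts
    return {"src": src, "dst": dst, "method": method, "url": url,
            "status": int(status), "user_agent": user_agent, "country": country}


def is_ngrok_host(url):
    """True only for hostnames under the ngrok.io zone (a bare substring test
    would also match look-alikes such as notngrok.io)."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(".ngrok.io")


def detect_ngrok_downloads(lines):
    """Group matching GET requests by (src, dst) and keep the fields the rule retains:
    response statuses, user agents, destination countries and the requested URLs."""
    hits = defaultdict(lambda: {"count": 0, "statuses": set(), "user_agents": set(),
                                "countries": set(), "urls": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not is_ngrok_host(rec["url"]):
            continue
        h = hits[(rec["src"], rec["dst"])]
        h["count"] += 1
        h["statuses"].add(rec["status"])
        h["user_agents"].add(rec["user_agent"])
        h["countries"].add(rec["country"])
        h["urls"].append(rec["url"])
    return dict(hits)


if __name__ == "__main__":
    for (src, dst), info in detect_ngrok_downloads(SAMPLE_LOGS).items():
        print(src, "->", dst, info)
```

Each key of the returned dict is one unique source/destination pair, so the number of keys is the count the rule filters on.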
Categories
- Web
- Cloud
- Containers
Data Sources
- Web Credential
- Network Traffic
- Container
ATT&CK Techniques
- T1105
- T1102
Created: 2024-02-09