Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ngrok Reverse Proxy on Network ASIM DNS Solution

Ngrok Reverse Proxy on Network ASIM DNS Solution

Back
Id50b0dfb7-2c94-4eaf-a332-a5936d78c263
RulenameNgrok Reverse Proxy on Network (ASIM DNS Solution)
DescriptionThis detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.
SeverityMedium
TacticsCommandAndControl
TechniquesT1572
T1090
T1102
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml
Version1.0.0
Arm template50b0dfb7-2c94-4eaf-a332-a5936d78c263.json
Deploy To Azure
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc

status: Available
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml
tags:
- SchemaVersion: 0.1.6
  Schema: ASimDns
name: Ngrok Reverse Proxy on Network (ASIM DNS Solution)
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
triggerThreshold: 0
requiredDataConnectors: []
query: |
  // Define a list of Ngrok domains
  let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
  // Query the _Im_Dns function for the past 1 hour
  _Im_Dns(starttime=ago(1h))
  | where isnotempty(DnsQuery) // Filter out empty DNS queries
  | where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
  | summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
  // Summarize the data by Domain, DNS query, source IP address, and device Dvc  
triggerOperator: gt
id: 50b0dfb7-2c94-4eaf-a332-a5936d78c263
relevantTechniques:
- T1572
- T1090
- T1102
tactics:
- CommandAndControl
severity: Medium
description: |
    'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'
kind: Scheduled
queryFrequency: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 1h