Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ngrok Reverse Proxy on Network ASIM DNS Solution

Ngrok Reverse Proxy on Network ASIM DNS Solution

Back
Id50b0dfb7-2c94-4eaf-a332-a5936d78c263
RulenameNgrok Reverse Proxy on Network (ASIM DNS Solution)
DescriptionThis detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.
SeverityMedium
TacticsCommandAndControl
TechniquesT1572
T1090
T1102
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml
Version1.0.0
Arm template50b0dfb7-2c94-4eaf-a332-a5936d78c263.json
Deploy To Azure
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc

query: |
  // Define a list of Ngrok domains
  let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
  // Query the _Im_Dns function for the past 1 hour
  _Im_Dns(starttime=ago(1h))
  | where isnotempty(DnsQuery) // Filter out empty DNS queries
  | where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
  | summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
  // Summarize the data by Domain, DNS query, source IP address, and device Dvc  
name: Ngrok Reverse Proxy on Network (ASIM DNS Solution)
relevantTechniques:
- T1572
- T1090
- T1102
status: Available
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: DNS
  fieldMappings:
  - columnName: Domain
    identifier: DomainName
queryFrequency: 1h
requiredDataConnectors: []
kind: Scheduled
version: 1.0.0
triggerOperator: gt
description: |
    'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'
tactics:
- CommandAndControl
queryPeriod: 1h
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml
severity: Medium
tags:
- SchemaVersion: 0.1.6
  Schema: ASimDns
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 50b0dfb7-2c94-4eaf-a332-a5936d78c263