
List Unblocked Ngrok Events in Symantec with KQL

This article covers how to use a KQL (Kusto Query Language) query to list Ngrok activity that Symantec Endpoint Protection detected but did not block. The query filters the agent security and risk logs collected in Microsoft Sentinel, keeping only the event descriptions that identify Ngrok traffic which raised an alert without being blocked. This helps security teams monitor the risk from Ngrok tunnels that slip past automated blocking, giving them the usernames, IP addresses, traffic direction, and intrusion URLs involved.

Risk

Ngrok, a tool often used for tunneling local services to the internet, can be exploited to bypass perimeter defenses. Ngrok activity that Symantec Endpoint Protection detected but left unblocked points to a gap where traffic the product has already flagged may still traverse the network. Without proper monitoring, attackers could use these tunnels for data exfiltration or command and control, making timely detection crucial.

Query

Microsoft Sentinel

SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: Ngrok Activity"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription

Query Description:
This KQL query scans the Symantec Endpoint Protection logs collected in Microsoft Sentinel for Ngrok audit events whose description states that an attack was detected but not blocked. It then counts those alerts grouped by user, local and remote host, traffic direction, intrusion URL, and event description, so recurring combinations stand out and patterns or repeat incidents are easier to identify.
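The query above lists every distinct combination of user and network attributes. As an added example that is not part of the original post, the variant below scopes the search to a time window, aggregates per local endpoint, collects the related users, remote hosts and URLs into sets, and flags hosts with repeated unblocked events, which is the shape a scheduled analytics rule would use. It assumes the same SymantecEndpointProtection columns as the original query plus the standard Sentinel TimeGenerated column; the 7-day window and threshold of 3 are placeholder values to tune.

```kusto
// Added example, not from the original post: per-host view of unblocked
// Ngrok detections over a lookback window, with a recurrence flag.
// Assumes the SymantecEndpointProtection columns used above and the
// standard TimeGenerated column present on Sentinel tables.
let lookback = 7d;        // placeholder: how far back to search
let threshold = 3;        // placeholder: unblocked events per host that count as recurring
SymantecEndpointProtection
| where TimeGenerated > ago(lookback)
| where LogType in ("Agent Security Logs", "Agent Risk Logs")
| where EventDescription contains "Audit: Ngrok Activity"
| where EventDescription contains "attack detected but not blocked"
| summarize
    UnblockedCount = count(),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated),
    DistinctUsers  = dcount(UserName),
    Users          = make_set(UserName, 10),        // cap each set at 10 values
    RemoteHosts    = make_set(RemoteHostName, 10),
    RemoteIps      = make_set(RemoteHostIpAddr, 10),
    Urls           = make_set(IntrusionUrl, 10)
    by LocalHostIpAddr, TrafficDirection
| extend Recurring = UnblockedCount >= threshold   // true when the host keeps tripping the audit rule
| order by UnblockedCount desc, LastSeen desc
```

Hosts with Recurring set to true are the first to investigate: the endpoint has repeatedly generated Ngrok audit events that the agent only logged.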
