
t1102

Title
False positives may be present if ngrok is an authorized utility. Filter as needed.
False positives will be present based on organizations that allow the use of ngrok. Filter or monitor as needed.
Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to use the API by default unless integrations are configured.
Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environment dependent and requires further testing and tuning.
Legitimate applications communicating with the Telegram API, e.g. web browsers not in the exclusion list, apps with an RSS feature, etc.
Legitimate sub-processes started by ManageEngine ServiceDesk Pro.
Legitimate usage of cloudflared tunnel.
Legitimate usage of cloudflared.
Legitimate use of ngrok.
Legitimate use of Telegram bots in the company.
Legitimate use of the localtonet service.
Legitimate use of the ngrok service.
Ninite contacting githubusercontent.com.
Noise and false positives can be seen if the following instant messaging services are allowed within the corporate network; in that case, a filter is needed.
One might need to exclude other internet browsers found in its network, or other applications like the ones mentioned above, from Microsoft Defender.
User activity (e.g. a developer who shared and copied code snippets and used the raw link instead of just copy & paste).